Search Results (363337 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-25888 1 Opcua Project 1 Opcua 2024-11-21 7.5 High
The package opcua from 0.0.0 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
CVE-2022-25887 2 Apostrophecms, Redhat 2 Sanitize-html, Acm 2024-11-21 5.3 Medium
The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
CVE-2022-25878 1 Protobufjs Project 1 Protobufjs 2024-11-21 8.2 High
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files
CVE-2022-25876 1 Link-preview-js Project 1 Link-preview-js 2024-11-21 6.2 Medium
The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.
CVE-2022-25875 1 Svelte 1 Svelte 2024-11-21 5.4 Medium
The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
CVE-2022-25873 1 Vuetifyjs 1 Vuetify 2024-11-21 4.6 Medium
The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.
CVE-2022-25872 1 Fast String Search Project 1 Fast String Search 2024-11-21 5.3 Medium
All versions of package fast-string-search are vulnerable to Out-of-bounds Read due to incorrect memory freeing and length calculation for any non-string input as the source. This allows the attacker to read previously allocated memory.
CVE-2022-25871 1 Querymen Project 1 Querymen 2024-11-21 5.9 Medium
All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. Note: This vulnerability derives from an incomplete fix of [CVE-2020-7600](https://security.snyk.io/vuln/SNYK-JS-QUERYMEN-559867).
CVE-2022-25867 1 Socket 1 Socket.io-client Java 2024-11-21 7.5 High
The package io.socket:socket.io-client before 2.0.1 are vulnerable to NULL Pointer Dereference when parsing a packet with with invalid payload format.
CVE-2022-25866 1 Git-php Project 1 Git-php 2024-11-21 8.1 High
The package czproject/git-php before 4.0.3 are vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
CVE-2022-25865 1 Microsoft 1 Workspace-tools 2024-11-21 8.1 High
The package workspace-tools before 0.18.4 are vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
CVE-2022-25864 1 Intel 1 Oneapi Math Kernel Library 2024-11-21 6.7 Medium
Uncontrolled search path in some Intel(R) oneMKL software before version 2022.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-25863 1 Gatsbyjs 1 Gatsby 2024-11-21 8.1 High
The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.
CVE-2022-25862 1 Sds Project 1 Sds 2024-11-21 4 Medium
This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to [CVE-2020-7618](https://security.snyk.io/vuln/SNYK-JS-SDS-564123)
CVE-2022-25858 2 Redhat, Terser 4 Acm, Service Mesh, Service Registry and 1 more 2024-11-21 5.3 Medium
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
CVE-2022-25857 3 Debian, Redhat, Snakeyaml Project 18 Debian Linux, Amq Broker, Amq Clients and 15 more 2024-11-21 7.5 High
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
CVE-2022-25856 1 Argo Events Project 1 Argo Events 2024-11-21 7.5 High
The package github.com/argoproj/argo-events/sensors/artifacts before 1.7.1 are vulnerable to Directory Traversal in the (g *GitArtifactReader).Read() API in git.go. This could allow arbitrary file reads if the GitArtifactReader is provided a pathname containing a symbolic link or an implicit directory name such as ...
CVE-2022-25854 1 Tagify Project 1 Tagify 2024-11-21 5.4 Medium
This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.
CVE-2022-25852 2 Libpq Project, Pg-native Project 2 Libpq, Pg-native 2024-11-21 7.5 High
All versions of package pg-native; all versions of package libpq are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. **Note:** pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.
CVE-2022-25851 1 Jpeg-js Project 1 Jpeg-js 2024-11-21 7.5 High
The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.