Total
291504 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-24870 | 1 Combodo | 1 Itop | 2025-04-22 | 8.7 High |
| Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2024-51001 | 1 Netgear | 2 R8500, R8500 Firmware | 2025-04-22 | 5.7 Medium |
| Netgear R8500 v1.0.2.160 was discovered to contain a stack overflow via the sysDNSHost parameter at ddns.cgi. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | ||||
| CVE-2022-23457 | 3 Netapp, Oracle, Owasp | 4 Active Iq Unified Manager, Oncommand Workflow Automation, Weblogic Server and 1 more | 2025-04-22 | 7.5 High |
| ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this. | ||||
| CVE-2022-24882 | 2 Fedoraproject, Freerdp | 3 Extra Packages For Enterprise Linux, Fedora, Freerdp | 2025-04-22 | 9.1 Critical |
| FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides and empty password value. This issue affects FreeRDP based RDP Server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds. | ||||
| CVE-2022-24881 | 1 Ballcat | 1 Codegen | 2025-04-22 | 8.8 High |
| Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of the template engine. This happens because Velocity and freemarker templates are introduced but input verification is not done. The fault is rectified in version 1.0.0.beta.2. | ||||
| CVE-2024-51000 | 1 Netgear | 2 R8500, R8500 Firmware | 2025-04-22 | 5.7 Medium |
| Netgear R8500 v1.0.2.160 was discovered to contain multiple stack overflow vulnerabilities in the component wireless.cgi via the opmode, opmode_an, and opmode_an_2 parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted POST request. | ||||
| CVE-2024-50999 | 1 Netgear | 2 R8500, R8500 Firmware | 2025-04-22 | 5.7 Medium |
| Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the sysNewPasswd parameter at password.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request. | ||||
| CVE-2024-50998 | 1 Netgear | 2 R8500, R8500 Firmware | 2025-04-22 | 5.7 Medium |
| Netgear R8500 v1.0.2.160 was discovered to contain multiple stack overflow vulnerabilities in the component openvpn.cgi via the openvpn_service_port and openvpn_service_port_tun parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted POST request. | ||||
| CVE-2024-50995 | 1 Netgear | 2 R8500, R8500 Firmware | 2025-04-22 | 5.7 Medium |
| Netgear R8500 v1.0.2.160 was discovered to contain a stack overflow via the share_name parameter at usb_remote_smb_conf.cgi. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | ||||
| CVE-2024-50994 | 1 Netgear | 2 R8500, R8500 Firmware | 2025-04-22 | 5.7 Medium |
| Netgear R8500 v1.0.2.160 was discovered to contain multiple stack overflow vulnerabilities in the component ipv6_fix.cgi via the ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, and ipv6_lan_length parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted POST request. | ||||
| CVE-2024-50993 | 1 Netgear | 2 R8500, R8500 Firmware | 2025-04-22 | 8 High |
| Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the sysNewPasswd parameter at admin_account.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request. | ||||
| CVE-2022-46827 | 1 Jetbrains | 1 Intellij Idea | 2025-04-22 | 3.9 Low |
| In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible. | ||||
| CVE-2022-2807 | 1 Algan | 1 Prens Student Information System | 2025-04-22 | 9.8 Critical |
| SQL Injection vulnerability in Algan Software Prens Student Information System allows SQL Injection.This issue affects Prens Student Information System: before 2.1.11. | ||||
| CVE-2022-46831 | 1 Jetbrains | 1 Teamcity | 2025-04-22 | 6.6 Medium |
| In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators. | ||||
| CVE-2022-24891 | 3 Netapp, Oracle, Owasp | 4 Active Iq Unified Manager, Oncommand Workflow Automation, Weblogic Server and 1 more | 2025-04-22 | 5.4 Medium |
| ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin. | ||||
| CVE-2022-24885 | 1 Nextcloud | 1 Nextcloud | 2025-04-22 | 2 Low |
| Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.1, users can bypass a lock on the Nextcloud app on an Android device by repeatedly reopening the app. Version 3.19.1 contains a fix for the problem. There are currently no known workarounds. | ||||
| CVE-2022-24887 | 1 Nextcloud | 1 Talk | 2025-04-22 | 4.3 Medium |
| Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds. | ||||
| CVE-2022-24889 | 1 Nextcloud | 1 Nextcloud Server | 2025-04-22 | 2.4 Low |
| Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8 , 22.2.4, and 23.0.1. | ||||
| CVE-2022-24735 | 5 Fedoraproject, Netapp, Oracle and 2 more | 6 Fedora, Management Services For Element Software, Management Services For Netapp Hci and 3 more | 2025-04-22 | 3.9 Low |
| Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same, or different script, at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by a less privileged users to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules. | ||||
| CVE-2022-24736 | 5 Fedoraproject, Netapp, Oracle and 2 more | 6 Fedora, Management Services For Element Software, Management Services For Netapp Hci and 3 more | 2025-04-22 | 3.3 Low |
| Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules. | ||||