Search Results (362636 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-45449 2024-11-21 N/A
Sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 30984.
CVE-2022-45448 1 Prestashop 1 M4 Pdf 2024-11-21 3.5 Low
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.
CVE-2022-45447 1 Prestashop 1 M4 Pdf 2024-11-21 6.5 Medium
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “f” parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists.
CVE-2022-45379 2 Jenkins, Redhat 2 Script Security, Openshift 2024-11-21 7.5 High
Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.
CVE-2022-45378 1 Apache 1 Soap 2024-11-21 9.8 Critical
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2022-45375 1 Cyberchimps 1 Ifeature Slider 2024-11-21 5.4 Medium
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in iFeature Slider plugin <= 1.2 on WordPress.
CVE-2022-45372 1 Codeixer 1 Product Gallery Slider For Woocommerce 2024-11-21 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Codeixer Product Gallery Slider for WooCommerce plugin <= 2.2.8 versions.
CVE-2022-45366 1 Wp-slimstat 1 Slimstat Analytics 2024-11-21 7.1 High
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Jason Crouse, VeronaLabs Slimstat Analytics plugin <= 5.0.4 versions.
CVE-2022-45363 1 Muffingroup 1 Betheme 2024-11-21 5.4 Medium
Auth. (subscriber+) Stored Cross-Site Scripting (XSS) in Muffingroup Betheme theme <= 26.6.1 on WordPress.
CVE-2022-45218 1 Oretnom23 1 Human Resource Management System 2024-11-21 6.1 Medium
Human Resource Management System v1.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability. This vulnerability is triggered via a crafted payload injected into an authentication error message.
CVE-2022-45199 1 Python 1 Pillow 2024-11-21 7.5 High
Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.
CVE-2022-45198 1 Python 1 Pillow 2024-11-21 7.5 High
Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).
CVE-2022-45184 1 Ironmansoftware 1 Powershell Universal 2024-11-21 7.2 High
The Web Server in Ironman Software PowerShell Universal v3.x and v2.x allows for directory traversal outside of the configuration directory, which allows a remote attacker with administrator privilege to create, delete, update, and display files outside of the configuration directory via a crafted HTTP request to particular endpoints in the web server. Patched Versions are 3.5.3 and 3.4.7.
CVE-2022-45183 1 Ironmansoftware 1 Powershell Universal 2024-11-21 8.8 High
Escalation of privileges in the Web Server in Ironman Software PowerShell Universal 2.x and 3.x allows an attacker with a valid app token to retrieve other app tokens by ID via an HTTP web request. Patched Versions are 3.5.3, 3.4.7, and 2.12.6.
CVE-2022-45177 1 Liveboxcloud 1 Vdesk 2024-11-21 7.5 High
An issue was discovered in LIVEBOX Collaboration vDesk through v031. An Observable Response Discrepancy can occur under the /api/v1/vdeskintegration/user/isenableuser endpoint, the /api/v1/sharedsearch?search={NAME]+{SURNAME] endpoint, and the /login endpoint. The web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
CVE-2022-45176 1 Liveboxcloud 1 Vdesk 2024-11-21 6.1 Medium
An issue was discovered in LIVEBOX Collaboration vDesk through v018. Stored Cross-site Scripting (XSS) can occur under the /api/v1/getbodyfile endpoint via the uri parameter. The web application (through its vShare functionality section) doesn't properly check parameters, sent in HTTP requests as input, before saving them on the server. In addition, crafted JavaScript content can then be reflected back to the end user and executed by the web browser.
CVE-2022-45169 1 Liveboxcloud 1 Vdesk 2024-11-21 5.9 Medium
An issue was discovered in LIVEBOX Collaboration vDesk through v031. A URL Redirection to an Untrusted Site (Open Redirect) can occur under the /api/v1/notification/createnotification endpoint, allowing an authenticated user to send an arbitrary push notification to any other user of the system. This push notification can include an (invisible) clickable link.
CVE-2022-45146 2 Bouncycastle, Oracle 2 Fips Java Api, Jdk 2024-11-21 5.5 Medium
An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.
CVE-2022-45143 2 Apache, Redhat 4 Tomcat, Jboss Enterprise Web Server, Jboss Fuse and 1 more 2024-11-21 7.5 High
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
CVE-2022-45137 1 Wago 14 751-9301, 751-9301 Firmware, 752-8303\/8000-002 and 11 more 2024-11-21 6.1 Medium
The configuration backend of the web-based management is vulnerable to reflected XSS (Cross-Site Scripting) attacks that targets the users browser. This leads to a limited impact of confidentiality and integrity but no impact of availability.