Total
3861 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-30083 | 1 Elliegrid | 1 Elliegrid | 2024-08-03 | 9.8 Critical |
| EllieGrid Android Application version 3.4.1 is vulnerable to Code Injection. The application appears to evaluate user input as code (remote). | ||||
| CVE-2022-29814 | 1 Jetbrains | 1 Intellij Idea | 2024-08-03 | 6.9 Medium |
| In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible | ||||
| CVE-2022-29821 | 1 Jetbrains | 1 Pycharm | 2024-08-03 | 6.9 Medium |
| In JetBrains Rider before 2022.1 local code execution via links in ReSharper Quick Documentation was possible | ||||
| CVE-2022-29819 | 1 Jetbrains | 1 Intellij Idea | 2024-08-03 | 6.9 Medium |
| In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible | ||||
| CVE-2022-29813 | 1 Jetbrains | 1 Intellij Idea | 2024-08-03 | 6.9 Medium |
| In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible | ||||
| CVE-2022-29815 | 1 Jetbrains | 1 Intellij Idea | 2024-08-03 | 6.9 Medium |
| In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible | ||||
| CVE-2022-29307 | 1 Ionizecms | 1 Ionize | 2024-08-03 | 9.8 Critical |
| IonizeCMS v1.0.8.1 was discovered to contain a command injection vulnerability via the function copy_lang_content in application/models/lang_model.php. | ||||
| CVE-2022-29216 | 1 Google | 1 Tensorflow | 2024-08-03 | 7.8 High |
| TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's `saved_model_cli` tool is vulnerable to a code injection. This can be used to open a reverse shell. This code path was maintained for compatibility reasons as the maintainers had several test cases where numpy expressions were used as arguments. However, given that the tool is always run manually, the impact of this is still not severe. The maintainers have now removed the `safe=False` argument, so all parsing is done without calling `eval`. The patch is available in versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4. | ||||
| CVE-2022-29221 | 3 Debian, Fedoraproject, Smarty | 3 Debian Linux, Fedora, Smarty | 2024-08-03 | 8.8 High |
| Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds. | ||||
| CVE-2022-29171 | 1 Sourcegraph | 1 Sourcegraph | 2024-08-03 | 6.6 Medium |
| Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a `callsignCommand`, which is used to obtain the Phabricator metadata for a Gitolite repository. An administrator who is able to edit or add a Gitolite code host and has administrative access to Sourcegraph’s bundled Grafana instance can change this command arbitrarily and run it remotely. This grants direct access to the infrastructure underlying the Sourcegraph installation. The attack requires: site-admin privileges on the instance of Sourcegraph, Administrative privileges on the bundled Grafana monitoring instance, Knowledge of the gitserver IP address or DNS name (if running in Kubernetes). This can be found through Grafana. The issue is patched in version 3.38.0. You may disable Gitolite code hosts. We still highly encourage upgrading regardless of workarounds. | ||||
| CVE-2022-26982 | 1 Simplemachines | 1 Simple Machines Forum | 2024-08-03 | 7.2 High |
| SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. NOTE: the vendor's position is that administrators are intended to have the ability to modify themes, and can thus choose any PHP code that they wish to have executed on the server. | ||||
| CVE-2022-29078 | 1 Ejs | 1 Ejs | 2024-08-03 | 9.8 Critical |
| The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation). | ||||
| CVE-2022-27837 | 2 Google, Samsung | 2 Android, Accessibility | 2024-08-03 | 4.4 Medium |
| A vulnerability using PendingIntent in Accessibility prior to version 12.5.3.2 in Android R(11.0) and 13.0.1.1 in Android S(12.0) allows attacker to access the file with system privilege. | ||||
| CVE-2022-25967 | 1 Eta.js | 1 Eta | 2024-08-03 | 8.1 High |
| Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data. | ||||
| CVE-2022-25894 | 1 Uflo Project | 1 Uflo | 2024-08-03 | 9.8 Critical |
| All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via jexl.createExpression(expression).evaluate(context); functionality, due to improper user input validation. | ||||
| CVE-2022-25860 | 1 Simple-git Project | 1 Simple-git | 2024-08-03 | 8.1 High |
| Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221). | ||||
| CVE-2022-25813 | 1 Apache | 1 Ofbiz | 2024-08-03 | 7.5 High |
| In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible. | ||||
| CVE-2022-25812 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-08-03 | 7.2 High |
| The Transposh WordPress Translation WordPress plugin before 1.0.8 does not validate its debug settings, which could allow allowing high privilege users such as admin to perform RCE | ||||
| CVE-2022-25578 | 1 Taogogo | 1 Taocms | 2024-08-03 | 9.8 Critical |
| taocms v3.0.2 allows attackers to execute code injection via arbitrarily editing the .htaccess file. | ||||
| CVE-2022-25498 | 1 Cuppacms | 1 Cuppacms | 2024-08-03 | 9.8 Critical |
| CuppaCMS v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the saveConfigData function in /classes/ajax/Functions.php. | ||||