Search Results (363674 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-24441 1 Snyk 3 Snyk Cli, Snyk Language Server, Snyk Security 2025-04-24 5.8 Medium
The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable. **NOTE:** This issue is independent of the one reported in [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342), and upgrading to a fixed version for this addresses that issue as well. The affected IDE plugins and versions are: - VS Code - Affected: <=1.8.0, Fixed: 1.9.0 - IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48 - Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31 - Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions - Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions
CVE-2022-3525 1 Librenms 1 Librenms 2025-04-24 8.8 High
Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0.
CVE-2022-29837 1 Westerndigital 6 My Cloud Home, My Cloud Home Duo, My Cloud Home Duo Firmware and 3 more 2025-04-24 4.7 Medium
A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution.
CVE-2022-4069 1 Librenms 1 Librenms 2025-04-24 4.8 Medium
Cross-site Scripting (XSS) - Generic in GitHub repository librenms/librenms prior to 22.10.0.
CVE-2022-4111 1 Tooljet 1 Tooljet 2025-04-24 6.5 Medium
Unrestricted file size limit can lead to DoS in tooljet/tooljet <1.27 by allowing a logged in attacker to upload profile pictures over 2MB.
CVE-2022-3270 1 Festo 198 Bus Module Cpx-e-ep, Bus Module Cpx-e-ep Firmware, Bus Node Cpx-fb32 and 195 more 2025-04-24 9.8 Critical
In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.
CVE-2022-41297 1 Ibm 3 Db2 On Cloud Pak For Data, Db2 Warehouse On Cloud Pak For Data, Db2u 2025-04-24 4.3 Medium
IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237212.
CVE-2022-40977 1 Pilz 15 Pasvisu, Pmi V507, Pmi V507 Firmware and 12 more 2025-04-24 7.5 High
A path traversal vulnerability was discovered in Pilz PASvisu Server before 1.12.0. An unauthenticated remote attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip'). File writes do not affect confidentiality or availability.
CVE-2022-41157 2 Microsoft, Webcash 2 Windows, Serp Server 2.0 2025-04-24 8.1 High
A specific file on the sERP server if Kyungrinara(ERP solution) has a fixed password with the SYSTEM authority. This vulnerability could allow attackers to leak or steal sensitive information or execute malicious commands.
CVE-2022-38115 1 Solarwinds 1 Security Event Manager 2025-04-24 5.3 Medium
Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT
CVE-2023-41425 1 Wondercms 1 Wondercms 2025-04-24 6.1 Medium
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.
CVE-2022-46338 2 Debian, G810-led Project 2 Debian Linux, G810-led 2025-04-24 6.5 Medium
g810-led 0.4.2, a LED configuration tool for Logitech Gx10 keyboards, contained a udev rule to make supported device nodes world-readable and writable, allowing any process on the system to read traffic from keyboards, including sensitive data.
CVE-2022-45869 2 Linux, Redhat 4 Linux Kernel, Enterprise Linux, Rhel Eus and 1 more 2025-04-24 5.5 Medium
A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled.
CVE-2022-37926 1 Arubanetworks 1 Edgeconnect Enterprise 2025-04-24 5.5 Medium
A vulnerability within the web-based management interface of EdgeConnect Enterprise could allow a remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface by uploading a specially crafted file. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.
CVE-2022-37925 1 Arubanetworks 1 Edgeconnect Enterprise 2025-04-24 6.1 Medium
A vulnerability within the web-based management interface of Aruba EdgeConnect Enterprise could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.
CVE-2022-35120 1 Ixpdata 1 Easyinstall 2025-04-24 8.8 High
IXPdata EasyInstall 6.6.14725 contains an access control issue.
CVE-2022-30528 1 Isic.lk Project 1 Isic.lk 2025-04-24 9.8 Critical
SQL Injection vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to execute arbitrary commands via the username parameter to /system/user/modules/mod_users/controller.php.
CVE-2022-40746 2 Ibm, Microsoft 2 I Access Client Solutions, Windows 2025-04-24 7.2 High
IBM i Access Family 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability. By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236581.
CVE-2022-37923 1 Arubanetworks 1 Edgeconnect Enterprise 2025-04-24 7.2 High
Vulnerabilities in the Aruba EdgeConnect Enterprise command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.
CVE-2022-37922 1 Arubanetworks 1 Edgeconnect Enterprise 2025-04-24 7.2 High
Vulnerabilities in the Aruba EdgeConnect Enterprise command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.