CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-30972 CSRF 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
2 CVE-2022-30971 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
3 CVE-2022-30970 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
4 CVE-2022-30969 Exec Code CSRF 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.
5 CVE-2022-30968 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins vboxwrapper Plugin 1.3 and earlier does not escape the name and description of VBox node parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
6 CVE-2022-30967 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Selection tasks Plugin 1.0 and earlier does not escape the name and description of Script Selection task variable parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
7 CVE-2022-30966 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
8 CVE-2022-30965 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name and description of Promotion Level parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
9 CVE-2022-30964 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Multiselect parameter Plugin 1.3 and earlier does not escape the name and description of Multiselect parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
10 CVE-2022-30963 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
11 CVE-2022-30962 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Global Variable String Parameter Plugin 1.2 and earlier does not escape the name and description of Global Variable String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
12 CVE-2022-30961 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Autocomplete Parameter Plugin 1.1 and earlier does not escape the name of Dropdown Autocomplete and Auto Complete String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
13 CVE-2022-30960 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Application Detector Plugin 1.0.8 and earlier does not escape the name of Chois Application Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
14 CVE-2022-30959 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
15 CVE-2022-30958 CSRF 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
A cross-site request forgery (CSRF) vulnerability in Jenkins SSH Plugin 2.6.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
16 CVE-2022-30957 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
17 CVE-2022-30956 XSS 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.
18 CVE-2022-30955 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
19 CVE-2022-30954 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.
20 CVE-2022-30953 CSRF 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.
21 CVE-2022-30952 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.
22 CVE-2022-30951 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library does not implement access control, potentially allowing users to start processes even if they're not allowed to log in.
23 CVE-2022-30950 Exec Code Overflow 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library which has a buffer overflow vulnerability that may allow users able to connect to a named pipe to execute commands on the Windows agent machine.
24 CVE-2022-30949 +Info 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
25 CVE-2022-30948 +Info 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
26 CVE-2022-30947 +Info 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
27 CVE-2022-30946 CSRF 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
28 CVE-2022-30945 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.
29 CVE-2022-30782 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Openmoney API through 2020-06-29 uses the JavaScript Math.random function, which does not provide cryptographically secure random numbers.
30 CVE-2022-30781 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Gitea before 1.16.7 does not escape git fetch remote.
31 CVE-2022-30779 Exec Code 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution via an unserialize pop chain in __destruct in GuzzleHttp\Cookie\FileCookieJar.php.
32 CVE-2022-30778 Exec Code 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution via an unserialize pop chain in __destruct in Illuminate\Broadcasting\PendingBroadcast.php and dispatch($command) in Illuminate\Bus\QueueingDispatcher.php.
33 CVE-2022-30777 XSS 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Parallels H-Sphere 3.6.2 allows XSS via the index_en.php from parameter.
34 CVE-2022-30776 XSS 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
atmail 6.5.0 allows XSS via the index.php/admin/index/ error parameter.
35 CVE-2022-30775 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
xpdf 4.04 allocates excessive memory when presented with crafted input. This can be triggered by (for example) sending a crafted PDF document to the pdftoppm binary. It is most easily reproduced with the DCMAKE_CXX_COMPILER=afl-clang-fast++ option.
36 CVE-2022-30770 XSS 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Terminalfour before 8.3.8 allows XSS, aka RDSM-31817. 8.2.18.2.1 and 8.2.18.5 are also fixed versions.
37 CVE-2022-30767 Overflow 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2019-14196.
38 CVE-2022-30765 Sql 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Calibre-Web before 0.6.18 allows user table SQL Injection.
39 CVE-2022-30763 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Janet before 1.22.0 mishandles arrays.
40 CVE-2022-30708 Exec Code 2022-05-15 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
41 CVE-2022-30697 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Snap Deploy (Windows) before build 3640
42 CVE-2022-30696 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Local privilege escalation due to a DLL hijacking vulnerability. The following products are affected: Acronis Snap Deploy (Windows) before build 3640
43 CVE-2022-30695 2022-05-16 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis Snap Deploy (Windows) before build 3640
44 CVE-2022-30689 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.
45 CVE-2022-30688 2022-05-17 2022-05-17
0.0
None ??? ??? ??? ??? ??? ???
needrestart 0.8 through 3.5 before 3.6 is prone to local privilege escalation. Regexes to detect the Perl, Python, and Ruby interpreters are not anchored, allowing a local user to escalate privileges when needrestart tries to detect if interpreters are using old source files.
46 CVE-2022-30594 Bypass 2022-05-12 2022-05-12
0.0
None ??? ??? ??? ??? ??? ???
The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.
47 CVE-2022-30592 2022-05-11 2022-05-12
0.0
None ??? ??? ??? ??? ??? ???
liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.
48 CVE-2022-30557 2022-05-11 2022-05-12
0.0
None ??? ??? ??? ??? ??? ???
Foxit PDF Reader and PDF Editor before 11.2.2 have a Type Confusion issue that causes a crash because of Unsigned32 mishandling during JavaScript execution.
49 CVE-2022-30525 Exec Code 2022-05-12 2022-05-16
0.0
None ??? ??? ??? ??? ??? ???
A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
50 CVE-2022-30524 DoS 2022-05-09 2022-05-09
0.0
None ??? ??? ??? ??? ??? ???
There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Total number of vulnerabilities : 19302   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.