| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2022-29976 |
79 |
|
XSS |
2022-05-11 |
2022-05-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An Authenticated Reflected Cross-site scripting at BCC Parameter was discovered in MDaemon before 22.0.0 . |
|
2 |
CVE-2022-29975 |
79 |
|
XSS |
2022-05-11 |
2022-05-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An Authenticated Reflected Cross-site scripting at CC Parameter was discovered in MDaemon before 22.0.0 . |
|
3 |
CVE-2022-29973 |
770 |
|
+Info |
2022-05-02 |
2022-05-11 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
relan exFAT 1.3.0 allows local users to obtain sensitive information (data from deleted files in the filesystem) in certain situations involving offsets beyond ValidDataLength. |
|
4 |
CVE-2022-29940 |
79 |
|
XSS |
2022-05-05 |
2022-05-12 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities. |
|
5 |
CVE-2022-29939 |
79 |
|
XSS |
2022-05-05 |
2022-05-12 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities. |
|
6 |
CVE-2022-29820 |
668 |
|
|
2022-04-28 |
2022-05-05 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible |
|
7 |
CVE-2022-29818 |
346 |
|
|
2022-04-28 |
2022-05-05 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed |
|
8 |
CVE-2022-29816 |
74 |
|
|
2022-04-28 |
2022-05-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible |
|
9 |
CVE-2022-29812 |
|
|
|
2022-04-28 |
2022-05-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient |
|
10 |
CVE-2022-29811 |
79 |
|
XSS |
2022-04-28 |
2022-05-05 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible. |
|
11 |
CVE-2022-29810 |
532 |
|
|
2022-04-27 |
2022-05-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. |
|
12 |
CVE-2022-29584 |
79 |
|
XSS |
2022-04-28 |
2022-05-06 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action. |
|
13 |
CVE-2022-29532 |
79 |
|
XSS |
2022-04-20 |
2022-04-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. |
|
14 |
CVE-2022-29531 |
79 |
|
XSS |
2022-04-20 |
2022-04-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name. |
|
15 |
CVE-2022-29530 |
79 |
|
XSS |
2022-04-20 |
2022-04-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters. |
|
16 |
CVE-2022-29529 |
79 |
|
XSS |
2022-04-20 |
2022-04-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. |
|
17 |
CVE-2022-29444 |
264 |
|
XSS |
2022-05-02 |
2022-05-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wp_ajax_* actions in the class Breeze_Configuration which includes the ability to change any of the plugin's settings including CDN setting which could be further used for XSS attack. |
|
18 |
CVE-2022-29422 |
79 |
|
XSS |
2022-05-06 |
2022-05-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabilities in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-countdown-width, &ycd-progress-height, &ycd-progress-width, &ycd-button-margin-top, &ycd-button-margin-right, &ycd-button-margin-bottom, &ycd-button-margin-left, &ycd-circle-countdown-before-countdown, &ycd-circle-countdown-after-countdown vulnerable parameters. |
|
19 |
CVE-2022-29420 |
79 |
|
XSS |
2022-05-06 |
2022-05-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-circle-countdown-before-countdown and &ycd-circle-countdown-after-countdown vulnerable parameters. |
|
20 |
CVE-2022-29418 |
79 |
|
XSS |
2022-04-25 |
2022-05-05 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels Night Mode plugin <= 1.0.0 on WordPress via vulnerable parameters: &ntmode_page_setting[enable-me], &ntmode_page_setting[bg-color], &ntmode_page_setting[txt-color], &ntmode_page_setting[anc_color]. |
|
21 |
CVE-2022-29172 |
79 |
|
XSS |
2022-05-05 |
2022-05-16 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields� feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields� feature in your application. Upgrade to version `11.33.0`. |
|
22 |
CVE-2022-29046 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
23 |
CVE-2022-29045 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not escape the name and description of Promoted Build parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
24 |
CVE-2022-29044 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins Node and Label parameter Plugin 1.10.3 and earlier does not escape the name and description of Node and Label parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
25 |
CVE-2022-29043 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins Mask Passwords Plugin 3.0 and earlier does not escape the name and description of Non-Stored Password parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
26 |
CVE-2022-29042 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins Job Generator Plugin 1.22 and earlier does not escape the name and description of Generator Parameter and Generator Choice parameters on Job Generator jobs' Build With Parameters views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
27 |
CVE-2022-29041 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins Jira Plugin 3.7 and earlier, except 3.6.1, does not escape the name and description of Jira Issue and Jira Release Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
28 |
CVE-2022-29040 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins Git Parameter Plugin 0.9.15 and earlier does not escape the name and description of Git parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
29 |
CVE-2022-29039 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins Gerrit Trigger Plugin 2.35.2 and earlier does not escape the name and description of Base64 Encoded String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
30 |
CVE-2022-29038 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the name and description of Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
31 |
CVE-2022-29037 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
32 |
CVE-2022-29036 |
79 |
|
XSS |
2022-04-12 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
|
33 |
CVE-2022-28793 |
754 |
|
|
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Given the TEE is compromised and controlled by the attacker, improper state maintenance in StrongBox allows attackers to change Android ROT during device boot cycle after compromising TEE. The patch is applied in Galaxy S22 to prevent change of Android ROT after first initialization at boot time. |
|
34 |
CVE-2022-28791 |
20 |
|
|
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Improper input validation vulnerability in InstallAgent in Galaxy Store prior to version 4.5.41.8 allows attacker to overwrite files stored in a specific path. The patch adds proper protection to prevent overwrite to existing files. |
|
35 |
CVE-2022-28790 |
287 |
|
|
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Improper authentication in Link to Windows Service prior to version 2.3.04.1 allows attacker to lock the device. The patch adds proper caller signature check logic. |
|
36 |
CVE-2022-28789 |
862 |
|
|
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction. The patch adds proper permission for vulnerable activities. |
|
37 |
CVE-2022-28788 |
125 |
|
DoS |
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic. |
|
38 |
CVE-2022-28787 |
125 |
|
DoS |
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Improper buffer size check logic in wmfextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic. |
|
39 |
CVE-2022-28786 |
125 |
|
DoS |
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic. |
|
40 |
CVE-2022-28785 |
125 |
|
DoS |
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic. |
|
41 |
CVE-2022-28784 |
22 |
|
Dir. Trav. |
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Path traversal vulnerability in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to list file names in arbitrary directory as system user. The patch addresses incorrect implementation of file path validation check logic. |
|
42 |
CVE-2022-28783 |
20 |
|
|
2022-05-03 |
2022-05-11 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
Improper validation of removing package name in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to uninstall arbitrary packages without permission. The patch adds proper validation logic for removing package name. |
|
43 |
CVE-2022-28782 |
863 |
|
|
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows physical attacker to install package before completion of Setup wizard. The patch blocks entry point of the vulnerability. |
|
44 |
CVE-2022-28780 |
|
|
|
2022-05-03 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Improper access control vulnerability in Weather prior to SMR May-2022 Release 1 allows that attackers can access location information that set in Weather without permission. The patch adds proper protection to prevent access to location information. |
|
45 |
CVE-2022-28778 |
863 |
|
|
2022-04-11 |
2022-04-19 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Improper access control vulnerability in Samsung Security Supporter prior to version 1.2.40.0 allows attacker to set the arbitrary folder as Secret Folder without Samsung Security Supporter permission |
|
46 |
CVE-2022-28777 |
863 |
|
|
2022-04-11 |
2022-04-19 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Improper access control vulnerability in Samsung Members prior to version 13.6.08.5 allows local attacker to execute call function without CALL_PHONE permission. |
|
47 |
CVE-2022-28775 |
863 |
|
|
2022-04-11 |
2022-04-21 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Improper access control vulnerability in Samsung Flow prior to version 4.8.06.5 allows attacker to write the file without Samsung Flow permission. |
|
48 |
CVE-2022-28707 |
79 |
|
XSS |
2022-05-05 |
2022-05-12 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility (also referred to as the BIG-IP TMUI) that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
|
49 |
CVE-2022-28651 |
522 |
|
|
2022-04-05 |
2022-04-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields |
|
50 |
CVE-2022-28650 |
79 |
|
XSS |
2022-04-05 |
2022-04-18 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI |
