CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-29868 312 Bypass 2022-05-09 2022-05-18
2.1
None Local Low Not required Partial None None
1Password for Mac 7.2.4 through 7.9.x before 7.9.3 is vulnerable to a process validation bypass. Malicious software running on the same computer can exfiltrate secrets from 1Password provided that 1Password is running and is unlocked. Affected secrets include vault items and derived values used for signing in to 1Password.
2 CVE-2022-29816 74 2022-04-28 2022-05-05
2.1
None Local Low Not required None Partial None
In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible
3 CVE-2022-29812 2022-04-28 2022-05-05
2.1
None Local Low Not required None Partial None
In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient
4 CVE-2022-29810 532 2022-04-27 2022-05-10
2.1
None Local Low Not required Partial None None
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
5 CVE-2022-29302 552 2022-05-12 2022-05-20
2.1
None Local Low Not required Partial None None
SolarView Compact ver.6.00 was discovered to contain a local file disclosure via /html/Solar_Ftp.php.
6 CVE-2022-29172 79 XSS 2022-05-05 2022-05-16
2.6
None Remote High Not required None Partial None
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields� feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields� feature in your application. Upgrade to version `11.33.0`.
7 CVE-2022-29140 2022-05-10 2022-05-23
2.1
None Local Low Not required Partial None None
Windows Print Spooler Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29114.
8 CVE-2022-29134 2022-05-10 2022-05-23
2.1
None Local Low Not required Partial None None
Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29122, CVE-2022-29123.
9 CVE-2022-29123 668 2022-05-10 2022-05-23
2.1
None Local Low Not required Partial None None
Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29122, CVE-2022-29134.
10 CVE-2022-29122 668 2022-05-10 2022-05-23
2.1
None Local Low Not required Partial None None
Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29123, CVE-2022-29134.
11 CVE-2022-29114 863 2022-05-10 2022-05-23
2.1
None Local Low Not required Partial None None
Windows Print Spooler Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29140.
12 CVE-2022-28793 754 2022-05-03 2022-05-11
2.1
None Local Low Not required None Partial None
Given the TEE is compromised and controlled by the attacker, improper state maintenance in StrongBox allows attackers to change Android ROT during device boot cycle after compromising TEE. The patch is applied in Galaxy S22 to prevent change of Android ROT after first initialization at boot time.
13 CVE-2022-28791 20 2022-05-03 2022-05-11
2.1
None Local Low Not required None Partial None
Improper input validation vulnerability in InstallAgent in Galaxy Store prior to version 4.5.41.8 allows attacker to overwrite files stored in a specific path. The patch adds proper protection to prevent overwrite to existing files.
14 CVE-2022-28790 287 2022-05-03 2022-05-11
2.1
None Local Low Not required None None Partial
Improper authentication in Link to Windows Service prior to version 2.3.04.1 allows attacker to lock the device. The patch adds proper caller signature check logic.
15 CVE-2022-28789 862 2022-05-03 2022-05-11
2.1
None Local Low Not required Partial None None
Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction. The patch adds proper permission for vulnerable activities.
16 CVE-2022-28788 125 DoS 2022-05-03 2022-05-11
2.1
None Local Low Not required None None Partial
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic.
17 CVE-2022-28787 125 DoS 2022-05-03 2022-05-11
2.1
None Local Low Not required None None Partial
Improper buffer size check logic in wmfextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic.
18 CVE-2022-28786 125 DoS 2022-05-03 2022-05-11
2.1
None Local Low Not required None None Partial
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic.
19 CVE-2022-28785 125 DoS 2022-05-03 2022-05-11
2.1
None Local Low Not required None None Partial
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic.
20 CVE-2022-28784 22 Dir. Trav. 2022-05-03 2022-05-11
2.1
None Local Low Not required Partial None None
Path traversal vulnerability in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to list file names in arbitrary directory as system user. The patch addresses incorrect implementation of file path validation check logic.
21 CVE-2022-28782 863 2022-05-03 2022-05-11
2.1
None Local Low Not required None Partial None
Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows physical attacker to install package before completion of Setup wizard. The patch blocks entry point of the vulnerability.
22 CVE-2022-28780 2022-05-03 2022-05-11
2.1
None Local Low Not required Partial None None
Improper access control vulnerability in Weather prior to SMR May-2022 Release 1 allows that attackers can access location information that set in Weather without permission. The patch adds proper protection to prevent access to location information.
23 CVE-2022-28778 863 2022-04-11 2022-04-19
2.1
None Local Low Not required None Partial None
Improper access control vulnerability in Samsung Security Supporter prior to version 1.2.40.0 allows attacker to set the arbitrary folder as Secret Folder without Samsung Security Supporter permission
24 CVE-2022-28777 863 2022-04-11 2022-04-19
2.1
None Local Low Not required None Partial None
Improper access control vulnerability in Samsung Members prior to version 13.6.08.5 allows local attacker to execute call function without CALL_PHONE permission.
25 CVE-2022-28775 863 2022-04-11 2022-04-21
2.1
None Local Low Not required None Partial None
Improper access control vulnerability in Samsung Flow prior to version 4.8.06.5 allows attacker to write the file without Samsung Flow permission.
26 CVE-2022-28651 522 2022-04-05 2022-04-18
2.1
None Local Low Not required Partial None None
In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields
27 CVE-2022-28543 22 Dir. Trav. 2022-04-11 2022-04-21
2.1
None Local Low Not required Partial None None
Path traversal vulnerability in Samsung Flow prior to version 4.8.07.4 allows local attackers to read arbitrary files as Samsung Flow permission.
28 CVE-2022-28542 863 2022-04-11 2022-04-21
2.1
None Local Low Not required Partial None None
Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.40.5 allows local attackers to access privileged content providers as Galaxy Store permission.
29 CVE-2022-28218 276 2022-04-26 2022-05-06
2.1
None Local Low Not required Partial None None
An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).
30 CVE-2022-28190 20 DoS 2022-05-17 2022-05-25
2.1
None Local Low Not required None None Partial
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where improper input validation can cause denial of service.
31 CVE-2022-28189 476 2022-05-17 2022-05-25
2.1
None Local Low Not required None None Partial
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a NULL pointer dereference may lead to a system crash.
32 CVE-2022-28162 312 2022-05-09 2022-05-17
2.1
None Local Low Not required Partial None None
Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text.
33 CVE-2022-27950 401 2022-03-28 2022-04-05
2.1
None Local Low Not required None None Partial
In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition.
34 CVE-2022-27888 532 2022-04-26 2022-05-05
2.1
None Local Low Not required Partial None None
Foundry Issues service versions 2.244.0 to 2.249.0 was found to be logging in a manner that captured sensitive information (session tokens). This issue was fixed in 2.249.1.
35 CVE-2022-27832 125 DoS 2022-04-11 2022-04-18
2.1
None Local Low Not required None None Partial
Improper boundary check in media.extractor library prior to SMR Apr-2022 Release 1 allows attackers to cause denial of service via a crafted media file.
36 CVE-2022-27822 668 2022-04-11 2022-04-18
2.1
None Local Low Not required Partial None None
Information exposure vulnerability in ril property setting prior to SMR April-2022 Release 1 allows access to EF_RUIMID value without permission.
37 CVE-2022-27814 668 2022-04-14 2022-04-21
2.1
None Local Low Not required Partial None None
SWHKD 1.1.5 allows arbitrary file-existence tests via the -c option.
38 CVE-2022-27636 532 2022-05-05 2022-05-13
2.1
None Local Low Not required Partial None None
On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, BIG-IP Edge Client may log sensitive APM session-related information when VPN is launched on a Windows system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
39 CVE-2022-27503 79 XSS 2022-04-13 2022-04-21
2.6
None Remote High Not required None Partial None
Cross-site Scripting (XSS) vulnerability in Citrix StoreFront affects version 1912 before CU5 and version 3.12 before CU9
40 CVE-2022-27254 294 2022-03-23 2022-03-31
2.9
None Local Network Medium Not required None Partial None
The remote keyless system on Honda Civic 2018 vehicles sends the same RF signal for each door-open request, which allows for a replay attack, a related issue to CVE-2019-20626.
41 CVE-2022-27195 532 2022-03-15 2022-03-23
2.1
None Local Low Not required Partial None None
Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.
42 CVE-2022-27152 2022-04-08 2022-04-15
2.7
None Local Network Low ??? None Partial None
Roku devices running RokuOS v9.4.0 build 4200 or earlier that uses a Realtek WiFi chip is vulnerable to Arbitrary file modification.
43 CVE-2022-26966 +Info 2022-03-12 2022-04-27
2.1
None Local Low Not required Partial None None
An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.
44 CVE-2022-26930 2022-05-10 2022-05-19
2.1
None Local Low Not required Partial None None
Windows Remote Access Connection Manager Information Disclosure Vulnerability.
45 CVE-2022-26878 772 2022-03-11 2022-03-22
2.1
None Local Low Not required None None Partial
drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have memory allocated but not freed).
46 CVE-2022-26856 522 2022-04-21 2022-05-03
2.1
None Local Low Not required Partial None None
Dell EMC Repository Manager version 3.4.0 contains a plain-text password storage vulnerability. A local attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application's database with privileges of the compromised account.
47 CVE-2022-26855 276 DoS 2022-04-08 2022-04-14
2.1
None Local Low Not required None None Partial
Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service.
48 CVE-2022-26519 307 2022-04-20 2022-04-29
2.1
None Local Low Not required Partial None None
There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials.
49 CVE-2022-26354 772 2022-03-16 2022-05-12
2.1
None Local Low Not required None None Partial
A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.
50 CVE-2022-26296 2022-03-28 2022-04-07
2.1
None Local Low Not required Partial None None
BOOM: The Berkeley Out-of-Order RISC-V Processor commit d77c2c3 was discovered to allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.