Every row on this page is unscored: the site shows Score 0.0, Gained Access Level None, and ??? for the CVSS Access, Complexity, Authentication, Conf., Integ. and Avail. fields, and the # of Exploits column is empty for all rows. Those columns are omitted from the table below.

| # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Description |
|---|--------|--------|-----------------------|--------------|-------------|-------------|
| 1601 | CVE-2022-1627 | 352 | CSRF | 2022-06-27 | 2022-06-27 | The My Private Site WordPress plugin before 3.0.8 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. |
| 1602 | CVE-2022-1653 | 352 | CSRF | 2022-06-27 | 2022-06-27 | The Social Share Buttons by Supsystic WordPress plugin before 2.2.4 does not perform CSRF checks in its AJAX endpoints and admin pages, allowing an attacker to trick any logged-in user into manipulating or changing the plugin settings, as well as creating, deleting and renaming projects and networks. |
| 1603 | CVE-2022-1740 | 1283 | | 2022-06-24 | 2022-06-24 | The tested version of Dominion Voting Systems ImageCast X's on-screen application hash display feature, audit log export, and application export functionality rely on self-attestation mechanisms. An attacker could leverage this vulnerability to disguise malicious applications on a device. |
| 1604 | CVE-2022-1741 | | +Priv | 2022-06-24 | 2022-06-24 | The tested version of Dominion Voting Systems ImageCast X has a Terminal Emulator application which could be leveraged by an attacker to gain elevated privileges on a device and/or install malicious code. |
| 1605 | CVE-2022-1742 | 424 | | 2022-06-24 | 2022-06-24 | The tested version of Dominion Voting Systems ImageCast X allows rebooting into Android Safe Mode, which gives an attacker direct access to the operating system. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code. |
| 1606 | CVE-2022-1743 | 24 | Exec Code | 2022-06-24 | 2022-06-24 | The tested version of Dominion Voting Systems ImageCast X can be manipulated into arbitrary code execution via specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS. |
| 1607 | CVE-2022-1744 | 250 | Exec Code | 2022-06-24 | 2022-06-24 | Applications on the tested version of Dominion Voting Systems ImageCast X can execute code with elevated privileges by exploiting a system-level service. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code. |
| 1608 | CVE-2022-1745 | 290 | +Priv | 2022-06-24 | 2022-06-24 | The authentication mechanism used by technicians on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions. |
| 1609 | CVE-2022-1746 | | +Priv | 2022-06-24 | 2022-06-24 | The authentication mechanism used by poll workers to administer voting on the tested version of Dominion Voting Systems ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment. |
| 1610 | CVE-2022-1776 | 79 | XSS | 2022-06-27 | 2022-06-27 | The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.1.8 does not sanitise and escape some campaign parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| 1611 | CVE-2022-1842 | | XSS CSRF | 2022-06-27 | 2022-06-27 | The OpenBook Book Data WordPress plugin through 3.5.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack; due to the lack of sanitisation and escaping, this can also lead to Stored Cross-Site Scripting. |
| 1612 | CVE-2022-1843 | 352 | CSRF | 2022-06-27 | 2022-06-27 | The MailPress WordPress plugin through 7.2.1 does not have CSRF checks in various places, which could allow attackers to make a logged-in admin change the settings, purge log files and more via CSRF attacks. |
| 1613 | CVE-2022-1844 | 352 | XSS CSRF | 2022-06-27 | 2022-06-27 | The WP Sentry WordPress plugin through 1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack; due to the lack of sanitisation and escaping, this can also lead to Stored Cross-Site Scripting. |
| 1614 | CVE-2022-1845 | 352 | CSRF | 2022-06-27 | 2022-06-27 | The WP Post Styling WordPress plugin before 1.3.1 does not have CSRF checks in various actions, which could allow attackers to make a logged-in admin delete the plugin's data, update the settings, add new entries and more via CSRF attacks. |
| 1615 | CVE-2022-1846 | 352 | CSRF | 2022-06-27 | 2022-06-27 | The Tiny Contact Form WordPress plugin through 0.7 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. |
| 1616 | CVE-2022-1847 | 352 | CSRF | 2022-06-27 | 2022-06-27 | The Rotating Posts WordPress plugin through 1.11 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. |
| 1617 | CVE-2022-1852 | | DoS | 2022-06-30 | 2022-06-30 | A NULL pointer dereference flaw was found in the Linux kernel's KVM module, which can lead to a denial of service in x86_emulate_insn in arch/x86/kvm/emulate.c. The flaw is triggered when a guest executes an illegal instruction on an Intel CPU. |
| 1618 | CVE-2022-1885 | 352 | CSRF | 2022-06-27 | 2022-06-27 | The Cimy Header Image Rotator WordPress plugin through 6.1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. |
| 1619 | CVE-2022-1903 | 862 | | 2022-06-27 | 2022-06-27 | The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (including of the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username. |
| 1620 | CVE-2022-1904 | 79 | XSS | 2022-06-27 | 2022-06-27 | The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in a page available to any user (both authenticated and unauthenticated) when a specific setting is enabled, leading to Reflected Cross-Site Scripting. |
| 1621 | CVE-2022-1913 | 352 | XSS CSRF | 2022-06-27 | 2022-06-27 | The Add Post URL WordPress plugin through 2.1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack; due to the lack of sanitisation and escaping, this can also lead to Stored Cross-Site Scripting. |
| 1622 | CVE-2022-1914 | 352 | XSS CSRF | 2022-06-27 | 2022-06-27 | The Clean-Contact WordPress plugin through 1.6 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack; due to the lack of sanitisation and escaping, this can also lead to Stored XSS. |
| 1623 | CVE-2022-1916 | 79 | XSS | 2022-06-27 | 2022-06-27 | The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store WordPress plugin before 1.0.5 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue. |
| 1624 | CVE-2022-1946 | 79 | XSS | 2022-07-04 | 2022-07-05 | The Gallery WordPress plugin before 2.0.0 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue. |
| 1625 | CVE-2022-1953 | 22 | Dir. Trav. | 2022-06-27 | 2022-06-27 | The Product Configurator for WooCommerce WordPress plugin before 1.2.32 suffers from an arbitrary file deletion vulnerability via an AJAX action, accessible to unauthenticated users, which accepts user input that is used in a path and passed to unlink() without validation. |
| 1626 | CVE-2022-1954 | | DoS | 2022-07-01 | 2022-07-01 | A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers. |
| 1627 | CVE-2022-1955 | | Bypass | 2022-06-30 | 2022-06-30 | Session 1.13.0 allows an attacker with physical access to the victim's device to bypass the application's password/PIN lock and access user data. This is possible due to a lack of adequate security controls to prevent dynamic code manipulation. |
| 1628 | CVE-2022-1960 | 352 | CSRF | 2022-06-27 | 2022-06-27 | The MyCSS WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. |
| 1629 | CVE-2022-1963 | | | 2022-07-01 | 2022-07-01 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, and all versions starting from 15.1 before 15.1.1. GitLab reveals in the HTML source, to unauthenticated users, whether a user has enabled two-factor authentication on their account. |
| 1630 | CVE-2022-1964 | 79 | XSS | 2022-06-27 | 2022-06-27 | The Easy SVG Support WordPress plugin before 3.3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. |
| 1631 | CVE-2022-1967 | 352 | XSS CSRF | 2022-07-04 | 2022-07-05 | The WP Championship WordPress plugin before 9.3 lacks CSRF checks in various places, allowing attackers to make a logged-in admin perform unwanted actions, such as creating and deleting arbitrary teams and updating the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues. |
| 1632 | CVE-2022-1971 | 79 | XSS | 2022-06-27 | 2022-06-27 | The NextCellent Gallery WordPress plugin through 1.9.35 does not sanitise and escape some of its image settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup). |
| 1633 | CVE-2022-1977 | | | 2022-06-27 | 2022-06-27 | The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via a URL before making an HTTP request to it, which could allow high-privilege users such as admins to perform Blind SSRF attacks. |
| 1634 | CVE-2022-1981 | | Bypass | 2022-07-01 | 2022-07-01 | An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. If a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintainer uses the 'Invite a group' feature to invite a group whose members do not comply with the domain allow-list. |
| 1635 | CVE-2022-1983 | | | 2022-07-01 | 2022-07-01 | Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allowed an attacker already in possession of a valid Deploy Key or Deploy Token to misuse it from any location to access Container Registries, even when IP address restrictions were configured. |
| 1636 | CVE-2022-1990 | 79 | XSS | 2022-06-27 | 2022-06-27 | The Nested Pages WordPress plugin before 3.1.21 does not escape and sanitise some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks when unfiltered_html is disallowed. |
| 1637 | CVE-2022-1994 | 79 | XSS | 2022-06-27 | 2022-06-27 | The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| 1638 | CVE-2022-1995 | 79 | XSS | 2022-06-27 | 2022-06-27 | The Malware Scanner WordPress plugin before 4.5.2 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in a multisite setup). |
| 1639 | CVE-2022-1999 | | | 2022-07-01 | 2022-07-01 | An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. Under certain conditions, an unprivileged user was able to change label descriptions using the REST API. |
| 1640 | CVE-2022-2040 | 79 | XSS | 2022-06-27 | 2022-06-27 | The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URLs, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| 1641 | CVE-2022-2041 | | XSS | 2022-06-27 | 2022-06-27 | The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| 1642 | CVE-2022-2056 | | | 2022-06-30 | 2022-06-30 | Divide-by-zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial of service via a crafted TIFF file. For users who compile libtiff from source, the fix is available in commit f3a5e010. |
| 1643 | CVE-2022-2057 | | | 2022-06-30 | 2022-06-30 | Divide-by-zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial of service via a crafted TIFF file. For users who compile libtiff from source, the fix is available in commit f3a5e010. |
| 1644 | CVE-2022-2058 | | | 2022-06-30 | 2022-06-30 | Divide-by-zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial of service via a crafted TIFF file. For users who compile libtiff from source, the fix is available in commit f3a5e010. |
| 1645 | CVE-2022-2073 | | | 2022-06-29 | 2022-06-29 | Code Injection in GitHub repository getgrav/grav prior to 1.7.34. |
| 1646 | CVE-2022-2078 | | DoS Overflow | 2022-06-30 | 2022-06-30 | A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function. This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse(), causing a denial of service and possibly code execution. |
| 1647 | CVE-2022-2088 | 284 | | 2022-06-27 | 2022-06-27 | An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0. |
| 1648 | CVE-2022-2097 | | | 2022-07-05 | 2022-07-05 | AES OCB mode for 32-bit x86 platforms using the AES-NI assembly-optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that were pre-existing in memory and were not overwritten. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB-based cipher suites for TLS and DTLS, both are unaffected. Fixed in OpenSSL 3.0.5 (affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (affected 1.1.1-1.1.1p). |
| 1649 | CVE-2022-2102 | 841 | Exec Code Bypass | 2022-06-24 | 2022-06-24 | Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. The modified code can be forwarded and used by a script loaded later in the sequence, allowing arbitrary file upload into a location where PHP scripts may be executed. |
| 1650 | CVE-2022-2104 | 269 | | 2022-06-24 | 2022-06-24 | The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash). |
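The WordPress rows above (CVE-2022-1627, -1653, -1842 through -1847, -1885, -1913, -1914, -1960, -1967) share one defect: a settings handler that trusts any request arriving with the admin's cookies, and in the "XSS CSRF" rows also stores and echoes the submitted value unescaped. The following is an added example, not code from any plugin in the table; the plugin slug `mp_demo`, the option `mp_demo_banner_text` and the hook names are hypothetical. It places the vulnerable handler shape beside a hardened one that uses WordPress's own nonce, capability, sanitisation and escaping functions.

```php
<?php
/**
 * Added example (not code from any plugin listed above). Hypothetical plugin
 * "mp_demo" with one setting, "banner_text", stored with update_option().
 * Shows the missing-nonce pattern behind the CSRF rows and the missing
 * sanitisation/escaping behind the "XSS CSRF" rows, beside a hardened handler.
 */

// --- Vulnerable shape: every request that reaches the hook is trusted. ---------
// An attacker lures a logged-in admin to a page that auto-submits a form to
// admin-post.php?action=mp_demo_save_vuln; the browser attaches the admin's
// cookies, the setting is overwritten, and the raw value is later echoed.
add_action( 'admin_post_mp_demo_save_vuln', function () {
    update_option( 'mp_demo_banner_text', $_POST['banner_text'] ); // no nonce, no capability, no sanitisation
    wp_safe_redirect( admin_url( 'options-general.php?page=mp_demo' ) );
    exit;
} );

// --- Hardened shape ------------------------------------------------------------
add_action( 'admin_post_mp_demo_save', 'mp_demo_save_settings' );
function mp_demo_save_settings() {
    // 1. Authorisation. A nonce is not a permission check: any logged-in user can
    //    obtain nonces for their own session, so gate on capability first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // 2. CSRF. Verify the nonce emitted by wp_nonce_field() in the form below;
    //    check_admin_referer() dies with a 403 page on failure.
    check_admin_referer( 'mp_demo_save_settings', 'mp_demo_nonce' );

    // 3. Sanitise on input. sanitize_text_field() strips tags and control characters.
    $banner = isset( $_POST['banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) )
        : '';
    update_option( 'mp_demo_banner_text', $banner );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=mp_demo' ) ) );
    exit;
}

// The settings form. The nonce field is what ties this POST to this admin's session,
// so a form auto-submitted from an attacker's site cannot carry a valid value.
function mp_demo_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $banner = get_option( 'mp_demo_banner_text', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mp_demo_save">
        <?php wp_nonce_field( 'mp_demo_save_settings', 'mp_demo_nonce' ); ?>
        <label for="banner_text">Banner text</label>
        <!-- 4. Escape on output, even for admin-supplied values: on multisite
             (unfiltered_html disallowed) an admin is not trusted with raw HTML. -->
        <input type="text" id="banner_text" name="banner_text"
               value="<?php echo esc_attr( $banner ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Note the order of checks: the capability test runs before the nonce test, because the nonce only proves the request originated from a page this user loaded, not that the user is allowed to perform the action. The multisite rows (CVE-2022-1971, -1990, -1994, -1995) are the case where escaping on output matters even for administrators, since there the `unfiltered_html` capability is withheld and a stored setting is the only vector left.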
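The AJAX rows above describe a second shape: an action registered for unauthenticated users (CVE-2022-1903, -1916, -1946, -1953), with no nonce or authorization check, that in CVE-2022-1953 passes a user-supplied name straight to `unlink()`. The following is an added example, not code from Product Configurator for WooCommerce or ARMember; the plugin slug `mp_demo`, the `manage_woocommerce` capability choice and the `uploads/mp_demo/` directory are assumptions. It shows the vulnerable handler beside a hardened one that is only reachable when logged in, checks a nonce and a capability, and confines the path before deleting.

```php
<?php
/**
 * Added example (not code from any plugin listed above). Hypothetical plugin
 * "mp_demo" that lets a shop manager delete a generated preview image from
 * uploads/mp_demo/. Shows the defects the AJAX rows describe (handler exposed
 * to unauthenticated users, no nonce, no authorisation, no path validation
 * before unlink()) beside a hardened handler.
 */

// --- Vulnerable shape ----------------------------------------------------------
// wp_ajax_nopriv_* exposes the action to anyone; the file name is used as-is.
add_action( 'wp_ajax_nopriv_mp_demo_delete_vuln', 'mp_demo_delete_vuln' );
add_action( 'wp_ajax_mp_demo_delete_vuln', 'mp_demo_delete_vuln' );
function mp_demo_delete_vuln() {
    $dir = wp_upload_dir()['basedir'] . '/mp_demo/';
    @unlink( $dir . $_POST['file'] ); // file=../../../wp-config.php removes wp-config.php
    wp_send_json_success();
}

// --- Hardened shape ------------------------------------------------------------
// Registered for authenticated users only: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_mp_demo_delete', 'mp_demo_delete' );
function mp_demo_delete() {
    // CSRF: the page issuing the request embeds wp_create_nonce( 'mp_demo_delete' );
    // check_ajax_referer() responds -1 / 403 and dies when it does not verify.
    check_ajax_referer( 'mp_demo_delete', 'nonce' );

    // Authorisation, separately from the nonce (a Subscriber can hold a valid nonce).
    if ( ! current_user_can( 'manage_woocommerce' ) ) { // assumed capability
        wp_send_json_error( 'forbidden', 403 );
    }

    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $path = mp_demo_resolve_preview_path( $name );
    if ( null === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    if ( ! unlink( $path ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}

/**
 * Resolve a user-supplied name to a file inside the plugin's own upload
 * directory, or return null. Both checks are needed: basename() removes any
 * "../" components, realpath() defeats a symlink that points outside the
 * directory, and the extension allow-list limits deletion to files the
 * plugin itself creates.
 */
function mp_demo_resolve_preview_path( $name ) {
    $base = realpath( wp_upload_dir()['basedir'] . '/mp_demo' );
    if ( false === $base ) {
        return null;
    }
    $base = trailingslashit( wp_normalize_path( $base ) );

    $name = basename( $name );
    if ( '' === $name || ! preg_match( '/\.(png|jpe?g|webp)$/i', $name ) ) {
        return null;
    }
    $real = realpath( $base . $name ); // false when the file does not exist
    if ( false === $real ) {
        return null;
    }
    $real = wp_normalize_path( $real );
    return 0 === strpos( $real, $base ) ? $real : null;
}
```

The same three checks apply to CVE-2022-1903's password-change action: register it only under `wp_ajax_` (never `wp_ajax_nopriv_`), verify a nonce, and then authorise the specific target, for example by allowing a user to change only their own password unless they hold `edit_users`. The reflected-XSS AJAX rows (CVE-2022-1916, -1946) are fixed at the output side with `esc_html()` or `esc_attr()` on the echoed parameter, or by returning JSON through `wp_send_json_*()` instead of HTML.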