CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1751 CVE-2022-28166 2022-06-27 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
In Brocade SANnav versions before SANN2.2.0.2 and Brocade SANnav before 2.1.1.8, the TLS/SSL server implementation supports the use of static key ciphers (ssl-static-key-ciphers) on ports 443 and 18082.
1752 CVE-2022-28167 2022-06-27 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav v2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log.
1753 CVE-2022-28168 2022-06-27 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav 2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords.
1754 CVE-2022-28171 Exec Code 2022-06-27 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
The web module in some Hikvision Hybrid SAN/Cluster Storage products has the following security vulnerability. Due to insufficient input validation, an attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.
1755 CVE-2022-28172 XSS 2022-06-27 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
The web module in some Hikvision Hybrid SAN/Cluster Storage products has the following security vulnerability. Due to insufficient input validation, an attacker can exploit the vulnerability to carry out an XSS attack by sending messages with malicious commands to the affected device.
1756 CVE-2022-28200 DoS Exec Code 2022-07-02 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
NVIDIA DGX A100 contains a vulnerability in SBIOS in the BiosCfgTool, where a local user with elevated privileges can read and write beyond intended bounds in SMRAM, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components.
1757 CVE-2022-28619 2022-06-24 2022-06-24
0.0
None ??? ??? ??? ??? ??? ???
A potential security vulnerability has been identified in the installer of HPE Version Control Repository Manager. The vulnerability could allow local escalation of privilege. HPE has made the following software update to resolve the vulnerability in HPE Version Control Repository Manager installer 7.6.14.0.
1758 CVE-2022-28621 2022-06-28 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
A remote disclosure of sensitive information vulnerability was discovered in HPE NonStop DSM/SCM version: T6031H03^ADP. HPE has provided a software update to resolve this vulnerability in HPE NonStop DSM/SCM.
1759 CVE-2022-28622 2022-06-27 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
A potential security vulnerability has been identified in HPE StoreOnce Software. The SSH server supports weak key exchange algorithms which could lead to remote unauthorized access. HPE has made the following software update to resolve the vulnerability in HPE StoreOnce Software 4.3.2.
1760 CVE-2022-28692 2022-07-04 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
Improper input validation vulnerability in Scheduler of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Scheduler.
1761 CVE-2022-28713 +Info 2022-07-04 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
Improper authentication vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote attacker to obtain some data of Facility Information without logging in to the product.
1762 CVE-2022-28718 Bypass 2022-07-04 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
Operation restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Bulletin.
1763 CVE-2022-28803 XSS 2022-06-29 2022-06-29
0.0
None ??? ??? ??? ??? ??? ???
In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR).
1764 CVE-2022-29096 Exec Code XSS 2022-06-24 2022-06-24
0.0
None ??? ??? ??? ??? ??? ???
Dell Wyse Management Suite 3.6.1 and below contains a Reflected Cross-Site Scripting Vulnerability in saveGroupConfigurations page. An authenticated attacker could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.
1765 CVE-2022-29097 +Priv 2022-06-24 2022-06-24
0.0
None ??? ??? ??? ??? ??? ???
Dell WMS 3.6.1 and below contains a Path Traversal vulnerability in Device API. A remote attacker could potentially exploit this vulnerability, to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application.
1766 CVE-2022-29168 79 Exec Code XSS 2022-06-25 2022-06-27
0.0
None ??? ??? ??? ??? ??? ???
Wire is a secure messaging application. Wire is vulnerable to arbitrary HTML and Javascript execution via insufficient escaping when rendering `@mentions` in the wire-webapp. If a user receives and views a malicious message, arbitrary code is injected and executed in the context of the victim allowing the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-05-04-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-05-04-production.0-v0.29.7-0-a6f2ded or wire-server 2022-05-04 (chart/4.11.0) or later. No known workarounds exist.
1767 CVE-2022-29175 2022-05-05 2022-05-06
0.0
None ??? ??? ??? ??? ??? ???
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Since version 0.3.2, decimals use the full range of the underlying int168 type. Multiplication of 168-bit integers can wrap in 256-bit arithmetic, but safemul does not check for that. This has been patched in v0.3.4. There are no known workarounds for this issue.
1768 CVE-2022-29268 Exec Code 2022-04-15 2022-04-15
0.0
None ??? ??? ??? ??? ??? ???
Bitrix through 7.5.0 allows remote attackers to execute arbitrary code by using the restore.php Upload From Local Disk feature.
1769 CVE-2022-29269 2022-06-29 2022-06-29
0.0
None ??? ??? ??? ??? ??? ???
In Nagios XI through 5.8.5, in the schedule report function, an authenticated attacker is able to inject HTML tags that lead to the reformatting/editing of emails from an official email address.
1770 CVE-2022-29270 2022-06-29 2022-06-29
0.0
None ??? ??? ??? ??? ??? ???
In Nagios XI through 5.8.5, it is possible for a user without password verification to change his e-mail address.
1771 CVE-2022-29271 2022-06-29 2022-06-29
0.0
None ??? ??? ??? ??? ??? ???
In Nagios XI through 5.8.5, a read-only Nagios user (due to an incorrect permission check) is able to schedule downtime for any host/services. This allows an attacker to permanently disable all monitoring checks.
1772 CVE-2022-29272 2022-06-29 2022-06-29
0.0
None ??? ??? ??? ??? ??? ???
In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.
1773 CVE-2022-29467 +Info 2022-07-04 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
Address information disclosure vulnerability in Cybozu Garoon 4.2.0 to 5.5.1 allows a remote authenticated attacker to obtain some data of Address.
1774 CVE-2022-29471 Bypass 2022-07-04 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
Browse restriction bypass vulnerability in Bulletin of Cybozu Garoon allows a remote authenticated attacker to obtain the data of Bulletin.
1775 CVE-2022-29484 Bypass 2022-07-04 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
Operation restriction bypass vulnerability in Space of Cybozu Garoon 4.0.0 to 5.9.0 allows a remote authenticated attacker to delete the data of Space.
1776 CVE-2022-29513 XSS 2022-07-04 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script.
1777 CVE-2022-29519 2022-06-28 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
Cleartext transmission of sensitive information vulnerability exists in STARDOM FCN Controller and FCJ Controller R1.01 to R4.31, which may allow an adjacent attacker to log in to the affected products and alter device configuration settings or tamper with device firmware.
1778 CVE-2022-29578 +Info 2022-06-24 2022-06-24
0.0
None ??? ??? ??? ??? ??? ???
Meridian Cooperative Utility Software versions 22.02 and 22.03 allows remote attackers to obtain sensitive information such as name, address, and daily energy usage.
1779 CVE-2022-29858 XSS 2022-06-28 2022-06-29
0.0
None ??? ??? ??? ??? ??? ???
Silverstripe silverstripe/assets through 1.10 allows XSS.
1780 CVE-2022-29892 2022-07-04 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
Improper input validation vulnerability in Space of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to repeatedly display errors in certain functions and cause a denial-of-service (DoS).
1781 CVE-2022-29931 XSS 2022-06-25 2022-06-27
0.0
None ??? ??? ??? ??? ??? ???
Raytion 7.2.0 allows reflected Cross-site Scripting (XSS).
1782 CVE-2022-30192 2022-06-29 2022-06-29
0.0
None ??? ??? ??? ??? ??? ???
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-33638, CVE-2022-33639.
1783 CVE-2022-30289 XSS 2022-07-05 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
A stored Cross-site Scripting (XSS) vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. An attacker can abuse the vulnerability to upload a malicious file that will then be executed by a victim when they open the file location.
1784 CVE-2022-30290 2022-07-05 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. An attacker can abuse the identified vulnerability in order to arbitrarily change their registered e-mail address as well as their API key, even though such action is not possible through the interface, legitimately.
1785 CVE-2022-30467 DoS 2022-06-29 2022-06-29
0.0
None ??? ??? ??? ??? ??? ???
Joy ebike Wolf Manufacturing year 2022 is vulnerable to Denial of service, which allows remote attackers to jam the key fob request via RF.
1786 CVE-2022-30560 2022-06-28 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
After obtaining the administrative account and password, or through a man-in-the-middle attack, an attacker could send a specific crafted packet to the vulnerable interface and cause the device to crash.
1787 CVE-2022-30561 2022-06-28 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
When an attacker uses a man-in-the-middle attack to sniff the request packets of a successful login, the attacker could log in to the device by replaying the user's login packet.
1788 CVE-2022-30562 2022-06-28 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
If the user enables the HTTPS function on the device, an attacker can modify the user's request data packet through a man-in-the-middle attack. Injection of a malicious URL in the Host: header of the HTTP request results in a 302 redirect to an attacker-controlled page.
1789 CVE-2022-30563 2022-06-28 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
When an attacker uses a man-in-the-middle attack to sniff the request packets of a successful login through ONVIF, the attacker can log in to the device by replaying the user's login packet.
1790 CVE-2022-30707 2022-06-28 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
Violation of secure design principles exists in the communication of CAMS for HIS. Affected products and versions are CENTUM series where LHS4800 is installed (CENTUM CS 3000 and CENTUM CS 3000 Small R3.08.10 to R3.09.00), CENTUM series where CAMS function is used (CENTUM VP, CENTUM VP Small, and CENTUM VP Basic R4.01.00 to R4.03.00), CENTUM series regardless of the use of CAMS function (CENTUM VP, CENTUM VP Small, and CENTUM VP Basic R5.01.00 to R5.04.20 and R6.01.00 to R6.09.00), Exaopc R3.72.00 to R3.80.00 (only if NTPF100-S6 'For CENTUM VP Support CAMS for HIS' is installed), B/M9000 CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01. If an adjacent attacker successfully compromises a computer using CAMS for HIS software, they can use credentials from the compromised machine to access data from another machine using CAMS for HIS software. This can lead to a disabling of CAMS for HIS software functions on any affected machines, or information disclosure/alteration.
1791 CVE-2022-30885 Exec Code 2022-06-24 2022-06-25
0.0
None ??? ??? ??? ??? ??? ???
** Reserved ** The pyesasky for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2.0-1.4.2.
1792 CVE-2022-30997 2022-06-28 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
Use of hard-coded credentials vulnerability exists in STARDOM FCN Controller and FCJ Controller R4.10 to R4.31, which may allow an attacker with an administrative privilege to read/change configuration settings or update the controller with tampered firmware.
1793 CVE-2022-31014 74 2022-07-05 2022-07-05
0.0
None ??? ??? ??? ??? ??? ???
Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection. It is recommended that the Nextcloud Server is upgraded to 22.2.8, 23.0.5 or 24.0.1. There are no known workarounds for this issue.
1794 CVE-2022-31016 400 DoS 2022-06-25 2022-06-27
0.0
None ??? ??? ??? ??? ??? ???
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.
1795 CVE-2022-31017 571 2022-06-25 2022-06-27
0.0
None ??? ??? ??? ??? ??? ???
Zulip is an open-source team collaboration tool. Versions 2.1.0 through and including 5.2 are vulnerable to a logic error. A stream configured as private with protected history, where new subscribers should not be allowed to see messages sent before they were subscribed, when edited causes the server to incorrectly send an API event that includes the edited message to all of the stream’s current subscribers. This API event is ignored by official clients, but can be observed by using a modified client or the browser’s developer tools. This bug will be fixed in Zulip Server 5.3. There are no known workarounds.
1796 CVE-2022-31032 200 +Info 2022-06-29 2022-06-29
0.0
None ??? ??? ??? ??? ??? ???
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.58 authorizations are not properly verified when creating projects or trackers from projects marked as templates. Users can get access to information in those template projects because the permissions model is not properly enforced. Users are advised to upgrade. There are no known workarounds for this issue.
1797 CVE-2022-31034 330 2022-06-27 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in OAuth2/OIDC login flows. In each case, using a relatively predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact, potentially granting an attacker admin access to Argo CD. Patches for this vulnerability have been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability.
1798 CVE-2022-31035 79 XSS 2022-06-27 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading.
1799 CVE-2022-31036 20 2022-06-27 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a Helm-type Application may commit a symlink which points to an out-of-bounds file. If the target file is a valid YAML file, the attacker can read the contents of that file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any YAML-formatted secrets which have been mounted as files on the repo-server. Patches for this vulnerability have been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. If you are using a version >=v2.3.0 and do not have any Helm-type Applications, you may disable the Helm config management tool as a workaround.
1800 CVE-2022-31039 2022-06-27 2022-06-28
0.0
None ??? ??? ??? ??? ??? ???
Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room's settings. This issue has been patched in release version 2.12.6.
Total number of vulnerabilities: 2011 (page 37 of 41)