| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1951 | CVE-2022-33325 | | | Exec Code | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. Specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The `/ajax/clear_tools_log/` API is affected by a command injection vulnerability. |
| 1952 | CVE-2022-33326 | | | Exec Code | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. Specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The `/ajax/config_rollback/` API is affected by a command injection vulnerability. |
| 1953 | CVE-2022-33327 | | | Exec Code | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. Specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The `/ajax/remove_sniffer_raw_log/` API is affected by a command injection vulnerability. |
| 1954 | CVE-2022-33328 | | | Exec Code | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. Specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The `/ajax/remove/` API is affected by a command injection vulnerability. |
| 1955 | CVE-2022-33329 | | | Exec Code | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. Specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The `/ajax/set_sys_time/` API is affected by a command injection vulnerability. |
| 1956 | CVE-2022-33638 | | | | 2022-06-29 | 2022-06-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33639. |
| 1957 | CVE-2022-33639 | | | | 2022-06-29 | 2022-06-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33638. |
| 1958 | CVE-2022-33740 | | | +Info | 2022-07-05 | 2022-07-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). |
| 1959 | CVE-2022-33741 | | | +Info | 2022-07-05 | 2022-07-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). |
| 1960 | CVE-2022-33742 | | | +Info | 2022-07-05 | 2022-07-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). |
| 1961 | CVE-2022-33743 | | | | 2022-07-05 | 2022-07-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. |
| 1962 | CVE-2022-33744 | | | DoS | 2022-07-05 | 2022-07-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. |
| 1963 | CVE-2022-33879 | | | | 2022-06-27 | 2022-06-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. |
| 1964 | CVE-2022-33910 | | | Exec Code XSS | 2022-06-24 | 2022-06-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute. |
| 1965 | CVE-2022-33948 | | | Exec Code | 2022-07-04 | 2022-07-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | HOME SPOT CUBE2 V102 contains an OS command injection vulnerability due to improper processing of data received from DHCP server. An adjacent attacker may execute an arbitrary OS command on the product if a malicious DHCP server is placed on the WAN side of the product. |
| 1966 | CVE-2022-33971 | | | Bypass | 2022-07-04 | 2022-07-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier, which may allow an adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally to cause a denial-of-service (DoS) condition or execute a malicious program. |
| 1967 | CVE-2022-34043 | | | Exec Code | 2022-06-29 | 2022-06-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Incorrect permissions for the folder C:\ProgramData\NoMachine\var\uninstall of Nomachine v7.9.2 allows attackers to perform a DLL hijacking attack and execute arbitrary code. |
| 1968 | CVE-2022-34057 | | | Exec Code | 2022-06-24 | 2022-06-25 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The Scoptrial package in PyPI version v0.0.5 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. |
| 1969 | CVE-2022-34059 | | | Exec Code | 2022-06-24 | 2022-06-25 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The Sixfab-Tool in PyPI v0.0.2 to v0.0.3 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. |
| 1970 | CVE-2022-34060 | | | Exec Code | 2022-06-24 | 2022-06-25 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The Togglee package in PyPI version v0.0.8 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. |
| 1971 | CVE-2022-34061 | | | Exec Code | 2022-06-24 | 2022-06-25 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The Catly-Translate package in PyPI v0.0.3 to v0.0.5 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. |
| 1972 | CVE-2022-34064 | | | Exec Code | 2022-06-24 | 2022-06-25 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The Zibal package in PyPI v1.0.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. |
| 1973 | CVE-2022-34065 | | | Exec Code | 2022-06-24 | 2022-06-25 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The Rondolu-YT-Concate package in PyPI v0.1.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. |
| 1974 | CVE-2022-34066 | | | Exec Code | 2022-06-24 | 2022-06-25 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The Texercise package in PyPI v0.0.1 to v0.0.12 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. |
| 1975 | CVE-2022-34132 | | | Sql | 2022-06-28 | 2022-06-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Benjamin BALET Jorani v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at application/controllers/Leaves.php. |
| 1976 | CVE-2022-34133 | | | XSS | 2022-06-28 | 2022-06-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Benjamin BALET Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Comment parameter at application/controllers/Leaves.php. |
| 1977 | CVE-2022-34134 | | | CSRF | 2022-06-28 | 2022-06-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Benjamin BALET Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php. |
| 1978 | CVE-2022-34151 | | | | 2022-07-04 | 2022-07-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who successfully obtained the user credentials by analyzing the affected product to access the controller. |
| 1979 | CVE-2022-34265 | | | Sql | 2022-07-04 | 2022-07-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. |
| 1980 | CVE-2022-34295 | | | | 2022-06-23 | 2022-06-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | totd before 1.5.3 does not properly randomize mesg IDs. |
| 1981 | CVE-2022-34296 | | | Bypass | 2022-06-23 | 2022-06-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | In Zalando Skipper before 0.13.218, a query predicate could be bypassed via a prepared request. |
| 1982 | CVE-2022-34298 | | | | 2022-06-23 | 2022-06-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack." |
| 1983 | CVE-2022-34491 | | | XSS | 2022-06-25 | 2022-06-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | In the RSS extension for MediaWiki through 1.38.1, when the $wgRSSAllowLinkTag config variable was set to true, and a new RSS feed was created with certain XSS payloads within its description tags and added to the $wgRSSUrlWhitelist config variable, stored XSS could occur via MediaWiki's template system whenever that feed was loaded via the rss document tag. |
| 1984 | CVE-2022-34494 | | | | 2022-06-26 | 2022-06-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free. |
| 1985 | CVE-2022-34495 | | | | 2022-06-26 | 2022-06-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free. |
| 1986 | CVE-2022-34750 | | | | 2022-06-28 | 2022-06-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack vectors within the Wikibase and WikibaseLexeme extensions. This is related to Special:NewLexeme and Special:NewProperty. |
| 1987 | CVE-2022-34777 | 79 | | XSS | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| 1988 | CVE-2022-34778 | 79 | | XSS | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results. |
| 1989 | CVE-2022-34779 | 862 | | | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| 1990 | CVE-2022-34780 | 352 | | CSRF | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| 1991 | CVE-2022-34781 | 862 | | | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| 1992 | CVE-2022-34782 | 863 | | | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests. |
| 1993 | CVE-2022-34783 | 79 | | XSS | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| 1994 | CVE-2022-34784 | 79 | | XSS | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission. |
| 1995 | CVE-2022-34785 | 862 | | +Info | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins build-metrics Plugin 1.3 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them. |
| 1996 | CVE-2022-34786 | 79 | | XSS | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. |
| 1997 | CVE-2022-34787 | | | XSS | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked. |
| 1998 | CVE-2022-34788 | 79 | | XSS | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. |
| 1999 | CVE-2022-34789 | 352 | | CSRF | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds. |
| 2000 | CVE-2022-34790 | 79 | | XSS | 2022-06-30 | 2022-06-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |