CVE List - 2022 / October
Showing 1401 - 1500 of 1849 CVEs for October 2022 (Page 15 of 19)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-44769 | 2022-10-24 | TLS Certificate Generation Function Improper Input Validation |
| CVE-2021-44776 | 2022-10-24 | spx_restservice SubNet_handler_func Broken Access Control |
| CVE-2021-45925 | 2022-10-24 | Username Enumeration |
| CVE-2021-46279 | 2022-10-24 | Session Fixation and Insufficient Session Expiration |
| CVE-2021-46848 | 2022-10-24 | GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der. |
| CVE-2021-46850 | 2022-10-24 | myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter... |
| CVE-2022-3344 | 2022-10-24 | A flaw was found in the KVM's AMD nested virtualization (SVM). A malicious L1 guest could purposely fail to intercept the shutdown of a cooperative nested guest (L2), possibly leading... |
| CVE-2022-36368 | 2022-10-24 | Multiple stored cross-site scripting vulnerabilities in the web user interface of IPFire versions prior to 2.27 allow a remote authenticated attacker with administrative privilege to inject an arbitrary script. |
| CVE-2022-3676 | 2022-10-24 | In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via... |
| CVE-2022-38580 | 2022-10-24 | Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF). |
| CVE-2022-39305 | 2022-10-24 | Gin-vue-admin vulnerable to Unrestricted Upload of File with Dangerous Type |
| CVE-2022-39313 | 2022-10-24 | Parse Server crashes when receiving file download request with invalid byte range |
| CVE-2022-39314 | 2022-10-24 | User enumeration in the code-based login and password reset forms |
| CVE-2022-39836 | 2022-10-24 | An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted DLT file that crashes the process can be... |
| CVE-2022-39837 | 2022-10-24 | An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted DLT file that crashes the process can be... |
| CVE-2022-40690 | 2022-10-24 | Cross-site scripting vulnerability in BookStack versions prior to v22.09 allows a remote authenticated attacker to inject an arbitrary script. |
| CVE-2022-40984 | 2022-10-24 | Stack-based buffer overflow in WTViewerE series WTViewerE 761941 from 1.31 to 1.61 and WTViewerEfree from 1.01 to 1.52 allows an attacker to cause the product to crash by processing a... |
| CVE-2022-41796 | 2022-10-24 | Untrusted search path vulnerability in the installer of Content Transfer (for Windows) Ver.1.3 and prior allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. |
| CVE-2022-41797 | 2022-10-24 | Improper authorization in handler for custom URL scheme vulnerability in Lemon8 App for Android versions prior to 3.3.5 and Lemon8 App for iOS versions prior to 3.3.5 allows a remote... |
| CVE-2022-41799 | 2022-10-24 | Improper access control vulnerability in GROWI prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series) allows a remote authenticated attacker to bypass access restriction and download the... |
| CVE-2022-41986 | 2022-10-24 | Information disclosure vulnerability in Android App 'IIJ SmartKey' versions prior to 2.1.4 allows an attacker to obtain a one-time password issued by the product under certain conditions. |
| CVE-2022-43680 | 2022-10-24 | In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. |
| CVE-2022-38117 | 2022-10-24 | Juiker app - Hard-coded Credentials |
| CVE-2022-31468 | 2022-10-24 | OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter. |
| CVE-2022-29851 | 2022-10-24 | documentconverter in OX App Suite through 7.10.6, in a non-default configuration with ghostscript, allows OS Command Injection because file conversion may occur for an EPS document that is disguised as... |
| CVE-2022-33757 | 2022-10-24 | An authenticated attacker could read Nessus Debug Log file attachments from the web UI without having the correct privileges to do so. This may lead to the disclosure of information... |
| CVE-2022-2421 | 2022-10-25 | Socket.io - Improper type validation in attachment parsing |
| CVE-2022-2422 | 2022-10-25 | Feathers - SQL injection via attribute aliases |
| CVE-2022-29822 | 2022-10-25 | Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection |
| CVE-2022-29823 | 2022-10-25 | Feathers - Query “__proto__” is converted to real prototype |
| CVE-2022-41704 | 2022-10-25 | Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input |
| CVE-2022-42890 | 2022-10-25 | Apache Batik prior to 1.16 allows RCE via scripting |
| CVE-2022-2762 | 2022-10-25 | AdminPad < 2.2 - Note Update via CSRF |
| CVE-2022-28169 | 2022-10-25 | Brocade Webtools in Brocade Fabric OS versions before v9.1.1, v9.0.1e, and v8.2.3c could allow a low-privilege Webtools user to gain elevated admin rights or privileges... |
| CVE-2022-28170 | 2022-10-25 | Brocade Fabric OS Web Application services before Brocade Fabric v9.1.0, v9.0.1e, v8.2.3c, v7.4.2j store server and user passwords in the debug statements. This could allow a local user to extract... |
| CVE-2022-3097 | 2022-10-25 | LBStopAttack < 1.1.3 - Arbitrary Settings Update via CSRF |
| CVE-2022-3246 | 2022-10-25 | Blog2Social < 6.9.10 - Subscriber+ SQLi |
| CVE-2022-3247 | 2022-10-25 | Blog2Social < 6.9.10 - Subscriber+ SSRF |
| CVE-2022-3300 | 2022-10-25 | Form Maker by 10Web < 1.15.6 - Admin+ SQLi |
| CVE-2022-3302 | 2022-10-25 | Anti-Spam by CleanTalk < 5.185.1 - Admin+ SQLi |
| CVE-2022-33178 | 2022-10-25 | A vulnerability in the radius authentication system of Brocade Fabric OS before Brocade Fabric OS 9.0 could allow a remote attacker to execute arbitrary code on the Brocade switch. |
| CVE-2022-33179 | 2022-10-25 | A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, and 7.4.2j could allow a local authenticated user to break out of restricted shells with “set... |
| CVE-2022-33180 | 2022-10-25 | A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5 could allow a local authenticated attacker to export out sensitive files with “seccryptocfg”, “configupload”. |
| CVE-2022-33181 | 2022-10-25 | An information disclosure vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, 7.4.2.j could allow a local authenticated attacker to read sensitive files using switch... |
| CVE-2022-33182 | 2022-10-25 | A privilege escalation vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, could allow a local authenticated user to escalate its privilege to root using... |
| CVE-2022-33183 | 2022-10-25 | A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, 7.4.2.j could allow a remote authenticated attacker to perform stack buffer overflow using in “firmwaredownload”... |
| CVE-2022-33184 | 2022-10-25 | A vulnerability in fab_seg.c.h libraries of all Brocade Fabric OS versions before Brocade Fabric OS v9.1.1, v9.0.1e, v8.2.3c, v8.2.0_cbn5, 7.4.2j could allow local authenticated attackers to exploit stack-based buffer overflows... |
| CVE-2022-33185 | 2022-10-25 | Several commands in Brocade Fabric OS before Brocade Fabric OS v.9.0.1e, and v9.1.0 use unsafe string functions to process user input. Authenticated local attackers could abuse these vulnerabilities to exploit... |
| CVE-2022-3335 | 2022-10-25 | Kadence WooCommerce Email Designer < 1.5.7 - Admin+ PHP Object Injection |
| CVE-2022-3350 | 2022-10-25 | Contact Bank <= 3.0.30 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-3391 | 2022-10-25 | Retain Live Chat <= 0.1 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-3392 | 2022-10-25 | WP Humans.txt <= 1.0.6 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-3393 | 2022-10-25 | Post to CSV by BestWebSoft <= 1.4.0 - Author+ CSV Injection |
| CVE-2022-3394 | 2022-10-25 | WP All Export Pro < 1.7.9 - Authenticated Code Injection |
| CVE-2022-3395 | 2022-10-25 | WP All Export Pro < 1.7.9 - Authenticated SQLi |
| CVE-2022-34870 | 2022-10-25 | Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application |
| CVE-2022-35132 | 2022-10-25 | Usermin through 1.850 allows a remote authenticated user to execute OS commands via command injection in a filename for the GPG module. |
| CVE-2022-35739 | 2022-10-25 | PRTG Network Monitor through 22.2.77.2204 does not prevent custom input for a device’s icon, which can be modified to insert arbitrary content into the style tag for that device. When... |
| CVE-2022-3644 | 2022-10-25 | The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as... |
| CVE-2022-36451 | 2022-10-25 | A vulnerability in the MiCollab Client server component of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to conduct a Server-Side Request Forgery (SSRF) attack due to insufficient restriction... |
| CVE-2022-36452 | 2022-10-25 | A vulnerability in the web conferencing component of Mitel MiCollab through 9.5.0.101 could allow an unauthenticated attacker to upload malicious files. A successful exploit could allow an attacker to execute... |
| CVE-2022-36453 | 2022-10-25 | A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful... |
| CVE-2022-36454 | 2022-10-25 | A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit... |
| CVE-2022-38162 | 2022-10-25 | Reflected cross-site scripting (XSS) vulnerabilities in WithSecure (through 2022-08-10) exist within the F-Secure Policy Manager due to an unvalidated parameter in the endpoint, which allows remote attackers to provide a... |
| CVE-2022-38181 | 2022-10-25 | The Arm Mali GPU kernel driver allows unprivileged users to access freed memory because GPU memory operations are mishandled. This affects Bifrost r0p0 through r38p1, and r39p0; Valhall r19p0 through... |
| CVE-2022-38870 | 2022-10-25 | Free5gc v3.2.1 is vulnerable to Information disclosure. |
| CVE-2022-39312 | 2022-10-25 | Dataease Mysql Data Source JDBC Connection Parameters Not Verified Leads to Deserialization Vulnerability |
| CVE-2022-39315 | 2022-10-25 | Kirby CMS vulnerable to user enumeration in the brute force protection |
| CVE-2022-39321 | 2022-10-25 | GitHub Actions Runner vulnerable to Docker Command Escaping |
| CVE-2022-39322 | 2022-10-25 | @keystone-6/core vulnerable to field-level access-control bypass for multiselect field |
| CVE-2022-39326 | 2022-10-25 | kartverket/github-workflows's run-terraform allows for RCE via terraform plan |
| CVE-2022-39327 | 2022-10-25 | Improper Control of Generation of Code ('Code Injection') in Azure CLI |
| CVE-2022-39340 | 2022-10-25 | OpenFGA Information Disclosure |
| CVE-2022-39341 | 2022-10-25 | OpenFGA Authorization Bypass |
| CVE-2022-39342 | 2022-10-25 | OpenFGA Authorization Bypass |
| CVE-2022-39345 | 2022-10-25 | Gin-vue-admin arbitrary file upload vulnerability caused by path traversal |
| CVE-2022-39349 | 2022-10-25 | Tasks.org vulnerable to data exfiltration by malicious app or adb |
| CVE-2022-39350 | 2022-10-25 | @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details |
| CVE-2022-39351 | 2022-10-25 | Dependency-Track vulnerable to logging of API keys in clear text when handling API requests using keys with insufficient permissions |
| CVE-2022-39354 | 2022-10-25 | evm has incorrect is_static parameter for custom stateful precompiles |
| CVE-2022-41711 | 2022-10-25 | Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by... |
| CVE-2022-36783 | 2022-10-25 | AlgoSec – FireFlow Reflected Cross-Site-Scripting (RXSS) |
| CVE-2022-27623 | 2022-10-25 | Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors. |
| CVE-2022-27622 | 2022-10-25 | Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors. |
| CVE-2022-38200 | 2022-10-25 | BUG-000142376 - Reflected Cross-Site Scripting (XSS) vulnerability in ArcGIS Server. |
| CVE-2022-38199 | 2022-10-25 | BUG-000144172 - Remote file download issue in ArcGIS Server |
| CVE-2022-38198 | 2022-10-25 | BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server |
| CVE-2022-38197 | 2022-10-25 | BUG-000148347 Unvalidated redirect issues in ArcGIS Server. |
| CVE-2022-38196 | 2022-10-25 | BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability |
| CVE-2022-38195 | 2022-10-25 | BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server |
| CVE-2022-27804 | 2022-10-25 | An OS command injection vulnerability exists in the web interface util_set_abode_code functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to... |
| CVE-2022-27805 | 2022-10-25 | An authentication bypass vulnerability exists in the GHOME control functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted network request can lead to arbitrary XCMD... |
| CVE-2022-29472 | 2022-10-25 | An OS command injection vulnerability exists in the web interface util_set_serial_mac functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to... |
| CVE-2022-29475 | 2022-10-25 | An information disclosure vulnerability exists in the XFINDER functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted man-in-the-middle attack can lead to increased privileges. An... |
| CVE-2022-29477 | 2022-10-25 | An authentication bypass vulnerability exists in the web interface /action/factory* functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP header can lead to authentication... |
| CVE-2022-29520 | 2022-10-25 | An OS command injection vulnerability exists in the console_main_loop :sys functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z. A specially-crafted XCMD can lead to arbitrary command execution. An... |
| CVE-2022-29889 | 2022-10-25 | A hard-coded password vulnerability exists in the telnet functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z. Use of a hard-coded root password can lead to arbitrary command execution.... |
| CVE-2022-30541 | 2022-10-25 | An OS command injection vulnerability exists in the XCMD setUPnP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted XCMD can lead to arbitrary command... |
| CVE-2022-30603 | 2022-10-25 | An OS command injection vulnerability exists in the web interface /action/iperf functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to... |
| CVE-2022-32454 | 2022-10-25 | A stack-based buffer overflow vulnerability exists in the XCMD setIPCam functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted XCMD can lead to remote code... |
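The Feathers entry CVE-2022-29823 above ("Query `__proto__` is converted to real prototype") names a bug class that is easy to reproduce in a few lines. The following is an added example written for this page; it is not Feathers' code and makes no claim about where the bug sat in that library. The query object, `naiveCopy`, `safeCopy` and `grantsAdmin` are all constructed for illustration.

```javascript
// Added example, not Feathers' code: a JSON-decoded query object whose own
// key is "__proto__" becomes a real prototype when copied with plain
// assignment, and a copy routine that refuses such keys.

// Constructed attacker input. JSON.parse produces an *own* property literally
// named "__proto__"; an object literal {"__proto__": ...} would instead set the
// prototype at creation time, which is why the decoded form is the dangerous one.
const UNTRUSTED_QUERY = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');

// Vulnerable: bracket assignment with the key "__proto__" invokes the
// Object.prototype.__proto__ setter, so the attacker-supplied object becomes
// the prototype of `out` and its fields resolve on ordinary property reads.
function naiveCopy(query) {
  const out = {};
  for (const key of Object.keys(query)) {
    out[key] = query[key];
  }
  return out;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: copy into a prototype-less object with defineProperty (which never
// runs setters) and reject the keys that can reach the prototype chain.
function safeCopy(query) {
  const out = Object.create(null);
  for (const key of Object.keys(query)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`forbidden query key: ${key}`);
    }
    Object.defineProperty(out, key, {
      value: query[key], enumerable: true, writable: true, configurable: true,
    });
  }
  return out;
}

// Downstream logic that trusts the copied query object. With the naive copy an
// attacker reaches this branch without ever sending an own "isAdmin" key.
function grantsAdmin(query) {
  return query.isAdmin === true;
}
```

Note that `Object.keys(naiveCopy(UNTRUSTED_QUERY))` still lists only `name`: the injected field is invisible to key enumeration, to `JSON.stringify`, and to any schema check that iterates own properties, which is what makes this variant slip past validation that runs after the copy.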
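CVE-2022-39313 above describes Parse Server crashing on a file download request with an invalid byte range. The parser below is an added example for this page, not Parse Server's code and not a description of its fix; it shows the shape a Range parser needs so that every input, including the malformed ones, yields a decision instead of an exception or NaN offsets. The function names and result shape are this example's own.

```javascript
// Added example, not Parse Server's code: a byte-range parser for a file
// download endpoint that yields a decision for every input, including the
// malformed ranges that would otherwise surface as NaN offsets or a throw.
//
// Result kinds:
//   { kind: 'none' }                 no usable Range: serve the whole body (200)
//   { kind: 'unsatisfiable' }        well-formed but outside the body: 416
//   { kind: 'partial', start, end }  inclusive offsets to serve (206)
// RFC 7233 lets a server ignore a Range it cannot parse, so syntactically
// invalid headers (and multi-range sets, which this parser does not support)
// map to 'none' rather than to an error.
function parseByteRange(header, size) {
  if (typeof header !== 'string' || !Number.isInteger(size) || size < 0) {
    return { kind: 'none' };
  }
  const m = /^bytes=(\d*)-(\d*)$/.exec(header.trim());
  if (m === null) return { kind: 'none' };
  const [, firstStr, lastStr] = m;

  if (firstStr === '' && lastStr === '') return { kind: 'none' }; // "bytes=-"

  if (firstStr === '') {
    // Suffix range "bytes=-N": the last N bytes. N of 0 is unsatisfiable;
    // N larger than the body just means the whole body.
    const n = Number(lastStr);
    if (!Number.isSafeInteger(n)) return { kind: 'none' };
    if (n === 0 || size === 0) return { kind: 'unsatisfiable' };
    return { kind: 'partial', start: Math.max(0, size - n), end: size - 1 };
  }

  // Oversized digit strings become imprecise doubles; refuse them rather
  // than compute offsets from a rounded value.
  const start = Number(firstStr);
  if (!Number.isSafeInteger(start)) return { kind: 'none' };
  let last = size - 1;
  if (lastStr !== '') {
    last = Number(lastStr);
    if (!Number.isSafeInteger(last)) return { kind: 'none' };
    // last-byte-pos below first-byte-pos is syntactically invalid (RFC 7233 2.1),
    // and an invalid spec means the whole header is ignored.
    if (last < start) return { kind: 'none' };
  }
  if (start >= size) return { kind: 'unsatisfiable' };
  return { kind: 'partial', start, end: Math.min(last, size - 1) };
}

// Content-Range value to send alongside a 206 or 416 response.
function contentRange(result, size) {
  if (result.kind === 'partial') return `bytes ${result.start}-${result.end}/${size}`;
  if (result.kind === 'unsatisfiable') return `bytes */${size}`;
  return null;
}
```

The two checks worth keeping even if the rest is rewritten are the `Number.isSafeInteger` guards (a 20-digit first-byte-pos silently rounds otherwise) and the ordering of the syntactic-invalidity test before the unsatisfiable test, so that `bytes=500-100` is ignored rather than answered with a 416.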
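CVE-2022-3393 above ("Post to CSV by BestWebSoft <= 1.4.0 - Author+ CSV Injection") is the spreadsheet-formula variant of an export bug. The code below is an added example for this page, not the plugin's code; it shows the neutralisation a CSV writer needs for attacker-controlled text columns. The post records and the `exportPosts` helper are constructed for illustration.

```javascript
// Added example, not the plugin's code: emitting CSV cells so that a value
// beginning with a formula trigger is stored as text by spreadsheet
// applications, while keeping the output valid under RFC 4180.

// Characters that make Excel/LibreOffice treat a cell as a formula or as a
// continuation of one: '=', '+', '-', '@', tab and carriage return.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

function csvCell(value) {
  let s = value === null || value === undefined ? '' : String(value);
  // Leading trigger: prefix a single quote so the spreadsheet keeps the text as-is.
  if (s.length > 0 && FORMULA_TRIGGERS.has(s[0])) s = "'" + s;
  // RFC 4180 quoting: wrap when the cell contains a comma, quote or line break,
  // and double any embedded quotes.
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

function csvRow(values) {
  return values.map(csvCell).join(',');
}

// Constructed export: the "title" column is attacker-controlled (an Author-level
// user can set post titles), so it is the one that needs neutralising.
function exportPosts(posts) {
  const lines = [csvRow(['id', 'title', 'author'])];
  for (const p of posts) lines.push(csvRow([p.id, p.title, p.author]));
  return lines.join('\r\n');
}
```

Two trade-offs to be aware of: the prefix is visible to the user as a leading apostrophe, and a genuinely numeric column whose values start with `-` will be exported as text, so apply `csvCell` to free-text columns and format numbers separately. Quoting alone is not enough; a cell such as `"=cmd|..."` is still evaluated by some spreadsheet versions, which is why the prefix is needed as well.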
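Server-side request forgery appears four times on this page (CVE-2022-38580 in Skipper, CVE-2022-3247 in Blog2Social, CVE-2022-36451 in MiCollab, CVE-2022-27622 in DSM Package Center). The check below is an added example for this page and is not code from any of those projects; it shows the parse-time half of an outbound-URL policy. The prefix table, function names and result shape are this example's own, and it relies on the WHATWG URL parser (Node's `URL`) having already folded unusual IP spellings into canonical form.

```javascript
// Added example, not code from Skipper, Blog2Social, MiCollab or DSM: a
// parse-time check for URLs a server is asked to fetch on a user's behalf.
// It rejects non-HTTP schemes, embedded credentials, localhost names and IP
// literals in loopback, private, link-local (cloud metadata), CGNAT,
// multicast and reserved space. A hostname that passes still has to be
// resolved and the resulting address re-checked at connect time, because
// DNS can answer with an internal address, or change its answer (rebinding).

// Blocked IPv4 prefixes, as [network, prefix length].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function inBlock(ip, network, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

function ipv4Blocked(ip) {
  return BLOCKED_V4.some(([network, bits]) => inBlock(ip, network, bits));
}

// IPv6 host as serialised by the WHATWG URL parser (lower-case, compressed,
// IPv4-mapped addresses written in hex).
function ipv6Blocked(ip) {
  if (ip === '::1' || ip === '::') return true;          // loopback, unspecified
  if (/^f[cd][0-9a-f]{2}:/.test(ip)) return true;        // fc00::/7 unique-local
  if (/^fe[89ab][0-9a-f]:/.test(ip)) return true;        // fe80::/10 link-local
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(ip);
  if (mapped) {                                           // ::ffff:a.b.c.d, hex form
    const hi = parseInt(mapped[1], 16);
    const lo = parseInt(mapped[2], 16);
    return ipv4Blocked(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

function checkOutboundUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials in url' };
  }
  const host = url.hostname; // lower-cased and canonicalised by the parser
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'localhost' };
  }
  if (host.startsWith('[')) {
    return ipv6Blocked(host.slice(1, -1))
      ? { ok: false, reason: 'internal ipv6 address' }
      : { ok: true, host, resolved: true };
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    // The parser has already folded spellings such as 2130706433 or 0x7f.1
    // into dotted decimal, so one canonical form is all that needs checking.
    return ipv4Blocked(host)
      ? { ok: false, reason: 'internal ipv4 address' }
      : { ok: true, host, resolved: true };
  }
  // A name: allowed at this stage, but the caller must resolve it and run
  // ipv4Blocked / ipv6Blocked on the address it actually connects to.
  return { ok: true, host, resolved: false };
}
```

The `resolved: false` result is the important one: a hostname check is only an allow-list for the string, not for the connection. Pin the resolved address (resolve once, check it, connect to that literal) and disable redirects or re-run the check on every redirect target, since an allowed external host can 302 to an internal one.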