CVE List - 2022 / November
Showing 1701 - 1800 of 2020 CVEs for November 2022 (Page 18 of 21)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2022-44260 | 2022-11-23 | TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication buffer overflow via parameter sPort/ePort in the setIpPortFilterRules function. |
| CVE-2022-44278 | 2022-11-23 | Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=user/manage_user&id=. |
| CVE-2022-44280 | 2022-11-23 | Automotive Shop Management System v1.0 is vulnerable to Delete any file via /asms/classes/Master.php?f=delete_img. |
| CVE-2022-44789 | 2022-11-23 | A logical issue in O_getOwnPropertyDescriptor() in Artifex MuJS 1.0.0 through 1.3.x before 1.3.2 allows an attacker to achieve Remote Code Execution through memory corruption, via the loading of a crafted... |
| CVE-2022-45149 | 2022-11-23 | A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the... |
| CVE-2022-45150 | 2022-11-23 | A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in policy tool. An attacker can trick the victim to open... |
| CVE-2022-45151 | 2022-11-23 | The stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute arbitrary HTML... |
| CVE-2022-45276 | 2022-11-23 | An issue in the /index/user/user_edit.html component of YJCMS v1.0.9 allows unauthenticated attackers to obtain the Administrator account password. |
| CVE-2022-45278 | 2022-11-23 | Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /index.php/admins/Fields/get_fields.html component. |
| CVE-2022-45280 | 2022-11-23 | A cross-site scripting (XSS) vulnerability in the Url parameter in /login.php of EyouCMS v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2022-45462 | 2022-11-23 | Apache DolphinScheduler prior to 2.0.5 has a command execution vulnerability |
| CVE-2022-45472 | 2022-11-23 | CAE LearningSpace Enterprise (with Intuity License) image 267r patch 639 allows DOM XSS, related to ontouchmove and onpointerup. |
| CVE-2022-45866 | 2022-11-23 | qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file. |
| CVE-2022-45872 | 2022-11-23 | iTerm2 before 3.4.18 mishandles a DECRQSS response. |
| CVE-2022-45873 | 2022-11-23 | systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology... |
| CVE-2022-4019 | 2022-11-23 | An authenticated user could send multiple requests containing a large payload to a Playbooks API and crash a Mattermost server |
| CVE-2022-4044 | 2022-11-23 | An authenticated user could send multiple requests containing a large Auto Responder Message payload and crash a Mattermost server |
| CVE-2022-4045 | 2022-11-23 | An authenticated user could send multiple requests containing a parameter which could fetch a large amount of data and crash a Mattermost server |
| CVE-2022-42895 | 2022-11-23 | Info Leak in l2cap_core in the Linux Kernel |
| CVE-2022-42896 | 2022-11-23 | Info Leak in l2cap_core in the Linux Kernel |
| CVE-2021-35246 | 2022-11-23 | Unprotected Transport of Credentials (HSTS) Vulnerability |
| CVE-2022-2650 | 2022-11-24 | Improper Restriction of Excessive Authentication Attempts in wger-project/wger |
| CVE-2022-26885 | 2022-11-24 | Apache DolphinScheduler config file read by task risk |
| CVE-2022-4088 | 2022-11-24 | rickxy Stock Management System processlogin.php sql injection |
| CVE-2022-4089 | 2022-11-24 | rickxy Stock Management System processlogin.php cross site scripting |
| CVE-2022-4090 | 2022-11-24 | rickxy Stock Management System cross-site request forgery |
| CVE-2022-4136 | 2022-11-24 | Exposed Dangerous Method or Function in qmpaas/leadshop |
| CVE-2022-44748 | 2022-11-24 | Uploading workflows to KNIME Server may override arbitrary file system contents |
| CVE-2022-44749 | 2022-11-24 | Opening workflows from untrusted resources may override arbitrary file system contents |
| CVE-2022-40266 | 2022-11-24 | Denial-of-Service (DoS) Vulnerability in FTP Server Function on GOT2000 Series |
| CVE-2022-40976 | 2022-11-24 | PILZ: Multiple products affected by ZipSlip |
| CVE-2022-40977 | 2022-11-24 | PILZ: PASvisu and PMI affected by ZipSlip |
| CVE-2022-25164 | 2022-11-24 | Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and Mitsubishi Electric MX OPC UA Module Configurator-R versions 1.08J and prior allows a... |
| CVE-2022-29825 | 2022-11-24 | Use of Hard-coded Password vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C, and MT Works2 versions from 1.100E... |
| CVE-2022-29826 | 2022-11-24 | Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.087R and Motion Control Setting(GX Works3 related software) versions from 1.000A to 1.042U allows a... |
| CVE-2022-29827 | 2022-11-24 | Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers... |
| CVE-2022-29828 | 2022-11-24 | Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers... |
| CVE-2022-29829 | 2022-11-24 | Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C, Motion Control Setting(GX Works3 related... |
| CVE-2022-29830 | 2022-11-24 | Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z, and Motion Control Setting(GX Works3 related software) versions from 1.000A to 1.065T allows a... |
| CVE-2022-29831 | 2022-11-24 | Use of Hard-coded Password vulnerability in Mitsubishi Electric Corporation GX Works3 versions from 1.015R to 1.095Z allows a remote unauthenticated attacker to obtain information about the project file for MELSEC... |
| CVE-2022-29832 | 2022-11-24 | Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later, GX Works2 all versions and GX Developer versions 8.40S and later allows... |
| CVE-2022-29833 | 2022-11-24 | Insufficiently Protected Credentials vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users could access... |
| CVE-2022-45218 | 2022-11-25 | Human Resource Management System v1.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability. This vulnerability is triggered via a crafted payload injected into an authentication error message. |
| CVE-2022-45884 | 2022-11-25 | An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops. |
| CVE-2022-45886 | 2022-11-25 | An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free. |
| CVE-2022-0698 | 2022-11-25 | Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter. |
| CVE-2022-23044 | 2022-11-25 | Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. |
| CVE-2022-2721 | 2022-11-25 | In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plain text when verbose logging is enabled. |
| CVE-2022-36133 | 2022-11-25 | The WebConfig functionality of Epson TM-C3500 and TM-C7500 devices with firmware version WAM31500 allows authentication bypass. |
| CVE-2022-37720 | 2022-11-25 | Orchardproject Orchard CMS 1.10.3 is vulnerable to Cross Site Scripting (XSS). When a low privileged user such as an author or publisher, injects a crafted html and javascript payload in... |
| CVE-2022-37721 | 2022-11-25 | PyroCMS 3.9 is vulnerable to a stored Cross Site Scripting (XSS) when a low privileged user such as an author, injects a crafted html and javascript payload in a blog... |
| CVE-2022-38166 | 2022-11-25 | In F-Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by... |
| CVE-2022-38767 | 2022-11-25 | An issue was discovered in Wind River VxWorks 6.9 and 7, in which a specifically crafted packet sent by a RADIUS server may cause Denial of Service during the IP... |
| CVE-2022-38813 | 2022-11-25 | PHPGurukul Blood Donor Management System 1.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, delete the users, add and manage Blood Group,... |
| CVE-2022-39325 | 2022-11-25 | Cross-site scripting vulnerability in BaserCMS |
| CVE-2022-39331 | 2022-11-25 | Cross-site Scripting (XSS) in Nextcloud Desktop Client |
| CVE-2022-39332 | 2022-11-25 | Cross-site scripting (XSS) in Nextcloud Desktop Client |
| CVE-2022-39333 | 2022-11-25 | Cross-site scripting (XSS) in Nextcloud Desktop Client |
| CVE-2022-39334 | 2022-11-25 | nextcloudcmd incorrectly trusts bad TLS certificates |
| CVE-2022-39338 | 2022-11-25 | Stored cross site scripting (XSS) vulnerability via Authorization Endpoint in user_oidc |
| CVE-2022-39339 | 2022-11-25 | Cleartext Transmission of Sensitive Information in user_oidc |
| CVE-2022-39346 | 2022-11-25 | Missing length validation of user displayname in nextcloud server |
| CVE-2022-40282 | 2022-11-25 | The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection. This allows an authenticated attacker to pass commands to the shell of the system because the dir parameter... |
| CVE-2022-4091 | 2022-11-25 | SourceCodester Canteen Management System food.php query cross site scripting |
| CVE-2022-41156 | 2022-11-25 | OndiskPlayer Remote Code Execution Vulnerability |
| CVE-2022-41157 | 2022-11-25 | ERP solution Remote Code Execution Vulnerability |
| CVE-2022-41158 | 2022-11-25 | eyoom builder Remote Code Execution Vulnerability |
| CVE-2022-4135 | 2022-11-25 | Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted... |
| CVE-2022-4141 | 2022-11-25 | Heap-based Buffer Overflow in vim/vim |
| CVE-2022-41705 | 2022-11-25 | Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by... |
| CVE-2022-41706 | 2022-11-25 | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method. |
| CVE-2022-41712 | 2022-11-25 | Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in... |
| CVE-2022-41926 | 2022-11-25 | Nextcloud Talk Android broadcast incorrect permission handling |
| CVE-2022-41954 | 2022-11-25 | Temporary File Information Disclosure Vulnerability |
| CVE-2022-41958 | 2022-11-25 | Deserialization Vulnerability by yaml config input in super-xray |
| CVE-2022-43983 | 2022-11-25 | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html... |
| CVE-2022-43984 | 2022-11-25 | Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external... |
| CVE-2022-44411 | 2022-11-25 | Web Based Quiz System v1.0 transmits user passwords in plaintext during the authentication process, allowing attackers to obtain users' passwords via a brute-force attack. |
| CVE-2022-44843 | 2022-11-25 | TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the port parameter in the setting/setOpenVpnClientCfg function. |
| CVE-2022-44844 | 2022-11-25 | TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the pass parameter in the setting/setOpenVpnCfg function. |
| CVE-2022-44858 | 2022-11-25 | Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /asms/products/view_product.php. |
| CVE-2022-44859 | 2022-11-25 | Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /asms/admin/products/manage_product.php. |
| CVE-2022-44860 | 2022-11-25 | Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/transactions/update_status.php. |
| CVE-2022-45036 | 2022-11-25 | A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the... |
| CVE-2022-45037 | 2022-11-25 | A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field. |
| CVE-2022-45038 | 2022-11-25 | A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field. |
| CVE-2022-45039 | 2022-11-25 | An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-45040 | 2022-11-25 | A cross-site scripting (XSS) vulnerability in /admin/pages/sections_save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name Section field. |
| CVE-2022-45152 | 2022-11-25 | A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise... |
| CVE-2022-45205 | 2022-11-25 | Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData. |
| CVE-2022-45206 | 2022-11-25 | Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check. |
| CVE-2022-45207 | 2022-11-25 | Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component updateNullByEmptyString. |
| CVE-2022-45208 | 2022-11-25 | Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/user/putRecycleBin. |
| CVE-2022-45210 | 2022-11-25 | Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/user/deleteRecycleBin. |
| CVE-2022-45225 | 2022-11-25 | Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted... |
| CVE-2022-45475 | 2022-11-25 | Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control. |
| CVE-2022-45476 | 2022-11-25 | Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is... |
| CVE-2022-45885 | 2022-11-25 | An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected. |
| CVE-2022-45887 | 2022-11-25 | An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call. |
| CVE-2022-45888 | 2022-11-25 | An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device. |