CVE List - 2022 / November
Showing 1201 - 1300 of 2020 CVEs for November 2022 (Page 13 of 21)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2022-42000 | 2022-11-15 | Potential XSS in comment section |
| CVE-2022-42001 | 2022-11-15 | Potential XSS in book navigation |
| CVE-2022-43780 | 2022-11-15 | Certain HP ENVY, OfficeJet, and DeskJet printers may be vulnerable to a Denial of Service attack. |
| CVE-2022-41558 | 2022-11-15 | TIBCO Spotfire Stored Cross Site Scripting (XSS) Vulnerability |
| CVE-2022-27895 | 2022-11-15 | A component in Foundry logging was found to be capturing sensitive information in logs. |
| CVE-2022-3920 | 2022-11-15 | Consul Peering Imported Nodes/Services Leak |
| CVE-2022-4014 | 2022-11-16 | FeehiCMS Post My Comment Tab cross-site request forgery |
| CVE-2022-4015 | 2022-11-16 | Sports Club Management System make_payments.php sql injection |
| CVE-2022-43262 | 2022-11-16 | Human Resource Management System v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /hrm/controller/login.php. |
| CVE-2022-45047 | 2022-11-16 | Apache MINA SSHD: Java unsafe deserialization vulnerability |
| CVE-2021-38819 | 2022-11-16 | A SQL injection vulnerability exists on the Simple Image Gallery System 1.0 application through "id" parameter on the album page. |
| CVE-2022-2166 | 2022-11-16 | Improper Restriction of Excessive Authentication Attempts in mastodon/mastodon |
| CVE-2022-39316 | 2022-11-16 | Out of bounds read in FreeRDP |
| CVE-2022-39317 | 2022-11-16 | Out of bounds read in zgfx decoder in FreeRDP |
| CVE-2022-39318 | 2022-11-16 | Division by zero in urbdrc channel in FreeRDP |
| CVE-2022-39319 | 2022-11-16 | Missing length validation in urbdrc channel in FreeRDP |
| CVE-2022-39320 | 2022-11-16 | Heap buffer overflow in urbdrc channel |
| CVE-2022-39347 | 2022-11-16 | Missing path sanitation with `drive` channel in FreeRDP |
| CVE-2022-39383 | 2022-11-16 | SSRF vulnerability in KubeVela VelaUX APIServer |
| CVE-2022-3980 | 2022-11-16 | An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4. |
| CVE-2022-4011 | 2022-11-16 | Simple History Plugin Header neutralization for logs |
| CVE-2022-4012 | 2022-11-16 | Hospital Management Center patient-info.php sql injection |
| CVE-2022-4013 | 2022-11-16 | Hospital Management Center appointment.php cross-site request forgery |
| CVE-2022-4018 | 2022-11-16 | Missing Authentication for Critical Function in ikus060/rdiffweb |
| CVE-2022-40752 | 2022-11-16 | IBM InfoSphere DataStage 11.7 is vulnerable to a command injection vulnerability due to improper neutralization of special elements. IBM X-Force ID: 236687. |
| CVE-2022-41877 | 2022-11-16 | Missing input length validation in `drive` channel in FreeRDP |
| CVE-2022-41914 | 2022-11-16 | Non-constant-time SCIM token comparison in Zulip Server |
| CVE-2022-42960 | 2022-11-16 | EqualWeb Accessibility Widget 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.10, 3.0.0, 3.0.1, 3.0.2, 4.0.0, and 4.0.1 allows DOM XSS due to improper validation of message events to accessibility.js. |
| CVE-2022-43135 | 2022-11-16 | Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /diagnostic/login.php. |
| CVE-2022-43234 | 2022-11-16 | An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-43256 | 2022-11-16 | SeaCms before v12.6 was discovered to contain a SQL injection vulnerability via the component /js/player/dmplayer/dmku/index.php. |
| CVE-2022-43263 | 2022-11-16 | A cross-site scripting (XSS) vulnerability in Arobas Music Guitar Pro for iPad and iPhone before v1.10.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted... |
| CVE-2022-43264 | 2022-11-16 | Arobas Music Guitar Pro for iPad and iPhone before v1.10.2 allows attackers to perform directory traversal and download arbitrary files via a crafted web request. |
| CVE-2022-43999 | 2022-11-16 | An issue was discovered in BACKCLICK Professional 5.9.63. Due to exposed CORBA management services, arbitrary system commands can be executed on the server. |
| CVE-2022-44000 | 2022-11-16 | An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server. |
| CVE-2022-44002 | 2022-11-16 | An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient output encoding of user-supplied data, the web application is vulnerable to cross-site scripting (XSS) at various locations. |
| CVE-2022-44003 | 2022-11-16 | An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations. |
| CVE-2022-44004 | 2022-11-16 | An issue was discovered in BACKCLICK Professional 5.9.63. Due to insecure design or lack of authentication, unauthenticated attackers can complete the password-reset process for any account and set a new... |
| CVE-2022-44005 | 2022-11-16 | An issue was discovered in BACKCLICK Professional 5.9.63. Due to the use of consecutive IDs in verification links, the newsletter sign-up functionality is vulnerable to the enumeration of subscribers' e-mail... |
| CVE-2022-44006 | 2022-11-16 | An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation or sanitization of upload filenames, an externally reachable, unauthenticated update function permits writing files outside the intended target... |
| CVE-2022-44007 | 2022-11-16 | An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user... |
| CVE-2022-44008 | 2022-11-16 | An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly. |
| CVE-2022-44069 | 2022-11-16 | Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via the Nest library module. |
| CVE-2022-44070 | 2022-11-16 | Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles. |
| CVE-2022-44071 | 2022-11-16 | Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via profile. |
| CVE-2022-44073 | 2022-11-16 | Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg, Users & Contacts. |
| CVE-2022-24036 | 2022-11-16 | Unauthorized modification in Karmasis Informatics Infraskope SIEM+ |
| CVE-2022-4021 | 2022-11-16 | The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. This is due to missing or incorrect nonce validation on... |
| CVE-2022-4022 | 2022-11-16 | The SVG Support plugin for WordPress defaults to insecure settings in version 2.5 and 2.5.1. SVG files containing malicious javascript are not sanitized. While version 2.5 adds the ability to... |
| CVE-2022-34354 | 2022-11-16 | IBM Sterling Partner Engagement Manager information disclosure |
| CVE-2021-31608 | 2022-11-17 | Proofpoint Enterprise Protection before 18.8.0 allows a Bypass of a Security Control. |
| CVE-2021-33897 | 2022-11-17 | A buffer overflow in Synthesia before 10.7.5567, when a non-Latin locale is used, allows user-assisted attackers to cause a denial of service (application crash) via a crafted MIDI file with... |
| CVE-2022-20427 | 2022-11-17 | In (TBD) of (TBD), there is a possible way to corrupt memory due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed.... |
| CVE-2022-20428 | 2022-11-17 | In (TBD) of (TBD), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges... |
| CVE-2022-20459 | 2022-11-17 | In (TBD) of (TBD), there is a possible way to redirect code execution due to improper input validation. This could lead to local escalation of privilege with System execution privileges... |
| CVE-2022-20460 | 2022-11-17 | In (TBD) mprot_unmap? of (TBD), there is a possible way to corrupt the memory mapping due to improper input validation. This could lead to local escalation of privilege with System... |
| CVE-2022-23748 | 2022-11-17 | mDNSResponder.exe is vulnerable to DLL Sideloading attack. Executable improperly specifies how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker could be... |
| CVE-2022-36432 | 2022-11-17 | The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating... |
| CVE-2022-36786 | 2022-11-17 | DLINK - DSL-224 Post-auth RCE. |
| CVE-2022-38165 | 2022-11-17 | Arbitrary file write in F-Secure Policy Manager through 2022-08-10 allows unauthenticated users to write the file with the contents in arbitrary locations on the F-Secure Policy Manager Server. |
| CVE-2022-39389 | 2022-11-17 | Witness Block Parsing DoS Vulnerability in lnd |
| CVE-2022-39834 | 2022-11-17 | A stored XSS vulnerability was discovered in adminweb/ra/viewendentity.jsp in PrimeKey EJBCA through 7.9.0.2. A low-privilege user can store JavaScript in order to exploit a higher-privilege user. |
| CVE-2022-4051 | 2022-11-17 | Hostel Searching Project view-property.php sql injection |
| CVE-2022-4052 | 2022-11-17 | Student Attendance Management System createClass.php sql injection |
| CVE-2022-4053 | 2022-11-17 | Student Attendance Management System createClass.php cross site scripting |
| CVE-2022-40881 | 2022-11-17 | SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php |
| CVE-2022-41920 | 2022-11-17 | Zip slip in Lancet |
| CVE-2022-42187 | 2022-11-17 | Hustoj 22.09.22 has a XSS Vulnerability in /admin/problem_judge.php. |
| CVE-2022-42245 | 2022-11-17 | Dreamer CMS 4.0.01 is vulnerable to SQL Injection. |
| CVE-2022-42246 | 2022-11-17 | Doufox 0.0.4 contains a CSRF vulnerability that can add system administrator account. |
| CVE-2022-42533 | 2022-11-17 | In shared_metadata_init of SharedMetadata.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges... |
| CVE-2022-42732 | 2022-11-17 | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that... |
| CVE-2022-42733 | 2022-11-17 | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that... |
| CVE-2022-42734 | 2022-11-17 | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that... |
| CVE-2022-42891 | 2022-11-17 | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that... |
| CVE-2022-42892 | 2022-11-17 | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that... |
| CVE-2022-42893 | 2022-11-17 | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that... |
| CVE-2022-42894 | 2022-11-17 | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). An unauthenticated Server-Side Request Forgery (SSRF) vulnerability was identified in one of the web services exposed on... |
| CVE-2022-42903 | 2022-11-17 | Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list. |
| CVE-2022-42954 | 2022-11-17 | Keyfactor EJBCA before 7.10.0 allows XSS. |
| CVE-2022-42982 | 2022-11-17 | BKG Professional NtripCaster 2.0.39 allows querying information over the UDP protocol without authentication. The NTRIP sourcetable is typically quite long (tens of kBs) and can be requested with a packet... |
| CVE-2022-42985 | 2022-11-17 | The ScratchLogin extension through 1.1 for MediaWiki does not escape verification failure messages, which allows users with administrator privileges to perform cross-site scripting (XSS). |
| CVE-2022-43096 | 2022-11-17 | Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port. |
| CVE-2022-43138 | 2022-11-17 | Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. |
| CVE-2022-43140 | 2022-11-17 | kkFileView v4.1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component cn.keking.web.controller.OnlinePreviewController#getCorsFile. This vulnerability allows attackers to force the application to make arbitrary requests via injection of... |
| CVE-2022-43142 | 2022-11-17 | A cross-site scripting (XSS) vulnerability in the add-fee.php component of Password Storage Application v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the... |
| CVE-2022-43162 | 2022-11-17 | Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tests/view_test.php. |
| CVE-2022-43163 | 2022-11-17 | Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /clients/view_client.php. |
| CVE-2022-43171 | 2022-11-17 | A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind function of LIEF v0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted MachO file. |
| CVE-2022-43179 | 2022-11-17 | Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/?page=user/manage_user&id=. |
| CVE-2022-43183 | 2022-11-17 | XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java. |
| CVE-2022-43192 | 2022-11-17 | An arbitrary file upload vulnerability in the component /dede/file_manage_control.php of Dedecms v5.7.101 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is related to an incomplete... |
| CVE-2022-43332 | 2022-11-17 | A cross-site scripting (XSS) vulnerability in Wondercms v3.3.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Site title field of the Configuration... |
| CVE-2022-44001 | 2022-11-17 | An issue was discovered in BACKCLICK Professional 5.9.63. User authentication for accessing the CORBA back-end services can be bypassed. |
| CVE-2022-44384 | 2022-11-17 | An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-44402 | 2022-11-17 | Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/classes/Master.php?f=delete_transaction. |
| CVE-2022-44403 | 2022-11-17 | Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/?page=user/manage_user&id=. |
| CVE-2022-44725 | 2022-11-17 | OPC Foundation Local Discovery Server (LDS) through 1.04.403.478 uses a hard-coded file path to a configuration file. This allows a normal user to create a malicious file that is loaded... |
| CVE-2022-45461 | 2022-11-17 | The Java Admin Console in Veritas NetBackup through 10.1 and related Veritas products on Linux and UNIX allows authenticated non-root users (that have been explicitly added to the auth.conf file)... |
| CVE-2022-43781 | 2022-11-17 | There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary... |