CVE List - 2022 / December
Showing 2001 - 2100 of 2356 CVEs for December 2022 (Page 21 of 24)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-4280 | 2022-12-25 | styler_praat_scripts Slash file_segmenter.praat denial of service |
| CVE-2022-30260 | 2022-12-26 | Emerson DeltaV Distributed Control System (DCS) has insufficient verification of firmware integrity (an inadequate checksum approach, and no signature). This affects versions before 14.3 of DeltaV M-series, DeltaV S-series, DeltaV... |
| CVE-2018-16135 | 2022-12-26 | The Opera Mini application 47.1.2249.129326 for Android allows remote attackers to spoof the Location Permission dialog via a crafted web site. |
| CVE-2019-11851 | 2022-12-26 | The ACENet service in Sierra Wireless ALEOS before 4.4.9, 4.5.x through 4.9.x before 4.9.5, and 4.10.x through 4.13.x before 4.14.0 allows remote attackers to execute arbitrary code via a buffer... |
| CVE-2019-13988 | 2022-12-26 | Sierra Wireless MGOS before 3.15.2 and 4.x before 4.3 allows attackers to read log files via a Direct Request (aka Forced Browsing). |
| CVE-2019-14802 | 2022-12-26 | HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template. |
| CVE-2019-18177 | 2022-12-26 | In certain Citrix products, information disclosure can be achieved by an authenticated VPN user when there is a configured SSL VPN endpoint. This affects Citrix ADC and Citrix Gateway 13.0-58.30... |
| CVE-2019-19030 | 2022-12-26 | Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists. |
| CVE-2019-19705 | 2022-12-26 | Realtek Audio Drivers for Windows, as used on the Lenovo ThinkPad X1 Carbon 20A7, 20A8, 20BS, and 20BT before 6.0.8882.1 and 20KH and 20KG before 6.0.8907.1 (and on many other... |
| CVE-2019-9011 | 2022-12-26 | In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames. |
| CVE-2019-9579 | 2022-12-26 | An issue was discovered in Illumos in Nexenta NexentaStor 4.0.5 and 5.1.2, and other products. The SMB server allows an attacker to have unintended access, e.g., an attacker with WRITE_XATTR... |
| CVE-2020-10650 | 2022-12-26 | A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. |
| CVE-2020-11101 | 2022-12-26 | Sierra Wireless AirLink Mobility Manager (AMM) before 2.17 mishandles sessions and thus an unauthenticated attacker can obtain a login session with administrator privileges. |
| CVE-2020-12067 | 2022-12-26 | In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password. |
| CVE-2020-12069 | 2022-12-26 | CODESYS V3 prone to Inadequate Password Hashing |
| CVE-2020-24600 | 2022-12-26 | Shilpi CAPExWeb 1.1 allows SQL injection via a servlet/capexweb.cap_sendMail GET request. |
| CVE-2020-28191 | 2022-12-26 | The console in Togglz before 2.9.4 allows CSRF. |
| CVE-2021-30134 | 2022-12-26 | php-mod/curl (a wrapper of the PHP cURL extension) before 2.3.2 allows XSS via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php. |
| CVE-2021-35065 | 2022-12-26 | The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression. |
| CVE-2021-35951 | 2022-12-26 | fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows an Unauthenticated Remote attacker to send a malicious firmware update via BLE and brick the device. |
| CVE-2021-35952 | 2022-12-26 | fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a Remote attacker to change the time, date, and month via Bluetooth LE Characteristics on handle 0x0017. |
| CVE-2021-35953 | 2022-12-26 | fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a Remote attacker to cause a Denial of Service (device outage) via crafted choices of the last three bytes of a characteristic value. |
| CVE-2021-35954 | 2022-12-26 | fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows physically proximate attackers to dump the firmware, flash custom malicious firmware, and brick the device via the Serial Wire Debug (SWD) feature. |
| CVE-2021-38561 | 2022-12-26 | golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used... |
| CVE-2021-39369 | 2022-12-26 | In Philips (formerly Carestream) Vue MyVue PACS through 12.2.x.x, the VideoStream function allows Path Traversal by authenticated users to access files stored outside of the web root. |
| CVE-2021-43395 | 2022-12-26 | An issue was discovered in illumos before f859e7171bb5db34321e45585839c6c3200ebb90, OmniOS Community Edition r151038, OpenIndiana Hipster 2021.04, and SmartOS 20210923. A local unprivileged user can cause a deadlock and kernel panic via... |
| CVE-2021-44758 | 2022-12-26 | Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept. |
| CVE-2021-44854 | 2022-12-26 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis. |
| CVE-2021-44855 | 2022-12-26 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature. |
| CVE-2021-44856 | 2022-12-26 | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A title blocked by AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of... |
| CVE-2021-45466 | 2022-12-26 | In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder. |
| CVE-2021-45467 | 2022-12-26 | In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated... |
| CVE-2022-24116 | 2022-12-26 | Certain General Electric Renewable Energy products have inadequate encryption strength. This affects iNET and iNET II before 8.3.0. |
| CVE-2022-24117 | 2022-12-26 | Certain General Electric Renewable Energy products download firmware without an integrity check. This affects iNET and iNET II before 8.3.0, SD before 6.4.7, TD220X before 2.0.16, and TD220MAX before 1.2.6. |
| CVE-2022-24118 | 2022-12-26 | Certain General Electric Renewable Energy products allow attackers to use a code to trigger a reboot into the factory default configuration. This affects iNET and iNET II before 8.3.0, SD... |
| CVE-2022-24119 | 2022-12-26 | Certain General Electric Renewable Energy products have a hidden feature for unauthenticated remote access to the device configuration shell. This affects iNET and iNET II before 8.3.0. |
| CVE-2022-24120 | 2022-12-26 | Certain General Electric Renewable Energy products store cleartext credentials in flash memory. This affects iNET and iNET II before 8.3.0. |
| CVE-2022-26964 | 2022-12-26 | Weak password derivation for export in Devolutions Remote Desktop Manager before 2022.1 allows information disclosure via a password brute-force attack. An error caused base64 to be decoded. |
| CVE-2022-26969 | 2022-12-26 | In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. |
| CVE-2022-29852 | 2022-12-26 | OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked. |
| CVE-2022-29853 | 2022-12-26 | OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message. |
| CVE-2022-31469 | 2022-12-26 | OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI. |
| CVE-2022-36664 | 2022-12-26 | Password Manager for IIS 2.0 has a cross-site scripting (XSS) vulnerability via the /isapi/PasswordManager.dll ResultURL parameter. |
| CVE-2022-37307 | 2022-12-26 | OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature. |
| CVE-2022-37308 | 2022-12-26 | OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. |
| CVE-2022-37309 | 2022-12-26 | OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. |
| CVE-2022-37310 | 2022-12-26 | OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. |
| CVE-2022-37311 | 2022-12-26 | OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. |
| CVE-2022-37312 | 2022-12-26 | OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet. |
| CVE-2022-37313 | 2022-12-26 | OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record. |
| CVE-2022-41765 | 2022-12-26 | An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. |
| CVE-2022-41767 | 2022-12-26 | An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using... |
| CVE-2019-25085 | 2022-12-26 | GNOME gvdb gvdb-builder.c gvdb_table_write_contents_async use after free |
| CVE-2022-4742 | 2022-12-26 | json-pointer index.js set prototype pollution |
| CVE-2022-4161 | 2022-12-26 | Contest Gallery < 19.1.5 - Author+ SQL Injection |
| CVE-2022-4268 | 2022-12-26 | Plugin Logic < 1.0.8 - Admin+ SQLi |
| CVE-2022-4153 | 2022-12-26 | Contest Gallery < 19.1.5.1 - Author+ SQL Injection |
| CVE-2022-4157 | 2022-12-26 | Contest Gallery < 19.1.5 - Admin+ SQL Injection |
| CVE-2022-4155 | 2022-12-26 | Contest Gallery < 19.1.5 - Admin+ SQL Injection |
| CVE-2022-4042 | 2022-12-26 | Paytium < 4.3.7 - Admin+ Stored XSS |
| CVE-2022-4243 | 2022-12-26 | ImageInject <= 1.17 - Admin+ Stored XSS |
| CVE-2022-4197 | 2022-12-26 | Sliderby10Web < 1.2.53 - Admin+ Stored XSS |
| CVE-2022-4165 | 2022-12-26 | Contest Gallery < 19.1.5 - Author+ SQL Injection |
| CVE-2022-4158 | 2022-12-26 | Contest Gallery < 19.1.5 - Unauthenticated SQL Injection |
| CVE-2022-4150 | 2022-12-26 | Contest Gallery < 19.1.5 - Author+ SQL Injection |
| CVE-2022-4166 | 2022-12-26 | Contest Gallery < 19.1.5 - Author+ SQL Injection |
| CVE-2022-4163 | 2022-12-26 | Contest Gallery < 19.1.5 - Author+ SQL Injection |
| CVE-2022-4154 | 2022-12-26 | Contest Gallery Pro < 19.1.5 - Admin+ SQL Injection |
| CVE-2022-4267 | 2022-12-26 | Bulk Delete Users by Email <= 1.2 - Reflected Cross-Site Scripting |
| CVE-2022-4156 | 2022-12-26 | Contest Gallery < 19.1.5.1 - Unauthenticated SQL Injection |
| CVE-2022-4117 | 2022-12-26 | IWS - Geo Form Fields <= 1.0 - Unauthenticated SQLi |
| CVE-2022-3840 | 2022-12-26 | Google Apps Login < 3.4.5 - Admin+ Stored XSS |
| CVE-2022-4164 | 2022-12-26 | Contest Gallery < 19.1.5 - Author+ SQL Injection |
| CVE-2022-4162 | 2022-12-26 | Contest Gallery < 19.1.5 - Author+ SQL Injection |
| CVE-2022-4227 | 2022-12-26 | Booster for WooCommerce - Reflected Cross-Site Scripting |
| CVE-2022-4110 | 2022-12-26 | Eventify <= 2.1 - Admin+ Stored XSS |
| CVE-2022-4226 | 2022-12-26 | Simple Basic Contact Form < 20221201 - Admin+ Stored XSS |
| CVE-2022-4047 | 2022-12-26 | Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload |
| CVE-2022-4266 | 2022-12-26 | Bulk Delete Users by Email <= 1.2 - User Deletion via CSRF |
| CVE-2022-4152 | 2022-12-26 | Contest Gallery < 19.1.5 - Author+ SQL Injection |
| CVE-2022-4159 | 2022-12-26 | Contest Gallery < 19.1.5.1 - Author+ SQL Injection |
| CVE-2022-4151 | 2022-12-26 | Contest Gallery < 19.1.5 - Admin+ SQL Injection |
| CVE-2022-4160 | 2022-12-26 | Contest Gallery < 19.1.5 - Author+ SQL Injection |
| CVE-2022-3835 | 2022-12-26 | Kwayy HTML Sitemap < 4.0 - Admin+ Stored XSS |
| CVE-2022-4242 | 2022-12-26 | WP Google Review Slider < 11.6 - Admin+ Stored XSS |
| CVE-2022-4120 | 2022-12-26 | Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection |
| CVE-2022-4239 | 2022-12-26 | Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR |
| CVE-2021-24942 | 2022-12-26 | Menu Item Visibility Control <= 0.5 - Admin+ Arbitrary PHP Code Execution |
| CVE-2021-4281 | 2022-12-26 | Brave UX for-the-badge combine-prs.yml os command injection |
| CVE-2022-45423 | 2022-12-27 | Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials. An attacker can obtain encrypted MQTT credentials by sending a specific crafted packet to the vulnerable interface... |
| CVE-2022-45424 | 2022-12-27 | Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key. An attacker can obtain the AES crypto key by sending a specific crafted packet to the... |
| CVE-2022-45425 | 2022-12-27 | Some Dahua software products have a vulnerability of using of hard-coded cryptographic key. An attacker can obtain the AES crypto key by exploiting this vulnerability. |
| CVE-2022-45426 | 2022-12-27 | Some Dahua software products have a vulnerability of unrestricted download of file. After obtaining the permissions of ordinary users, by sending a specific crafted packet to the vulnerable interface, an... |
| CVE-2022-45427 | 2022-12-27 | Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specific crafted packet to the vulnerable interface, an attacker... |
| CVE-2022-45428 | 2022-12-27 | Some Dahua software products have a vulnerability of sensitive information leakage. After obtaining the permissions of administrators, by sending a specific crafted packet to the vulnerable interface, an attacker can... |
| CVE-2022-45429 | 2022-12-27 | Some Dahua software products have a vulnerability of server-side request forgery (SSRF). An Attacker can access internal resources by concatenating links (URL) that conform to specific rules. |
| CVE-2022-45430 | 2022-12-27 | Some Dahua software products have a vulnerability of unauthenticated enable or disable SSHD service. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable... |
| CVE-2022-45431 | 2022-12-27 | Some Dahua software products have a vulnerability of unauthenticated restart of remote DSS Server. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable... |
| CVE-2022-45432 | 2022-12-27 | Some Dahua software products have a vulnerability of unauthenticated search for devices. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable interface, an... |
| CVE-2022-45433 | 2022-12-27 | Some Dahua software products have a vulnerability of unauthenticated traceroute host from remote DSS Server. After bypassing the firewall access control policy, by sending a specific crafted packet to the... |