CVE List - 2022 / March
Showing 901 - 1000 of 2065 CVEs for March 2022 (Page 10 of 21)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2022-26779 | 2022-03-15 | Apache Cloudstack insecure random number generation affects project email invitation |
| CVE-2022-0968 | 2022-03-15 | The microweber application allows large character inputs to be inserted in the input field "first & last name", which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request, in microweber/microweber |
| CVE-2022-0970 | 2022-03-15 | Cross-site Scripting (XSS) - Stored in getgrav/grav |
| CVE-2022-27195 | 2022-03-15 | Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. These values are... |
| CVE-2022-27196 | 2022-03-15 | Jenkins Favorite Plugin 2.4.0 and earlier does not escape the names of jobs in the favorite column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure... |
| CVE-2022-27197 | 2022-03-15 | Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers... |
| CVE-2022-27198 | 2022-03-15 | A cross-site request forgery (CSRF) vulnerability in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token. |
| CVE-2022-27199 | 2022-03-15 | A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token. |
| CVE-2022-27200 | 2022-03-15 | Jenkins Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by... |
| CVE-2022-27201 | 2022-03-15 | Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of a controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing... |
| CVE-2022-27202 | 2022-03-15 | Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the value and description of extended choice parameters of radio buttons or check boxes type, resulting in a stored... |
| CVE-2022-27203 | 2022-03-15 | Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller. |
| CVE-2022-27204 | 2022-03-15 | A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to connect to an attacker-specified URL. |
| CVE-2022-27205 | 2022-03-15 | A missing permission check in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. |
| CVE-2022-27206 | 2022-03-15 | Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with... |
| CVE-2022-27207 | 2022-03-15 | Jenkins global-build-stats Plugin 1.5 and earlier does not escape multiple fields in the chart configuration on the 'Global Build Stats' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable... |
| CVE-2022-27208 | 2022-03-15 | Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller. |
| CVE-2022-27209 | 2022-03-15 | A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2022-27210 | 2022-03-15 | A cross-site request forgery (CSRF) vulnerability in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through... |
| CVE-2022-27211 | 2022-03-15 | A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained... |
| CVE-2022-27212 | 2022-03-15 | Jenkins List Git Branches Parameter Plugin 0.0.9 and earlier does not escape the name of the 'List Git branches (and more)' parameter, resulting in a stored cross-site scripting (XSS) vulnerability... |
| CVE-2022-27213 | 2022-03-15 | Jenkins Environment Dashboard Plugin 1.1.10 and earlier does not escape the Environment order and the Component order configuration values in its views, resulting in a stored cross-site scripting (XSS) vulnerability... |
| CVE-2022-27214 | 2022-03-15 | A cross-site request forgery (CSRF) vulnerability in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2022-27215 | 2022-03-15 | A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2022-27216 | 2022-03-15 | Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to... |
| CVE-2022-27217 | 2022-03-15 | Jenkins Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission,... |
| CVE-2022-27218 | 2022-03-15 | Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission,... |
| CVE-2020-4989 | 2022-03-15 | IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 and IBM Rational Team Concert 6.0.6 and 6.0.0.1 could allow an authenticated user to obtain sensitive information about build definitions. IBM X-Force... |
| CVE-2022-22771 | 2022-03-15 | TIBCO JasperReports Library Directory Traversal Vulnerability |
| CVE-2022-0778 | 2022-03-15 | Infinite loop in BN_mod_sqrt() reachable when parsing certificates |
| CVE-2022-25498 | 2022-03-15 | CuppaCMS v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the saveConfigData function in /classes/ajax/Functions.php. |
| CVE-2022-25497 | 2022-03-15 | CuppaCMS v1.0 was discovered to contain an arbitrary file read via the copy function. |
| CVE-2022-25495 | 2022-03-15 | The component /jquery_file_upload/server/php/index.php of CuppaCMS v1.0 allows attackers to upload arbitrary files and execute arbitrary code via a crafted PHP file. |
| CVE-2022-25494 | 2022-03-15 | Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via staff_login.php. |
| CVE-2022-25493 | 2022-03-15 | HMS v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via treatmentrecord.php. |
| CVE-2022-25492 | 2022-03-15 | HMS v1.0 was discovered to contain a SQL injection vulnerability via the medicineid parameter in ajaxmedicine.php. |
| CVE-2022-25491 | 2022-03-15 | HMS v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in appointment.php. |
| CVE-2022-25490 | 2022-03-15 | HMS v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in department.php. |
| CVE-2022-25489 | 2022-03-15 | Atom CMS v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "A" parameter in /widgets/debug.php. |
| CVE-2022-25488 | 2022-03-15 | Atom CMS v2.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/ajax/avatar.php. |
| CVE-2022-25487 | 2022-03-15 | Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php. |
| CVE-2022-25486 | 2022-03-15 | CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertConfigField.php. |
| CVE-2022-25485 | 2022-03-15 | CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php. |
| CVE-2022-23989 | 2022-03-15 | In Stormshield Network Security (SNS) before 3.7.25, 3.8.x through 3.11.x before 3.11.13, 4.x before 4.2.10, and 4.3.x before 4.3.5, a flood of connections to the SSLVPN service might lead to... |
| CVE-2021-29134 | 2022-03-15 | The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL. |
| CVE-2022-26206 | 2022-03-15 | Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setLanguageCfg, via the langType parameter.... |
| CVE-2022-26207 | 2022-03-15 | Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDiagnosisCfg, via the ipDoamin parameter.... |
| CVE-2022-26208 | 2022-03-15 | Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setWebWlanIdx, via the webWlanIdx parameter.... |
| CVE-2022-26209 | 2022-03-15 | Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUploadSetting, via the FileName parameter.... |
| CVE-2022-26210 | 2022-03-15 | Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUpgradeFW, via the FileName parameter.... |
| CVE-2022-26211 | 2022-03-15 | Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function CloudACMunualUpdate, via the deviceMac and... |
| CVE-2022-26212 | 2022-03-15 | Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDeviceName, via the deviceMac and... |
| CVE-2022-26213 | 2022-03-15 | Totolink X5000R_Firmware v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function setNtpCfg, via the tz parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2022-26214 | 2022-03-15 | Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function NTPSyncWithHost. This vulnerability allows attackers... |
| CVE-2022-26990 | 2022-03-15 | Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the firewall-local log function via the EmailAddress, SmtpServerName, SmtpUsername, and SmtpPassword parameters.... |
| CVE-2022-26991 | 2022-03-15 | Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the ntp function via the TimeZone parameter. This vulnerability allows attackers to... |
| CVE-2022-26992 | 2022-03-15 | Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the ddns function via the DdnsUserName, DdnsHostName, and DdnsPassword parameters. This vulnerability... |
| CVE-2022-26993 | 2022-03-15 | Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pppoe function via the pppoeUserName, pppoePassword, and pppoe_Service parameters. This vulnerability... |
| CVE-2022-26994 | 2022-03-15 | Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pptp function via the pptpUserName and pptpPassword parameters. This vulnerability allows... |
| CVE-2022-26995 | 2022-03-15 | Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pptp (wan_pptp.html) function via the pptp_fix_ip, pptp_fix_mask, pptp_fix_gw, and wan_dns1_stat parameters. This vulnerability allows attackers to execute... |
| CVE-2022-26996 | 2022-03-15 | Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters. This vulnerability allows attackers to execute arbitrary commands... |
| CVE-2022-26997 | 2022-03-15 | Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the upnp function via the upnp_ttl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2022-26998 | 2022-03-15 | Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the wps setting function via the wps_enrolee_pin parameter. This vulnerability allows attackers to execute arbitrary commands via a... |
| CVE-2022-26999 | 2022-03-15 | Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the static ip settings function via the wan_ip_stat, wan_mask_stat, wan_gw_stat, and wan_dns1_stat parameters. This vulnerability allows attackers to... |
| CVE-2022-27000 | 2022-03-15 | Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the time and time zone function via the h_primary_ntp_server, h_backup_ntp_server, and h_time_zone parameters. This vulnerability allows attackers to... |
| CVE-2022-27001 | 2022-03-15 | Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the dhcp function via the hostname parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2022-27002 | 2022-03-15 | Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns, and ddns_host parameters. This vulnerability allows attackers to execute arbitrary commands via... |
| CVE-2022-27003 | 2022-03-15 | Totolink routers X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6rd function via the relay6rd parameter. This vulnerability allows attackers to... |
| CVE-2022-27005 | 2022-03-15 | Totolink routers X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the setWanCfg function via the hostName parameter. This vulnerability allows attackers to execute... |
| CVE-2022-27004 | 2022-03-15 | Totolink routers X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6in4 function via the remote6in4 parameter. This vulnerability allows attackers to... |
| CVE-2020-36519 | 2022-03-15 | Mimecast Email Security before 2020-01-10 allows any admin to spoof any domain, and pass DMARC alignment via SPF. This occurs through misuse of the address rewrite feature. (The domain being... |
| CVE-2022-27223 | 2022-03-15 | In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access. |
| CVE-2020-25721 | 2022-03-16 | Kerberos acceptors need easy access to stable AD identifiers (e.g. objectSid). Samba as an AD DC now provides a way for Linux applications to obtain a reliable SID (and samAccountName)... |
| CVE-2021-20299 | 2022-03-16 | A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this... |
| CVE-2022-24728 | 2022-03-16 | Cross-site Scripting in CKEditor4 |
| CVE-2022-24729 | 2022-03-16 | Regular expression Denial of Service in dialog plugin |
| CVE-2022-27225 | 2022-03-16 | Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide... |
| CVE-2021-43955 | 2022-03-16 | The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability. |
| CVE-2021-43956 | 2022-03-16 | The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. |
| CVE-2021-43957 | 2022-03-16 | Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix... |
| CVE-2021-43958 | 2022-03-16 | Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their... |
| CVE-2022-0911 | 2022-03-16 | Cross-site Scripting (XSS) - Stored in pimcore/pimcore |
| CVE-2022-0704 | 2022-03-16 | Cross-site Scripting (XSS) - Stored in pimcore/pimcore |
| CVE-2021-45852 | 2022-03-16 | An issue was discovered in Projectworlds Hospital Management System v1.0. Unauthorized malicious attackers can add patients without restriction via add_patient.php. |
| CVE-2021-46705 | 2022-03-16 | grub2-once uses fixed file name in /var/tmp |
| CVE-2021-45851 | 2022-03-16 | A Server-Side Request Forgery (SSRF) attack in FUXA 1.1.3 can be carried out leading to the obtaining of sensitive information from the server's internal environment and services, often potentially leading... |
| CVE-2022-21945 | 2022-03-16 | cscreen: usage of fixed path /tmp/cscreen.debug |
| CVE-2022-21946 | 2022-03-16 | sudoers configuration for cscreen not restrictive enough |
| CVE-2022-0705 | 2022-03-16 | Cross-site Scripting (XSS) - Stored in pimcore/pimcore |
| CVE-2021-45786 | 2022-03-16 | In maccms v10, an attacker can log in through /index.php/user/login in the "col" and "openid" parameters to gain privileges. |
| CVE-2021-45787 | 2022-03-16 | There is a stored Cross Site Scripting (XSS) vulnerability in maccms v10 through adding videos. XSS code can be inserted at parameter positions including name and remarks. |
| CVE-2022-0986 | 2022-03-16 | Reflected Cross-site Scripting (XSS) Vulnerability in hestiacp/hestiacp |
| CVE-2021-42552 | 2022-03-16 | Reflected XSS in Archivista |
| CVE-2022-24751 | 2022-03-16 | Race condition in Zulip |
| CVE-2022-26353 | 2022-03-16 | A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error,... |
| CVE-2022-26354 | 2022-03-16 | A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory... |
| CVE-2021-40778 | 2022-03-16 | Adobe Media Encoder Null Pointer Dereference Application denial-of-service |
| CVE-2021-40777 | 2022-03-16 | Adobe Media Encoder WAV file memory corruption vulnerability could lead to arbitrary code execution |
| CVE-2021-40782 | 2022-03-16 | Adobe Media Encoder Null Pointer Dereference Application denial-of-service |
| CVE-2021-40779 | 2022-03-16 | Adobe Media Encoder WAV file memory corruption vulnerability could lead to arbitrary code execution |