CVE List - 2022 / March
Showing 1601 - 1700 of 2065 CVEs for March 2022 (Page 17 of 21)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2022-24778 | 2022-03-25 | Incorrect Authorization in imgcrypt |
| CVE-2021-43636 | 2022-03-25 | Two Buffer Overflow vulnerabilities exists in T10 V2_Firmware V4.1.8cu.5207_B20210320 in the http_request_parse function when processing host data in the HTTP request process. |
| CVE-2021-35254 | 2022-03-25 | Authenticated Remote Code Execution in WebHelpDesk 12.7.8 |
| CVE-2021-44462 | 2022-03-25 | Horner Automation Cscape EnvisionRV Improper Input Validation |
| CVE-2021-44477 | 2022-03-25 | GE Gas Power ToolBoxST Improper Restriction of XML External Entity Reference |
| CVE-2022-0988 | 2022-03-25 | Delta Electronics DIAEnergie CLEARTEXT Transmission of Sensitive Information |
| CVE-2021-44768 | 2022-03-25 | Delta Electronics CNCSoft Out-of-bounds Read |
| CVE-2022-25606 | 2022-03-25 | WordPress WP-DownloadManager plugin <= 1.68.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities |
| CVE-2022-25610 | 2022-03-25 | WordPress Simple Ajax Chat plugin <= 20220115 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability |
| CVE-2022-25611 | 2022-03-25 | WordPress Simple Event Planner plugin <= 1.5.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability |
| CVE-2022-25612 | 2022-03-25 | WordPress Simple Event Planner plugin <= 1.5.4 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities |
| CVE-2021-26620 | 2022-03-25 | IPTIME NAS2dual improper authentication vulnerability |
| CVE-2021-26621 | 2022-03-25 | Netis Korea MEX01 Buffer overflow vulnerability |
| CVE-2021-26622 | 2022-03-25 | Genian NAC remote code execution vulnerability |
| CVE-2021-22100 | 2022-03-25 | In cloud foundry CAPI versions prior to 1.122, a denial-of-service attack in which a developer can push a service broker that (accidentally or maliciously) causes CC instances to timeout and... |
| CVE-2021-3422 | 2022-03-25 | Indexer denial-of-service via malformed S2S request |
| CVE-2021-4157 | 2022-03-25 | An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files... |
| CVE-2021-4202 | 2022-03-25 | A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause... |
| CVE-2021-20290 | 2022-03-25 | An improper authorization handling flaw was found in Foreman. The OpenSCAP plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This... |
| CVE-2021-3567 | 2022-03-25 | A flaw was found in Caribou due to a regression of CVE-2020-25712 fix. An attacker could use this flaw to bypass screen-locking applications that leverage Caribou as an input mechanism.... |
| CVE-2021-3582 | 2022-03-25 | A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows... |
| CVE-2021-3814 | 2022-03-25 | It was found that 3scale's APIdocs does not validate the access token, in the case of invalid token, it uses session auth instead. This conceivably bypasses access controls and permits... |
| CVE-2022-0322 | 2022-03-25 | A flaw was found in the sctp_make_strreset_req function in net/sctp/sm_make_chunk.c in the SCTP network protocol in the Linux kernel with a local user privilege access. In this flaw, an attempt... |
| CVE-2021-20323 | 2022-03-25 | A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. |
| CVE-2022-1049 | 2022-03-25 | A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged... |
| CVE-2022-0500 | 2022-03-25 | A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user... |
| CVE-2022-0494 | 2022-03-25 | A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or... |
| CVE-2022-0983 | 2022-03-25 | An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default. |
| CVE-2022-0995 | 2022-03-25 | An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user... |
| CVE-2022-0759 | 2022-03-25 | A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When... |
| CVE-2022-25590 | 2022-03-25 | SurveyKing v0.2.0 was discovered to retain users' session cookies after logout, allowing attackers to login to the system and access data using the browser cache when the user exits the... |
| CVE-2022-26573 | 2022-03-25 | Maccms v10 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities in /admin.php/admin/art/data.html via the select and input parameters. |
| CVE-2022-27884 | 2022-03-25 | Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/plog/index.html via the wd parameter. |
| CVE-2022-27885 | 2022-03-25 | Maccms v10 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities in /admin.php/admin/website/data.html via the select and input parameters. |
| CVE-2022-27886 | 2022-03-25 | Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/ulog/index.html via the wd parameter. |
| CVE-2022-27887 | 2022-03-25 | Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/vod/data.html via the repeat parameter. |
| CVE-2022-27906 | 2022-03-25 | Mendelson OFTP2 before 1.1 b43 is affected by directory traversal. To access the vulnerable code path, the attacker has to know one of the configured Odette IDs of the OFTP2... |
| CVE-2022-27919 | 2022-03-25 | Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API. |
| CVE-2022-27920 | 2022-03-25 | libkiwix 10.0.0 and 10.0.1 allows XSS in the built-in webserver functionality via the search suggestions URL parameter. This is fixed in 10.1.0. |
| CVE-2022-26197 | 2022-03-25 | Joget DX 7 was discovered to contain a cross-site scripting (XSS) vulnerability via the Datalist table. |
| CVE-2022-24643 | 2022-03-25 | A stored cross-site scripting (XSS) issue was discovered in the OpenEMR Hospital Information Management System version 6.0.0. |
| CVE-2021-44905 | 2022-03-25 | Incorrect permissions in the Bluetooth Services in the Fortessa FTBTLD Smart Lock as of 12-13-2022 allows a remote attacker to disable the lock via an unauthenticated edit to the lock... |
| CVE-2022-25523 | 2022-03-25 | TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request. |
| CVE-2022-26659 | 2022-03-25 | Docker Desktop installer on Windows in versions before 4.6.0 allows an attacker to overwrite any administrator writable files by creating a symlink in place of where the installer writes its... |
| CVE-2021-44683 | 2022-03-25 | The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by... |
| CVE-2022-24783 | 2022-03-25 | Sandbox bypass leading to arbitrary code execution in Deno |
| CVE-2022-24784 | 2022-03-25 | Discoverability of user password hash in Statamic CMS |
| CVE-2021-40904 | 2022-03-25 | The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result,... |
| CVE-2021-40905 | 2022-03-25 | The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible.... |
| CVE-2021-40906 | 2022-03-25 | CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker... |
| CVE-2022-22274 | 2022-03-25 | A Stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution in the... |
| CVE-2022-27939 | 2022-03-26 | tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in get_layer4_v6 in common/get.c. |
| CVE-2022-27940 | 2022-03-26 | tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_ipv6_next in common/get.c. |
| CVE-2022-27941 | 2022-03-26 | tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_l2len_protocol in common/get.c. |
| CVE-2022-27942 | 2022-03-26 | tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c. |
| CVE-2022-27943 | 2022-03-26 | libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. |
| CVE-2022-1071 | 2022-03-26 | User after free in mrb_vm_exec in mruby/mruby |
| CVE-2022-27938 | 2022-03-26 | stb_image.h (aka the stb image loader) 2.19, as used in libsixel and other products, has a reachable assertion in stbi__create_png_image_raw. |
| CVE-2022-27945 | 2022-03-26 | NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to password.cgi. |
| CVE-2022-27947 | 2022-03-26 | NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameter. |
| CVE-2022-27946 | 2022-03-26 | NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to admin_account.cgi. |
| CVE-2022-26198 | 2022-03-26 | Notable v1.8.4 does not filter text editing, allowing attackers to execute arbitrary code via a crafted payload injected into the Title text field. |
| CVE-2022-26258 | 2022-03-27 | D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp. |
| CVE-2022-26205 | 2022-03-27 | Marky commit 3686565726c65756e was discovered to contain a remote code execution (RCE) vulnerability via the Display text fields. This vulnerability allows attackers to execute arbitrary code via injection of a... |
| CVE-2022-27948 | 2022-03-27 | Certain Tesla vehicles through 2022-03-26 allow attackers to open the charging port via a 315 MHz RF signal containing a fixed sequence of approximately one hundred symbols. NOTE: the vendor's... |
| CVE-2022-26245 | 2022-03-27 | Falcon-plus v0.3 was discovered to contain a SQL injection vulnerability via the parameter grpName in /config/service/host.go. |
| CVE-2022-1106 | 2022-03-27 | use after free in mrb_vm_exec in mruby/mruby |
| CVE-2022-26252 | 2022-03-27 | aaPanel v6.8.21 was discovered to be vulnerable to directory traversal. This vulnerability allows attackers to obtain the root user private SSH key(id_rsa). |
| CVE-2022-26254 | 2022-03-27 | WoWonder The Ultimate PHP Social Network Platform v4.0.0 was discovered to contain an access control issue which allows unauthenticated attackers to arbitrarily change group ID names. |
| CVE-2021-44127 | 2022-03-27 | In DLink DAP-1360 F1 firmware version <=v6.10 in the "webupg" binary, an attacker can use the "file" parameter to execute arbitrary system commands when the parameter is "name=deleteFile" after being... |
| CVE-2022-26255 | 2022-03-27 | Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column. |
| CVE-2022-1056 | 2022-03-28 | Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available... |
| CVE-2022-24303 | 2022-03-28 | Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
| CVE-2022-26259 | 2022-03-28 | A buffer over flow in Xiongmai DVR devices NBD80X16S-KL, NBD80X09S-KL, NBD80X08S-KL, NBD80X09RA-KL, AHB80X04R-MH, AHB80X04R-MH-V2, AHB80X04-R-MH-V3, AHB80N16T-GS, AHB80N32F4-LME, and NBD90S0VT-QW allows attackers to cause a Denial of Service (DoS) via a... |
| CVE-2021-26598 | 2022-03-28 | ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token). |
| CVE-2022-26268 | 2022-03-28 | Xiaohuanxiong v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /app/controller/Books.php. |
| CVE-2021-26599 | 2022-03-28 | ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection. |
| CVE-2021-26600 | 2022-03-28 | ImpressCMS before 1.4.3 has plugins/preloads/autologin.php type confusion with resultant Authentication Bypass (!= instead of !==). |
| CVE-2021-26601 | 2022-03-28 | ImpressCMS before 1.4.3 allows libraries/image-editor/image-edit.php image_temp Directory Traversal. |
| CVE-2021-44208 | 2022-03-28 | OX App Suite through 7.10.5 allows XSS via an unknown system message in Chat. |
| CVE-2021-44209 | 2022-03-28 | OX App Suite through 7.10.5 allows XSS via an HTML 5 element such as AUDIO. |
| CVE-2021-44210 | 2022-03-28 | OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data. |
| CVE-2022-26271 | 2022-03-28 | 74cmsSE v3.4.1 was discovered to contain an arbitrary file read vulnerability via the $url parameter at \index\controller\Download.php. |
| CVE-2021-44211 | 2022-03-28 | OX App Suite through 7.10.5 allows XSS via the class attribute of an element in an HTML e-mail signature. |
| CVE-2021-44212 | 2022-03-28 | OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring. |
| CVE-2021-44213 | 2022-03-28 | OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message. |
| CVE-2021-44617 | 2022-03-28 | A SQL Injection vulnerability exits in the Ramo plugin for GLPI 9.4.6 via the idu parameter in plugins/ramo/ramoapirest.php/getOutdated. |
| CVE-2022-26273 | 2022-03-28 | EyouCMS v1.5.4 was discovered to lack parameter filtering in \user\controller\shop.php, leading to payment logic vulnerabilities. |
| CVE-2021-45490 | 2022-03-28 | The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation. |
| CVE-2021-45491 | 2022-03-28 | 3CX System through 2022-03-17 stores cleartext passwords in a database. |
| CVE-2022-27950 | 2022-03-28 | In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition. |
| CVE-2022-25757 | 2022-03-28 | Apache APISIX: the body_schema check in request-validation plugin can be bypassed |
| CVE-2021-46433 | 2022-03-28 | In fenom 2.12.1 and before, there is a way in fenom/src/Fenom/Template.php function getTemplateCode()to bypass sandbox to execute arbitrary PHP code when disable_native_funcs is true. |
| CVE-2021-46434 | 2022-03-28 | EMQ X Dashboard V3.0.0 is affected by username enumeration in the "/api /v3/auth" interface. When a user login, the application returns different results depending on whether the account is correct,... |
| CVE-2022-23882 | 2022-03-28 | TuziCMS 2.0.6 is affected by SQL injection in \App\Manage\Controller\BannerController.class.php. |
| CVE-2022-0342 | 2022-03-28 | An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32... |
| CVE-2022-23884 | 2022-03-28 | Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer). |
| CVE-2021-43725 | 2022-03-28 | There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login.php of Spotweb 1.5.1 and below, which allows remote attackers to inject arbitrary web script or HTML via the data[performredirect] parameter. |
| CVE-2021-43721 | 2022-03-28 | Leanote 2.7.0 is vulnerable to Cross Site Scripting (XSS) in the markdown type note. This leads to remote code execution with payload : <video src=x onerror=(function(){require('child_process').exec('calc');})();> |
| CVE-2021-44124 | 2022-03-28 | Hiby Music Hiby OS R3 Pro 1.5 and 1.6 is vulnerable to Directory Traversal. The HTTP Server does not have enough input data sanitization when shown data from SD Card,... |