CVE List - 2022 / April
Showing 301 - 400 of 2039 CVEs for April 2022 (Page 4 of 21)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-33207 | 2022-04-05 | The HTTP client in MashZone NextGen through 10.7 GA deserializes untrusted data when it gets an HTTP response with a 570 status code. |
| CVE-2022-1213 | 2022-04-05 | SSRF filter bypass port 80, 433 in livehelperchat/livehelperchat |
| CVE-2022-1212 | 2022-04-05 | Use-After-Free in str_escape in mruby/mruby |
| CVE-2021-39114 | 2022-04-05 | Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system... |
| CVE-2022-23909 | 2022-04-05 | There is an unquoted service path in Sherpa Connector Service (SherpaConnectorService.exe) 2020.2.20328.2050. This might allow a local user to escalate privileges by creating a "C:\Program Files\Sherpa Software\Sherpa.exe" file. |
| CVE-2022-25154 | 2022-04-05 | A DLL hijacking vulnerability in Samsung portable SSD T5 PC software before 1.6.9 could allow a local attacker to escalate privileges. (An attacker must already have user privileges on Windows... |
| CVE-2022-1235 | 2022-04-05 | Weak secrethash can be brute-forced in livehelperchat/livehelperchat |
| CVE-2022-1236 | 2022-04-05 | Weak Password Requirements in weseek/growi |
| CVE-2021-38834 | 2022-04-05 | easy-mock v1.5.0-v1.6.0 allows remote attackers to bypass the vm2 sandbox and execute arbitrary system commands through special js code. |
| CVE-2021-41245 | 2022-04-05 | Possible Cross-Site Request Forgery in Combodo iTop |
| CVE-2022-1243 | 2022-04-05 | CRLF can lead to invalid protocol extraction potentially leading to XSS in medialize/uri.js |
| CVE-2020-23349 | 2022-04-05 | An intent redirection issue was discovered in Sina Weibo Android SDK 4.2.7 (com.sina.weibo.sdk.share.WbShareTransActivity); any unexported Activity could be started by the com.sina.weibo.sdk.share.WbShareTransActivity. |
| CVE-2021-27117 | 2022-04-05 | An issue was discovered in file profile.go in function GetCPUProfile in beego through 2.0.2, allows attackers to launch symlink attacks locally. |
| CVE-2021-27116 | 2022-04-05 | An issue was discovered in file profile.go in function MemProf in beego through 2.0.2, allows attackers to launch symlink attacks locally. |
| CVE-2021-30080 | 2022-04-05 | An issue was discovered in the route lookup process in beego before 1.12.11 that allows attackers to bypass access control. |
| CVE-2021-41751 | 2022-04-05 | Buffer overflow vulnerability in file ecma-builtin-array-prototype.c:909 in function ecma_builtin_array_prototype_object_slice in Jerryscript before commit e1ce7dd7271288be8c0c8136eea9107df73a8ce2 on Oct 20, 2021. |
| CVE-2022-27462 | 2022-04-05 | Cross Site Scripting (XSS) vulnerability in objects/function.php in function getDeviceID in WWBN AVideo through 11.6, via the yptDevice parameter to view/include/head.php. |
| CVE-2020-28847 | 2022-04-05 | Cross Site Scripting (XSS) vulnerability in xCss Valine v1.4.14 via the nick parameter to /classes/Comment. |
| CVE-2021-28428 | 2022-04-05 | File upload vulnerability in HorizontCMS before 1.0.0-beta.3 via uploading a .htaccess and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting... |
| CVE-2020-19229 | 2022-04-05 | Jeesite 1.2.7 uses the apache shiro version 1.2.3 affected by CVE-2016-4437. Because of this version of the java deserialization vulnerability, an attacker could exploit the vulnerability to execute arbitrary commands... |
| CVE-2022-27463 | 2022-04-05 | Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a crafted url to the login page. |
| CVE-2021-41752 | 2022-04-05 | Stack overflow vulnerability in Jerryscript before commit e1ce7dd7271288be8c0c8136eea9107df73a8ce2 on Oct 20, 2021 due to an unbounded recursive call to the new opt() function. |
| CVE-2022-0602 | 2022-04-05 | Cross-site Scripting (XSS) - DOM in tastyigniter/tastyigniter |
| CVE-2022-22355 | 2022-04-05 | IBM MQ Appliance 9.2 CD and 9.2 LTS are vulnerable to a denial of service in the Login component of the application which could allow an attacker to cause a... |
| CVE-2022-22356 | 2022-04-05 | IBM MQ Appliance 9.2 CD and 9.2 LTS could allow an attacker to enumerate account credentials due to an observable discrepancy in valid and invalid login attempts. IBM X-Force ID:... |
| CVE-2022-26635 | 2022-04-05 | PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to execute CRLF injection. Note: Third parties have disputed this as not affecting PHP-Memcached directly. |
| CVE-2022-1244 | 2022-04-05 | heap-buffer-overflow in radareorg/radare2 |
| CVE-2022-28648 | 2022-04-05 | In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered |
| CVE-2022-28649 | 2022-04-05 | In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description |
| CVE-2022-28650 | 2022-04-05 | In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI |
| CVE-2022-28651 | 2022-04-05 | In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields |
| CVE-2022-26630 | 2022-04-05 | Jellycms v3.8.1 and below was discovered to contain an arbitrary file upload vulnerability via \app.\admin\Controllers\db.php. |
| CVE-2022-24978 | 2022-04-05 | Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response. |
| CVE-2022-25245 | 2022-04-05 | Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name. |
| CVE-2022-25373 | 2022-04-05 | Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history. |
| CVE-2022-24780 | 2022-04-05 | Code Injection in Combodo iTop |
| CVE-2022-28219 | 2022-04-05 | Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution. |
| CVE-2022-24811 | 2022-04-05 | Cross-site Scripting in Combodo iTop |
| CVE-2022-26628 | 2022-04-05 | Matrimony v1.0 was discovered to contain a SQL injection vulnerability via the Password parameter. |
| CVE-2022-27123 | 2022-04-05 | Employee Performance Evaluation v1.0 was discovered to contain a SQL injection vulnerability via the email parameter. |
| CVE-2022-27124 | 2022-04-05 | Insurance Management System 1.0 was discovered to contain a SQL injection vulnerability via the username parameter. |
| CVE-2022-27304 | 2022-04-05 | Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via the user parameter. |
| CVE-2022-28115 | 2022-04-05 | Online Sports Complex Booking v1.0 was discovered to contain a SQL injection vulnerability via the id parameter. |
| CVE-2022-28116 | 2022-04-05 | Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter. |
| CVE-2022-28467 | 2022-04-05 | Online Student Admission v1.0 was discovered to contain a SQL injection vulnerability via the txtapplicationID parameter. |
| CVE-2022-28468 | 2022-04-05 | Payroll Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter. |
| CVE-2022-23974 | 2022-04-05 | Pinot segment push endpoint has a vulnerability in unprotected environments |
| CVE-2022-24475 | 2022-04-05 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-24523 | 2022-04-05 | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
| CVE-2022-26891 | 2022-04-05 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26894 | 2022-04-05 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26895 | 2022-04-05 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26900 | 2022-04-05 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26908 | 2022-04-05 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26909 | 2022-04-05 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26912 | 2022-04-05 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2021-43138 | 2022-04-06 | In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. |
| CVE-2022-1238 | 2022-04-06 | Out-of-bounds Write in libr/bin/format/ne/ne.c in radareorg/radare2 |
| CVE-2022-1253 | 2022-04-06 | Heap-based Buffer Overflow in strukturag/libde265 |
| CVE-2022-24786 | 2022-04-06 | Potential out-of-bound read/write in PJSIP |
| CVE-2022-24793 | 2022-04-06 | Potential heap buffer overflow when parsing DNS packets in PJSIP |
| CVE-2022-26251 | 2022-04-06 | The HTTP interface of Synaman v5.1 and below was discovered to allow authenticated attackers to execute arbitrary code and escalate privileges. |
| CVE-2022-26250 | 2022-04-06 | Synaman v5.1 and below was discovered to contain weak file permissions which allows authenticated attackers to escalate privileges. |
| CVE-2022-26953 | 2022-04-06 | Digi Passport Firmware through 1.5.1,1 is affected by a buffer overflow. An attacker can supply a string in the page parameter for reboot.asp endpoint, allowing him to force an overflow... |
| CVE-2022-26952 | 2022-04-06 | Digi Passport Firmware through 1.5.1,1 is affected by a buffer overflow in the function for building the Location header string when an unauthenticated user is redirected to the authentication page. |
| CVE-2021-45103 | 2022-04-06 | An issue was discovered in HTCondor 9.0.x before 9.0.10 and 9.1.x before 9.5.1. An attacker can access files stored in S3 cloud storage that a user has asked HTCondor to... |
| CVE-2021-45104 | 2022-04-06 | An issue was discovered in HTCondor 9.0.x before 9.0.10 and 9.1.x before 9.5.1. An attacker who can capture HTCondor network data can interfere with users' jobs and data. |
| CVE-2022-26110 | 2022-04-06 | An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x before 9.0.10, and 9.1.x before 9.6.0. When a user authenticates to an HTCondor daemon via the CLAIMTOBE method, the user... |
| CVE-2021-30497 | 2022-04-06 | Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within... |
| CVE-2021-40374 | 2022-04-06 | A stored cross-site scripting (XSS) vulnerability was identified in Apperta Foundation OpenEyes 3.5.1. Updating a patient's details allows remote attackers to inject arbitrary web script or HTML via the Address1... |
| CVE-2021-40375 | 2022-04-06 | Apperta Foundation OpenEyes 3.5.1 allows remote attackers to view the sensitive information of patients without having the intended level of privilege. Despite OpenEyes returning a Forbidden error message, the contents... |
| CVE-2022-1248 | 2022-04-06 | SAP Information System POST Request add_admin.php improper authentication |
| CVE-2022-1234 | 2022-04-06 | XSS in livehelperchat in livehelperchat/livehelperchat |
| CVE-2022-23446 | 2022-04-06 | An improper control of a resource through its lifetime in Fortinet FortiEDR version 5.0.3 and earlier allows an attacker to make the whole application unresponsive via changing its root directory access... |
| CVE-2020-29013 | 2022-04-06 | An improper input validation vulnerability in the sniffer interface of FortiSandbox before 3.2.2 may allow an authenticated attacker to silently halt the sniffer via specifically crafted requests. |
| CVE-2022-23441 | 2022-04-06 | A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiEDR versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow an unauthenticated attacker on the network to disguise as and forge messages from... |
| CVE-2021-26112 | 2022-04-06 | Multiple stack-based buffer overflow vulnerabilities [CWE-121] both in network daemons and in the command line interpreter of FortiWAN before 4.5.9 may allow an unauthenticated attacker to potentially corrupt control data... |
| CVE-2021-26114 | 2022-04-06 | Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiWAN before 4.5.9 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted... |
| CVE-2021-24009 | 2022-04-06 | Multiple improper neutralization of special elements used in an OS command vulnerabilities (CWE-78) in the Web GUI of FortiWAN before 4.5.9 may allow an authenticated attacker to execute arbitrary commands... |
| CVE-2021-32593 | 2022-04-06 | A use of a broken or risky cryptographic algorithm vulnerability [CWE-327] in the Dynamic Tunnel Protocol of FortiWAN before 4.5.9 may allow an unauthenticated remote attacker to decrypt and forge... |
| CVE-2021-43205 | 2022-04-06 | An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Linux version 7.0.2 and below, 6.4.7 and below and 6.2.9 and below may allow an unauthenticated... |
| CVE-2022-23440 | 2022-04-06 | A use of hard-coded cryptographic key vulnerability [CWE-321] in the registration mechanism of FortiEDR collectors versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow a local attacker to disable and uninstall the... |
| CVE-2021-44169 | 2022-04-06 | An improper initialization in Fortinet FortiClient (Windows) version 6.0.10 and below, version 6.2.9 and below, version 6.4.7 and below, version 7.0.3 and below allows an attacker to gain administrative privileges via... |
| CVE-2022-1237 | 2022-04-06 | Improper Validation of Array Index in radareorg/radare2 |
| CVE-2022-1240 | 2022-04-06 | Heap buffer overflow in libr/bin/format/mach0/mach0.c in radareorg/radare2 |
| CVE-2022-27107 | 2022-04-06 | OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter |
| CVE-2022-27108 | 2022-04-06 | OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the endpoint symfony/web/index.php/time/createTimesheet. Any user can create a timesheet in another user's account. |
| CVE-2022-27109 | 2022-04-06 | OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. |
| CVE-2022-27110 | 2022-04-06 | OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. |
| CVE-2022-22410 | 2022-04-06 | IBM Watson Query with Cloud Pak for Data as a Service could allow an authenticated user to obtain sensitive information that would allow them to examine or alter system configurations... |
| CVE-2021-26104 | 2022-04-06 | Multiple OS command injection (CWE-78) vulnerabilities in the command line interface of FortiManager 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, FortiAnalyzer 6.2.7 and... |
| CVE-2021-41026 | 2022-04-06 | A relative path traversal in FortiWeb versions 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web... |
| CVE-2021-22127 | 2022-04-06 | An improper input validation vulnerability in FortiClient for Linux 6.4.x before 6.4.3, FortiClient for Linux 6.2.x before 6.2.9 may allow an unauthenticated attacker to execute arbitrary code on the host... |
| CVE-2021-32585 | 2022-04-06 | An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiWAN before 4.5.9 may allow an attacker to perform a stored cross-site scripting attack via specifically crafted HTTP... |
| CVE-2021-26116 | 2022-04-06 | An improper neutralization of special elements used in an OS command vulnerability in the command line interpreter of FortiAuthenticator before 6.3.1 may allow an authenticated attacker to execute unauthorized commands... |
| CVE-2021-26113 | 2022-04-06 | A use of a one-way hash with a predictable salt vulnerability [CWE-760] in FortiWAN before 4.5.9 may allow an attacker who has previously come in possession of the password file... |
| CVE-2022-24822 | 2022-04-06 | Denial of Service in @podium/layout and @podium/proxy |
| CVE-2022-26850 | 2022-04-06 | Insufficiently protected credentials |
| CVE-2022-20784 | 2022-04-06 | Cisco Web Security Appliance Filter Bypass Vulnerability |
| CVE-2022-20782 | 2022-04-06 | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability |
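The CVE-2022-23909 row above (Sherpa Connector Service unquoted service path) describes the classic Windows search-order hijack: when a service ImagePath is unquoted and contains spaces, CreateProcess tries each space-delimited prefix with ".exe" appended before the real binary, so a low-privileged user who can write to any of those directories gets code execution as the service account. The script below is an added example written for this page, not code from the CVE, from Sherpa Software or from the CVE list; the full service path and the writable directory it uses are constructed assumptions chosen to match the file the advisory says an attacker could create (C:\Program Files\Sherpa Software\Sherpa.exe). It enumerates the hijack candidates for any unquoted path, filters them against a set of directories assumed writable, and shows that quoting the path (the generic remediation) removes the candidates.

```python
from __future__ import annotations

import ntpath  # Windows path semantics even when run on Linux/macOS

# Constructed sample: the real ImagePath for CVE-2022-23909 is not on the page,
# so this is a hypothetical unquoted path in the layout the advisory implies.
SAMPLE_IMAGE_PATH = r"C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe"

# Constructed assumption: the directory the advisory says the attacker can
# drop Sherpa.exe into is writable by an unprivileged user.
ASSUMED_WRITABLE_DIRS = {r"C:\Program Files\Sherpa Software"}


def is_quoted(image_path: str) -> bool:
    """A leading double quote makes the whole path one token; no hijack."""
    return image_path.lstrip().startswith('"')


def hijack_candidates(image_path: str) -> list[str]:
    """Executables CreateProcess would try, in order, before the real binary.

    Windows consumes the unquoted string one space at a time and tries each
    prefix with ".exe" appended. Every prefix except the full path is a spot
    where a planted binary runs instead of the service. Trailing command-line
    arguments are not modelled here.
    """
    if is_quoted(image_path):
        return []
    tokens = image_path.split(" ")
    prefixes = [" ".join(tokens[:i]) for i in range(1, len(tokens))]
    return [prefix + ".exe" for prefix in prefixes]


def exploitable_candidates(image_path: str, writable_dirs: set[str]) -> list[str]:
    """Keep only candidates whose parent directory the attacker can write to."""
    writable = {ntpath.normcase(d) for d in writable_dirs}
    return [
        candidate
        for candidate in hijack_candidates(image_path)
        if ntpath.normcase(ntpath.dirname(candidate)) in writable
    ]


def quote_image_path(image_path: str) -> str:
    """Generic remediation: quote the executable path so it is a single token."""
    if is_quoted(image_path):
        return image_path
    return f'"{image_path}"'


if __name__ == "__main__":
    print("Search order for:", SAMPLE_IMAGE_PATH)
    for candidate in hijack_candidates(SAMPLE_IMAGE_PATH):
        print("  tries", candidate)
    print("Exploitable with assumed ACLs:",
          exploitable_candidates(SAMPLE_IMAGE_PATH, ASSUMED_WRITABLE_DIRS))
    fixed = quote_image_path(SAMPLE_IMAGE_PATH)
    print("After quoting:", fixed, "->", hijack_candidates(fixed))
```

On a live host the ImagePath values to feed into hijack_candidates come from the service configuration, for example `Get-CimInstance Win32_Service | Select-Object Name, PathName` in PowerShell, and the writable-directory check is done with the real ACLs (icacls) rather than the constructed set used here.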