CVE List - 2022 / April
Showing 1801 - 1900 of 2039 CVEs for April 2022 (Page 19 of 21)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2022-0656 | 2022-04-25 | uDraw < 3.3.3 - Unauthenticated Arbitrary File Access |
| CVE-2022-0657 | 2022-04-25 | 5 Stars Rating Funnel < 1.2.53 - Unauthenticated SQLi |
| CVE-2022-0693 | 2022-04-25 | Master Elements <= 8.0 - Unauthenticated SQLi |
| CVE-2022-0769 | 2022-04-25 | Users Ultra <= 3.1.0 - Unauthenticated SQL Injection |
| CVE-2022-0782 | 2022-04-25 | Donations <= 1.8 - Unauthenticated SQLi |
| CVE-2022-0876 | 2022-04-25 | Social comments by WpDevArt < 2.5.0 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-0953 | 2022-04-25 | Anti-Malware Security and Brute-Force Firewall < 4.20.96 - Reflected Cross-Site Scripting |
| CVE-2022-1027 | 2022-04-25 | Page Restriction WordPress < 1.2.7 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-1092 | 2022-04-25 | myCred < 2.4.4 - Subscriber+ Import/Export to Email Address Disclosure |
| CVE-2022-1094 | 2022-04-25 | Amr Users < 4.59.4 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-1152 | 2022-04-25 | Menubar < 5.8 - Reflected Cross-Site Scripting |
| CVE-2022-1153 | 2022-04-25 | LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-1156 | 2022-04-25 | Books & Papers <= 0.20210223 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-1228 | 2022-04-25 | Opensea < 1.0.3 - Admin+ Stored XSS |
| CVE-2022-1390 | 2022-04-25 | Admin Word Count Column <= 2.2 - Unauthenticated Arbitrary File Read |
| CVE-2022-1391 | 2022-04-25 | Cab fare calculator < 1.0.4 - Unauthenticated LFI |
| CVE-2022-1392 | 2022-04-25 | Videos sync PDF <= 1.7.4 - Unauthenticated LFI |
| CVE-2022-1396 | 2022-04-25 | Donorbox < 7.1.7 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-28290 | 2022-04-25 | Reflective Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. The XSS payload executes whenever the user tries to access the country selector page with the specified payload as... |
| CVE-2022-0477 | 2022-04-25 | An issue has been discovered in GitLab affecting all versions starting from 11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all versions starting from 14.7.0 before 14.7.1. GitLab... |
| CVE-2022-29417 | 2022-04-25 | WordPress ShortPixel Adaptive Images plugin <= 3.3.1 - Subscriber+ Plugin Settings Update vulnerability |
| CVE-2022-29418 | 2022-04-25 | WordPress Night Mode plugin <= 1.0.0 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability |
| CVE-2022-29419 | 2022-04-25 | WordPress 3xSocializer plugin <= 0.98.22 - Authenticated SQL Injection (SQLi) vulnerability |
| CVE-2022-25866 | 2022-04-25 | Command Injection |
| CVE-2021-35250 | 2022-04-25 | Directory Transversal Vulnerability in Serv-U 15.3 |
| CVE-2022-24880 | 2022-04-25 | Potential Captcha Validate Bypass in flask-session-captcha |
| CVE-2022-24706 | 2022-04-26 | Remote Code Execution Vulnerability in Packaging |
| CVE-2022-24882 | 2022-04-26 | Server side NTLM does not properly check parameters in FreeRDP |
| CVE-2022-24883 | 2022-04-26 | FreeRDP Server authentication might allow invalid credentials to pass |
| CVE-2022-29499 | 2022-04-26 | The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual... |
| CVE-2022-29806 | 2022-04-26 | ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability. |
| CVE-2022-27299 | 2022-04-26 | Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the component room.php. |
| CVE-2022-27468 | 2022-04-26 | Monstaftp v2.10.3 was discovered to contain an arbitrary file upload which allows attackers to execute arbitrary code via a crafted file uploaded to the web server. |
| CVE-2022-27469 | 2022-04-26 | Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF). |
| CVE-2022-27984 | 2022-04-26 | CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php. |
| CVE-2022-27985 | 2022-04-26 | CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php. |
| CVE-2022-23942 | 2022-04-26 | Apache Doris hardcoded cryptography initialization |
| CVE-2022-24881 | 2022-04-26 | Command Injection in Ballcat Codegen |
| CVE-2022-1173 | 2022-04-26 | stored xss in getgrav/grav |
| CVE-2022-28218 | 2022-04-26 | An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail... |
| CVE-2021-36867 | 2022-04-26 | WordPress Psychological tests & quizzes plugin <= 0.21.19 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability |
| CVE-2021-36895 | 2022-04-26 | WordPress Tripetto plugin <= 5.1.4 - Unauthenticated Cross-Site Scripting (XSS) vulnerability via SVG image upload |
| CVE-2021-26629 | 2022-04-26 | tobesoft XPLATFORM Path Traversal Vulnerability |
| CVE-2021-26628 | 2022-04-26 | MaxBoard XSS and File Upload Vulnerability |
| CVE-2022-1466 | 2022-04-26 | Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the... |
| CVE-2022-27854 | 2022-04-26 | WordPress Psychological tests & quizzes plugin <= 0.21.19 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability |
| CVE-2022-24866 | 2022-04-26 | Exposure of Sensitive Information to an Unauthorized Actor in Discourse Assign |
| CVE-2022-28448 | 2022-04-26 | nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject javascript code to First name or Last name at Customer Info. |
| CVE-2022-28449 | 2022-04-26 | nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). At Apply for vendor account feature, an attacker can upload an arbitrary file to the system. |
| CVE-2022-28450 | 2022-04-26 | nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code at... |
| CVE-2022-28058 | 2022-04-26 | Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via \backend\file_controller.php. |
| CVE-2022-28059 | 2022-04-26 | Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via \backend\database_controller.php. |
| CVE-2022-28521 | 2022-04-26 | ZCMS v20170206 was discovered to contain a file inclusion vulnerability via index.php?m=home&c=home&a=sp_set_config. |
| CVE-2022-28522 | 2022-04-26 | ZCMS v20170206 was discovered to contain a stored cross-site scripting (XSS) vulnerability via index.php?m=home&c=message&a=add. |
| CVE-2022-28523 | 2022-04-26 | HongCMS 3.0.0 allows arbitrary file deletion via the component /admin/index.php/template/ajax?action=delete. |
| CVE-2022-28524 | 2022-04-26 | ED01-CMS v20180505 was discovered to contain a SQL injection vulnerability via the component post.php. |
| CVE-2022-28525 | 2022-04-26 | ED01-CMS v20180505 was discovered to contain an arbitrary file upload vulnerability via /admin/users.php?source=edit_user&id=1. |
| CVE-2022-28527 | 2022-04-26 | dhcms v20170919 was discovered to contain an arbitrary folder deletion vulnerability via /admin.php?r=admin/AdminBackup/del. |
| CVE-2022-28528 | 2022-04-26 | bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file upload vulnerability via /admin/index.php?mode=content&page=media&action=edit. |
| CVE-2022-28918 | 2022-04-26 | GreenCMS v2.3.0603 was discovered to contain an arbitrary file deletion vulnerability via /index.php?m=admin&c=custom&a=plugindelhandle&plugin_name=. |
| CVE-2022-26564 | 2022-04-26 | HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability via the prezzoperiodo4 parameter in creaprezzi.php. |
| CVE-2022-27888 | 2022-04-26 | The Foundry Issues service was found to be logging in a manner that captured session tokens. |
| CVE-2022-27239 | 2022-04-27 | In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges. |
| CVE-2022-24891 | 2022-04-27 | Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file |
| CVE-2021-41041 | 2022-04-27 | In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods... |
| CVE-2022-28085 | 2022-04-27 | A flaw was found in htmldoc commit 31f7804. A heap buffer overflow in the function pdf_write_names in ps-pdf.cxx may lead to arbitrary code execution and Denial of Service (DoS). |
| CVE-2022-27331 | 2022-04-27 | An access control issue in Zammad v5.0.3 broadcasts administrative configuration changes to all users who have an active application instance, including settings that should only be visible to authenticated users. |
| CVE-2022-27332 | 2022-04-27 | An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause... |
| CVE-2022-29701 | 2022-04-27 | A lack of rate limiting in the 'forgot password' feature of Zammad v5.1.0 allows attackers to send an excessive amount of reset requests for a legitimate user, leading to a... |
| CVE-2022-29700 | 2022-04-27 | A lack of password length restriction in Zammad v5.1.0 allows for the creation of extremely long passwords which can cause a Denial of Service (DoS) during password verification. |
| CVE-2022-29810 | 2022-04-27 | The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. |
| CVE-2022-1503 | 2022-04-27 | GetSimple CMS Content Module edit.php cross site scripting |
| CVE-2021-46442 | 2022-04-27 | In the "webupg" binary of D-Link DIR-825 G1, attackers can bypass authentication through parameters "autoupgrade.asp", and perform functions such as downloading configuration files and updating firmware without authorization. |
| CVE-2021-46441 | 2022-04-27 | In the "webupg" binary of D-Link DIR-825 G1, because of the lack of parameter verification, attackers can use "cmd" parameters to execute arbitrary system commands after obtaining authorization. |
| CVE-2022-1504 | 2022-04-27 | XSS in /demo/module/?module=HERE in microweber/microweber |
| CVE-2021-46420 | 2022-04-27 | Franklin Fueling Systems FFS TS-550 evo 2.23.4.8936 is affected by an unauthenticated directory traversal vulnerability, which allows an attacker to obtain sensitive information. |
| CVE-2021-46421 | 2022-04-27 | Franklin Fueling Systems FFS T5 Series 1.8.7.7299 is affected by an unauthenticated directory traversal vulnerability, which allows an attacker to obtain sensitive information. |
| CVE-2021-46422 | 2022-04-27 | Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication. |
| CVE-2021-46423 | 2022-04-27 | Telesquare TLR-2005KSH 1.0.0 is affected by an unauthenticated file download vulnerability that allows a remote attacker to download a full configuration file. |
| CVE-2021-46424 | 2022-04-27 | Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request. |
| CVE-2022-28464 | 2022-04-27 | Apifox through 2.1.6 is vulnerable to Cross Site Scripting (XSS) which can lead to remote code execution. |
| CVE-2022-24885 | 2022-04-27 | Improper Authentication in Nextcloud Android Files |
| CVE-2022-24886 | 2022-04-27 | Exposure of Sensitive Information to an Unauthorized Actor in com.nextcloud.client |
| CVE-2022-24887 | 2022-04-27 | Open Redirect in Nextcloud Talk |
| CVE-2022-27905 | 2022-04-27 | In ControlUp Real-Time Agent before 8.6, an unquoted path can result in privilege escalation. An attacker would require write permissions to the root level of the OS drive (C:\) to... |
| CVE-2022-24888 | 2022-04-27 | Possible Injection in Nextcloud Server |
| CVE-2022-29505 | 2022-04-27 | Due to build misconfiguration in openssl dependency, LINE for Windows before 7.8 is vulnerable to DLL injection that could lead to privilege escalation. |
| CVE-2022-24889 | 2022-04-27 | Insufficient Verification of Data Authenticity in Nextcloud Server |
| CVE-2021-34587 | 2022-04-27 | Bender Charge Controller: Long URL could lead to webserver crash |
| CVE-2021-34588 | 2022-04-27 | Bender Charge Controller: Unprotected data export |
| CVE-2021-34589 | 2022-04-27 | Bender Charge Controller: RFID leak |
| CVE-2021-34590 | 2022-04-27 | Bender Charge Controller: Cross-site Scripting |
| CVE-2021-34591 | 2022-04-27 | Bender Charge Controller: Local privilege Escalation |
| CVE-2021-34592 | 2022-04-27 | Bender Charge Controller: Command injection via Web interface |
| CVE-2021-34601 | 2022-04-27 | Bender Charge Controller: Hardcoded Credentials in Charge Controller |
| CVE-2021-34602 | 2022-04-27 | Bender Charge Controller: Long URL could lead to webserver crash |
| CVE-2022-22521 | 2022-04-27 | Privilege Escalation in Miele Benchmark Programming Tool |
| CVE-2022-27336 | 2022-04-27 | Seacms v11.6 was discovered to contain a remote code execution (RCE) vulnerability via the component /admin/weixin.php. |
| CVE-2021-29776 | 2022-04-27 | IBM QRadar SIEM 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information from another user's dashboard providing the dashboard ID of that user. IBM X-Force ID:... |
| CVE-2021-38869 | 2022-04-27 | IBM QRadar SIEM 7.3, 7.4, and 7.5 in some situations may not automatically log users out after they exceed their idle timeout. IBM X-Force ID: 208341. |