CVE List - 2022 / April
Showing 1901 - 2000 of 2039 CVEs for April 2022 (Page 20 of 21)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-38874 | 2022-04-27 | IBM QRadar SIEM 7.3, 7.4, and 7.5 allows users to access information across tenant and domain boundaries in some situations. IBM X-Force ID: 208397. |
| CVE-2021-38878 | 2022-04-27 | IBM QRadar 7.3, 7.4, and 7.5 could allow a malicious actor to impersonate an actor due to key exchange without entity authentication. IBM X-Force ID: 208756. |
| CVE-2021-38919 | 2022-04-27 | IBM QRadar SIEM 7.3, 7.4, and 7.5 in some scenarios may reveal authorized service tokens to other QRadar users. IBM X-Force ID: 210021. |
| CVE-2021-38939 | 2022-04-27 | IBM QRadar SIEM 7.3, 7.4, and 7.5 stores potentially sensitive information in log files that could be read by a user with permission to create domains. IBM X-Force ID: 211037. |
| CVE-2022-22312 | 2022-04-27 | IBM Security Identity Manager (IBM Security Verify Password Synchronization Plug-in for Windows AD 10.x) is vulnerable to a denial of service, caused by a heap-based buffer overflow in the Password... |
| CVE-2022-22323 | 2022-04-27 | IBM Security Identity Manager (IBM Security Verify Password Synchronization Plug-in for Windows AD 10.x) is vulnerable to a denial of service, caused by a heap-based buffer overflow in the Password... |
| CVE-2022-22345 | 2022-04-27 | IBM QRadar 7.3, 7.4, and 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2022-23822 | 2022-04-27 | In this physical attack, an attacker may potentially exploit the Zynq-7000 SoC First Stage Boot Loader (FSBL) by bypassing authentication and loading a malicious image onto the device. This in... |
| CVE-2022-22275 | 2022-04-27 | Improper Restriction of TCP Communication Channel in HTTP/S inbound traffic from WAN to DMZ, bypassing security policy until the TCP handshake, potentially resulting in a Denial of Service (DoS) attack if a... |
| CVE-2022-22276 | 2022-04-27 | A vulnerability in the SonicOS SNMP service resulting in exposure of sensitive information to an unauthorized user. |
| CVE-2022-22277 | 2022-04-27 | A vulnerability in the SonicOS SNMP service resulting in exposure of Wireless Access Point sensitive information in cleartext. |
| CVE-2022-22278 | 2022-04-27 | A vulnerability in SonicOS CFS (Content Filtering Service) returns a large 403 Forbidden HTTP response message to the source address when users try to access a prohibited resource; this allows an... |
| CVE-2021-25266 | 2022-04-27 | An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and... |
| CVE-2022-1507 | 2022-04-27 | chafa (hpjansson/chafa): NULL pointer dereference in function gif_internal_decode_frame at libnsgif.c:599 allows attackers to cause a denial of service (crash) via a crafted input file. |
| CVE-2022-24372 | 2022-04-27 | Linksys MR9600 devices before 2.0.5 allow attackers to read arbitrary files via a symbolic link to the root directory of a NAS SMB share. |
| CVE-2022-22315 | 2022-04-27 | IBM UrbanCode Deploy (UCD) 7.2.2.1 could allow an authenticated user with special permissions to obtain elevated privileges due to improper handling of permissions. IBM X-Force ID: 217955. |
| CVE-2022-28193 | 2022-04-27 | NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot module tegrabl_cbo.c, where insufficient validation of untrusted data may allow a local attacker with elevated privileges to cause a... |
| CVE-2022-28194 | 2022-04-27 | NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot module tegrabl_cbo.c, where, if TFTP is enabled, a local attacker with elevated privileges can cause a memory buffer overflow,... |
| CVE-2022-28195 | 2022-04-27 | NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_read_file function, where insufficient validation of untrusted data may allow a highly privileged local attacker to cause an integer... |
| CVE-2022-28196 | 2022-04-27 | NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot blob_decompress function, where insufficient validation of untrusted data may allow a local attacker with elevated privileges to cause a... |
| CVE-2022-28197 | 2022-04-27 | NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_mount function, where Insufficient validation of untrusted data may allow a highly privileged local attacker to cause an integer... |
| CVE-2022-24735 | 2022-04-27 | Lua scripts can be manipulated to overcome ACL rules in Redis |
| CVE-2022-24736 | 2022-04-27 | A Malformed Lua script can crash Redis |
| CVE-2021-3523 | 2022-04-27 | A flaw was found in 3Scale APICast in versions prior to 2.11.0, where it incorrectly identified connections for reuse. This flaw allows an attacker to bypass security restrictions for an... |
| CVE-2022-29859 | 2022-04-27 | component/common/network/dhcp/dhcps.c in ambiot amb1_sdk (aka SDK for Ameba1) before 2022-03-11 mishandles data structures for DHCP packet data. |
| CVE-2022-1511 | 2022-04-28 | Missing Authorization in snipe/snipe-it |
| CVE-2022-28892 | 2022-04-28 | Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable. |
| CVE-2022-29869 | 2022-04-28 | cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. |
| CVE-2022-28719 | 2022-04-28 | Missing authentication for critical function in AssetView prior to Ver.13.2.0 allows a remote unauthenticated attacker with some knowledge on the system configuration to upload a crafted configuration file to the... |
| CVE-2022-29811 | 2022-04-28 | In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible. |
| CVE-2022-29812 | 2022-04-28 | In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient |
| CVE-2022-29813 | 2022-04-28 | In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible |
| CVE-2022-29814 | 2022-04-28 | In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible |
| CVE-2022-29815 | 2022-04-28 | In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible |
| CVE-2022-29816 | 2022-04-28 | In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible |
| CVE-2022-29817 | 2022-04-28 | In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible |
| CVE-2022-29818 | 2022-04-28 | In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed |
| CVE-2022-29819 | 2022-04-28 | In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible |
| CVE-2022-29820 | 2022-04-28 | In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible |
| CVE-2022-29821 | 2022-04-28 | In JetBrains Rider before 2022.1 local code execution via links in ReSharper Quick Documentation was possible |
| CVE-2022-1509 | 2022-04-28 | Command Injection Vulnerability in hestiacp/hestiacp |
| CVE-2021-33436 | 2022-04-28 | NoMachine for Windows prior to versions 6.15.1 and 7.5.2 suffers from local privilege escalation due to the lack of safe DLL loading. This vulnerability allows local non-privileged users to perform... |
| CVE-2021-41921 | 2022-04-28 | novel-plus V3.6.1 allows unrestricted file uploads. Unrestricted file suffixes and contents can lead to server attacks and arbitrary code execution. |
| CVE-2022-29152 | 2022-04-28 | The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an XSS payload from the AppPortal cookie into the page. |
| CVE-2022-24935 | 2022-04-28 | Lexmark products through 2022-02-10 have Incorrect Access Control. |
| CVE-2021-41945 | 2022-04-28 | Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`. |
| CVE-2022-24873 | 2022-04-28 | Non-Stored Cross-site Scripting in Shopware storefront |
| CVE-2022-28101 | 2022-04-28 | Turtlapp Turtle Note v0.7.2.6 does not filter the <meta> tag during markdown parsing, allowing attackers to execute HTML injection. |
| CVE-2022-28102 | 2022-04-28 | A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Generator v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected at /edit-db.php. |
| CVE-2022-28114 | 2022-04-28 | DSCMS v3.0 was discovered to contain an arbitrary file deletion vulnerability via /controller/Adv.php. |
| CVE-2022-28117 | 2022-04-28 | A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the... |
| CVE-2022-24879 | 2022-04-28 | Malfunction of Cross-Site Request Forgery token validation |
| CVE-2022-24892 | 2022-04-28 | Multiple valid tokens for password reset in Shopware |
| CVE-2021-43930 | 2022-04-28 | Elcomplus SmartPtt Path Traversal |
| CVE-2021-43934 | 2022-04-28 | Elcomplus SmartPtt Unrestricted Upload of File with Dangerous Type |
| CVE-2021-43932 | 2022-04-28 | Elcomplus SmartPtt Cross-site Scripting |
| CVE-2021-43939 | 2022-04-28 | Elcomplus SmartPtt Improper Authorization |
| CVE-2022-22781 | 2022-04-28 | Update package downgrade in Zoom Client for Meetings for MacOS |
| CVE-2022-22782 | 2022-04-28 | Local privilege escalation in Windows Zoom Clients |
| CVE-2022-22783 | 2022-04-28 | Process memory exposure in Zoom on-premise Meeting services |
| CVE-2022-29584 | 2022-04-28 | Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an... |
| CVE-2022-29585 | 2022-04-28 | In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of... |
| CVE-2022-27860 | 2022-04-28 | WordPress Footer Text plugin <= 2.0.3 - Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability |
| CVE-2022-29415 | 2022-04-28 | WordPress Ravpage plugin <= 2.16 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability |
| CVE-2022-1514 | 2022-04-28 | Stored XSS via upload plugin functionality in zip format in neorazorx/facturascripts |
| CVE-2021-38952 | 2022-04-28 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2022-22322 | 2022-04-28 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2022-22427 | 2022-04-28 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2022-22441 | 2022-04-28 | IBM InfoSphere Information Server 11.7 could allow an authenticated user to view information of higher privileged users and groups due to a privilege escalation vulnerability. IBM X-Force ID: 224426. |
| CVE-2022-22443 | 2022-04-28 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2022-29410 | 2022-04-28 | WordPress Hermit 音乐播放器 plugin <= 3.1.6 - Authenticated SQL Injection (SQLi) vulnerability |
| CVE-2022-29413 | 2022-04-28 | WordPress Hermit 音乐播放器 plugin <= 3.1.6 - Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability |
| CVE-2022-29412 | 2022-04-28 | WordPress Hermit 音乐播放器 plugin <= 3.1.6 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities |
| CVE-2022-29411 | 2022-04-28 | WordPress Hermit 音乐播放器 plugin <= 3.1.6 - Unauthenticated SQL Injection (SQLi) vulnerability |
| CVE-2022-29081 | 2022-04-28 | Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction.... |
| CVE-2022-28060 | 2022-04-28 | SQL Injection vulnerability in Victor CMS v1.0, via the user_name parameter to /includes/login.php. |
| CVE-2022-24898 | 2022-04-28 | Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml |
| CVE-2022-28477 | 2022-04-28 | WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS). |
| CVE-2022-29555 | 2022-04-28 | The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2 allows Cross-Origin WebSocket Hijacking. |
| CVE-2022-29556 | 2022-04-28 | The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API... |
| CVE-2022-28454 | 2022-04-28 | Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS). |
| CVE-2022-24449 | 2022-04-28 | Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document. |
| CVE-2021-3982 | 2022-04-29 | Linux distributions using CAP_SYS_NICE for gnome-shell may be exposed to a privilege escalation issue. An attacker, with low privilege permissions, may take advantage of the way CAP_SYS_NICE is currently implemented... |
| CVE-2022-1015 | 2022-04-29 | A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue. |
| CVE-2022-29907 | 2022-04-29 | The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages. |
| CVE-2022-29906 | 2022-04-29 | The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user. |
| CVE-2022-29905 | 2022-04-29 | The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF. |
| CVE-2022-29904 | 2022-04-29 | The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints. |
| CVE-2022-29903 | 2022-04-29 | The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains. |
| CVE-2022-1526 | 2022-04-29 | Emlog Pro POST Parameter cross site scripting |
| CVE-2022-1530 | 2022-04-29 | Cross-site Scripting (XSS) in livehelperchat/livehelperchat |
| CVE-2022-1531 | 2022-04-29 | SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in rtxteam/rtx |
| CVE-2022-1534 | 2022-04-29 | Buffer Over-read at parse_rawml.c:1416 in bfabiszewski/libmobi |
| CVE-2022-1533 | 2022-04-29 | Buffer Over-read in bfabiszewski/libmobi |
| CVE-2021-41942 | 2022-04-29 | The Magic CMS MSVOD v10 video system has a SQL injection vulnerability. Attackers can exploit it to obtain sensitive information from the database. |
| CVE-2021-44595 | 2022-04-29 | Wondershare Dr. Fone (latest version as of 2021-12-06) is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to ElevationService.exe and execute arbitrary code without... |
| CVE-2021-44596 | 2022-04-29 | Wondershare LTD Dr. Fone (version as of 2021-12-06) is affected by remote code execution. Due to software design flaws, an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service (the... |
| CVE-2022-1536 | 2022-04-29 | automad Dashboard cross site scripting |
| CVE-2021-41948 | 2022-04-29 | A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 via "List of subjects". |
| CVE-2022-24900 | 2022-04-29 | Absolute Path Traversal due to incorrect use of `send_file` call in Piano LED Visualizer |