CVE List - 2022 / May
Showing 1 - 100 of 2161 CVEs for May 2022 (Page 1 of 22)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2022-23060 | 2022-05-01 | Shopizer - Stored XSS in Manage Files |
| CVE-2022-23061 | 2022-05-01 | Shopizer - IDOR delete superadmin |
| CVE-2022-28481 | 2022-05-01 | CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection. |
| CVE-2022-25850 | 2022-05-01 | Server-side Request Forgery (SSRF) |
| CVE-2022-24437 | 2022-05-01 | Command Injection |
| CVE-2022-21230 | 2022-05-01 | Information Exposure |
| CVE-2022-21144 | 2022-05-01 | Denial of Service (DoS) |
| CVE-2022-21227 | 2022-05-01 | Denial of Service (DoS) |
| CVE-2022-21189 | 2022-05-01 | Prototype Pollution |
| CVE-2022-23923 | 2022-05-01 | Sandbox Bypass |
| CVE-2022-25844 | 2022-05-01 | Regular Expression Denial of Service (ReDoS) |
| CVE-2022-25842 | 2022-05-01 | Arbitrary File Write via Archive Extraction (Zip Slip) |
| CVE-2022-26068 | 2022-05-01 | Path Traversal |
| CVE-2022-21167 | 2022-05-01 | Arbitrary Code Execution |
| CVE-2022-25349 | 2022-05-01 | Cross-site Scripting (XSS) |
| CVE-2022-25647 | 2022-05-01 | Deserialization of Untrusted Data |
| CVE-2022-25767 | 2022-05-01 | Remote Code Execution |
| CVE-2022-25645 | 2022-05-01 | Prototype Pollution |
| CVE-2022-22143 | 2022-05-01 | Prototype Pollution |
| CVE-2022-21149 | 2022-05-01 | Cross-site Scripting (XSS) |
| CVE-2022-25301 | 2022-05-01 | Prototype Pollution |
| CVE-2021-31674 | 2022-05-01 | Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefine enum constant. |
| CVE-2021-31673 | 2022-05-01 | A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter. |
| CVE-2022-28451 | 2022-05-01 | nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature. |
| CVE-2021-40822 | 2022-05-01 | GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host. |
| CVE-2022-29849 | 2022-05-01 | In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges... |
| CVE-2022-1475 | 2022-05-02 | An integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file. |
| CVE-2022-29970 | 2022-05-02 | Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. |
| CVE-2022-29968 | 2022-05-02 | An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private. |
| CVE-2022-29969 | 2022-05-02 | The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true). |
| CVE-2022-29973 | 2022-05-02 | relan exFAT 1.3.0 allows local users to obtain sensitive information (data from deleted files in the filesystem) in certain situations involving offsets beyond ValidDataLength. |
| CVE-2021-46790 | 2022-05-02 | ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2. NOTE: the upstream position is that ntfsck is deprecated; however, it is shipped by some Linux distributions. |
| CVE-2021-36778 | 2022-05-02 | Exposure of repository credentials to external third-party sources |
| CVE-2021-36784 | 2022-05-02 | Privilege escalation for users with create/update permissions in Global Roles |
| CVE-2021-4200 | 2022-05-02 | Write access to the Catalog for any user when restricted-admin role is enabled |
| CVE-2022-1300 | 2022-05-02 | Missing authentication in TRUMPF products may result in corruption of data |
| CVE-2022-23904 | 2022-05-02 | Rainworx Auctionworx < 3.1R2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an authenticated user to upgrade his account to admin and gain access to the auctionworx... |
| CVE-2022-23064 | 2022-05-02 | Snipe-IT - Host Header Injection |
| CVE-2022-23065 | 2022-05-02 | Vendure - XSS via SVG File Upload |
| CVE-2022-28571 | 2022-05-02 | D-link 882 DIR882A1_FW130B06 was discovered to contain a command injection vulnerability in`/usr/bin/cli. |
| CVE-2022-28572 | 2022-05-02 | Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in `SetIPv6Status` function |
| CVE-2022-28573 | 2022-05-02 | D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetNTPserverSeting. This vulnerability allows attackers to execute arbitrary commands via the system_time_timezone parameter. |
| CVE-2022-27466 | 2022-05-02 | MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do. |
| CVE-2022-27982 | 2022-05-02 | RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain a remote code execution (RCE) vulnerability via the fileName parameter at /guest_auth/cfg/upLoadCfg.php. |
| CVE-2022-27983 | 2022-05-02 | RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain an arbitrary file read vulnerability via the url parameter in check.php. |
| CVE-2022-28054 | 2022-05-02 | Improper sanitization of trigger action scripts in VanDyke Software VShell for Windows v4.6.2 allows attackers to execute arbitrary code via a crafted value. |
| CVE-2022-28056 | 2022-05-02 | ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php. |
| CVE-2021-25002 | 2022-05-02 | Tipsacarrier < 1.5.0.5 - Unauthenticated Orders Disclosure |
| CVE-2021-25086 | 2022-05-02 | Advanced Page Visit Counter < 6.1.2 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2021-25102 | 2022-05-02 | All In One WP Security < 4.4.11 - Authenticated Reflected Cross-Site Scripting |
| CVE-2022-0191 | 2022-05-02 | Ad Invalid Click Protector (AICP) < 1.2.7 - Arbitrary Ban Deletion via CSRF |
| CVE-2022-0418 | 2022-05-02 | Event List < 0.8.8 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-0428 | 2022-05-02 | Content Egg < 5.3.0 - Reflected Cross-Site Scripting |
| CVE-2022-0649 | 2022-05-02 | Adrotate < 5.8.23 - Admin+ XSS via Group Name |
| CVE-2022-0662 | 2022-05-02 | Adrotate < 5.8.23 - Admin+ XSS via Advert Name |
| CVE-2022-0771 | 2022-05-02 | SiteSuperCharger < 5.2.0 - Unauthenticated SQLi |
| CVE-2022-0773 | 2022-05-02 | Documentor <= 1.5.3 - Unauthenticated SQLi |
| CVE-2022-0783 | 2022-05-02 | Multiple Shipping Address Woocommerce < 2.0 - Unauthenticated SQLi |
| CVE-2022-0952 | 2022-05-02 | Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update |
| CVE-2022-1046 | 2022-05-02 | Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-1239 | 2022-05-02 | HubSpot < 8.8.15 - Contributor+ Blind SSRF |
| CVE-2022-1250 | 2022-05-02 | LifterLMS PayPal < 1.4.0 - Reflected Cross-Site Scripting |
| CVE-2022-1255 | 2022-05-02 | Import and export users and customers < 1.19.2.1 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-1269 | 2022-05-02 | Fast Flow < 1.2.12 - Reflected Cross-Site Scripting |
| CVE-2022-1273 | 2022-05-02 | Import WP < 2.4.6 - Admin+ Arbitrary File Upload to RCE |
| CVE-2022-1281 | 2022-05-02 | Photo Gallery < 1.6.3 - Unauthenticated SQL Injection |
| CVE-2022-1282 | 2022-05-02 | Photo Gallery < 1.6.3 - Reflected Cross-Site Scripting |
| CVE-2021-29859 | 2022-05-02 | IBM ICP4A - User Management System Component (IBM Cloud Pak for Business Automation V21.0.3 through V21.0.3-IF008, V21.0.2 through V21.0.2-IF009, and V21.0.1 through V21.0.1-IF007) could allow a user with physical access... |
| CVE-2022-1366 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerChart.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-1367 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in Handler_TCV.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-1369 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadRegIND. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-1370 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadREGbyID. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-1371 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadRegf. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-1372 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in dlSlog.aspx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-1374 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_unHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-1375 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_slogHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-1376 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_privgrpHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-1377 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_rltHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-1378 | 2022-05-02 | Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_pgHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database... |
| CVE-2022-26325 | 2022-05-02 | Cross Site Scripting vulnerability in NetIQ Access Manager versions prior to version 5.0.2 |
| CVE-2022-26326 | 2022-05-02 | Potential open redirection vulnerability in NetIQ Access Manager versions prior to version 5.0.2 |
| CVE-2021-3643 | 2022-05-02 | A flaw was found in sox 14.4.1. The lsx_adpcm_init function within libsox leads to a global-buffer-overflow. This flaw allows an attacker to input a malicious file, leading to the disclosure... |
| CVE-2021-3750 | 2022-05-02 | A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers... |
| CVE-2022-1515 | 2022-05-02 | A memory leak was discovered in matio 1.5.21 and earlier in Mat_VarReadNextInfo5() in mat5.c via a crafted file. This issue can potentially result in DoS. |
| CVE-2022-28613 | 2022-05-02 | Specially Crafted Modbus TCP Packet Vulnerability in RTU500 series |
| CVE-2022-29444 | 2022-05-02 | WordPress Breeze plugin <= 2.0.2 - Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability |
| CVE-2021-41810 | 2022-05-02 | Script injection in M-Files Server products with versions before 22.2.11051.0, allows executing stored script in admin tool |
| CVE-2021-36844 | 2022-05-02 | WordPress WP Subscribe plugin <= 1.2.12 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability |
| CVE-2022-24897 | 2022-05-02 | Arbitrary filesystem write access from Velocity |
| CVE-2022-23722 | 2022-05-02 | PingFederate Password Reset via Authentication API Mishandling |
| CVE-2022-23723 | 2022-05-02 | PingFederate PingOneMFA Integration Kit MFA Bypass |
| CVE-2021-4138 | 2022-05-02 | Improved Host header checks to reject requests not sent to a well-known local hostname or IP, or the server-specified hostname. |
| CVE-2022-24974 | 2022-05-02 | Links may not be rewritten according to policy in some specially formatted emails. |
| CVE-2021-42528 | 2022-05-02 | XMP-Toolkit Null Pointer Dereference Application denial-of-service |
| CVE-2021-42532 | 2022-05-02 | XMP-Toolkit SDK Stack-based Buffer Overflow Could Lead To Arbitrary Code Execution |
| CVE-2021-42530 | 2022-05-02 | XMP-Toolkit SDK Stack-based Buffer Overflow Could Lead To Arbitrary Code Execution |
| CVE-2021-42531 | 2022-05-02 | XMP-Toolkit SDK Stack-based Buffer Overflow Could Lead To Arbitrary Code Execution |
| CVE-2021-42529 | 2022-05-02 | XMP-Toolkit SDK Stack-based Buffer Overflow Could Lead To Arbitrary Code Execution |
| CVE-2020-23617 | 2022-05-02 | A cross site scripting (XSS) vulnerability in the error page of Totolink N200RE and N100RE Routers 2.0 allows attackers to execute arbitrary web scripts or HTML via SCRIPT element. |
| CVE-2020-23618 | 2022-05-02 | A reflected cross site scripting (XSS) vulnerability in Xtend Voice Logger 1.0 allows attackers to execute arbitrary web scripts or HTML, via the path of the error page. |