| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-30295 | | | | 2022-05-06 | 2022-05-16 | 4.0 | None | Remote | High | Not required | Partial | Partial | None | uClibc-ng through 1.0.40 and uClibc through 0.9.33.2 use predictable DNS transaction IDs that may lead to DNS cache poisoning. This is related to a reset of a value to 0x2. |
| 2 | CVE-2022-30241 | 79 | | XSS | 2022-05-04 | 2022-05-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The jquery.json-viewer library through 1.4.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element. |
| 3 | CVE-2022-29976 | 79 | | XSS | 2022-05-11 | 2022-05-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An Authenticated Reflected Cross-site scripting at BCC Parameter was discovered in MDaemon before 22.0.0. |
| 4 | CVE-2022-29975 | 79 | | XSS | 2022-05-11 | 2022-05-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An Authenticated Reflected Cross-site scripting at CC Parameter was discovered in MDaemon before 22.0.0. |
| 5 | CVE-2022-29973 | 770 | | +Info | 2022-05-02 | 2022-05-11 | 1.9 | None | Local | Medium | Not required | Partial | None | None | relan exFAT 1.3.0 allows local users to obtain sensitive information (data from deleted files in the filesystem) in certain situations involving offsets beyond ValidDataLength. |
| 6 | CVE-2022-29969 | 79 | | XSS | 2022-05-02 | 2022-05-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true). |
| 7 | CVE-2022-29968 | 909 | | | 2022-05-02 | 2022-05-11 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private. |
| 8 | CVE-2022-29950 | | | | 2022-05-04 | 2022-05-12 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Experian Hunter 1.16 allows remote authenticated users to modify assumed-immutable elements via the (1) rule name parameter to the Rules page or the (2) subrule name or (3) categories name parameter to the Subrules page. |
| 9 | CVE-2022-29947 | 79 | | XSS | 2022-04-29 | 2022-05-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping. |
| 10 | CVE-2022-29942 | 918 | | | 2022-05-04 | 2022-05-13 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Talend Administration Center has a vulnerability that allows an authenticated user to use the Service Registry 'Add' functionality to perform SSRF HTTP GET requests on URLs in the internal network. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version. |
| 11 | CVE-2022-29940 | 79 | | XSS | 2022-05-05 | 2022-05-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities. |
| 12 | CVE-2022-29939 | 79 | | XSS | 2022-05-05 | 2022-05-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities. |
| 13 | CVE-2022-29907 | 79 | | XSS | 2022-04-29 | 2022-05-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages. |
| 14 | CVE-2022-29905 | 352 | | CSRF | 2022-04-29 | 2022-05-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF. |
| 15 | CVE-2022-29903 | 352 | | CSRF | 2022-04-29 | 2022-05-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains. |
| 16 | CVE-2022-29869 | 668 | | +Info | 2022-04-28 | 2022-05-16 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. |
| 17 | CVE-2022-29824 | 190 | | Overflow | 2022-05-03 | 2022-05-17 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. |
| 18 | CVE-2022-29821 | 94 | | Exec Code | 2022-04-28 | 2022-05-05 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | In JetBrains Rider before 2022.1 local code execution via links in ReSharper Quick Documentation was possible. |
| 19 | CVE-2022-29820 | 668 | | | 2022-04-28 | 2022-05-05 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible. |
| 20 | CVE-2022-29819 | 94 | | Exec Code | 2022-04-28 | 2022-05-05 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible. |
| 21 | CVE-2022-29818 | 346 | | | 2022-04-28 | 2022-05-05 | 3.6 | None | Local | Low | Not required | Partial | Partial | None | In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed. |
| 22 | CVE-2022-29817 | 79 | | XSS | 2022-04-28 | 2022-05-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in the internal web server was possible. |
| 23 | CVE-2022-29816 | 74 | | | 2022-04-28 | 2022-05-05 | 2.1 | None | Local | Low | Not required | None | Partial | None | In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible. |
| 24 | CVE-2022-29815 | 94 | | Exec Code | 2022-04-28 | 2022-05-05 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible. |
| 25 | CVE-2022-29814 | 94 | | Exec Code | 2022-04-28 | 2022-05-05 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible. |
| 26 | CVE-2022-29813 | 94 | | Exec Code | 2022-04-28 | 2022-05-05 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | In JetBrains IntelliJ IDEA before 2022.1 local code execution via a custom Pandoc path was possible. |
| 27 | CVE-2022-29812 | | | | 2022-04-28 | 2022-05-05 | 2.1 | None | Local | Low | Not required | None | Partial | None | In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient. |
| 28 | CVE-2022-29811 | 79 | | XSS | 2022-04-28 | 2022-05-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible. |
| 29 | CVE-2022-29810 | 532 | | | 2022-04-27 | 2022-05-10 | 2.1 | None | Local | Low | Not required | Partial | None | None | The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. |
| 30 | CVE-2022-29589 | 79 | | XSS | 2022-04-22 | 2022-04-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Crypt Server before 3.3.0 allows XSS in the index view. This is related to serial, computername, and username. |
| 31 | CVE-2022-29584 | 79 | | XSS | 2022-04-28 | 2022-05-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action. |
| 32 | CVE-2022-29583 | 426 | | | 2022-04-22 | 2022-05-03 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | service_windows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory. |
| 33 | CVE-2022-29577 | 79 | | XSS | 2022-04-21 | 2022-05-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367. |
| 34 | CVE-2022-29548 | 79 | | XSS | 2022-04-21 | 2022-05-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0. |
| 35 | CVE-2022-29537 | 125 | | | 2022-04-20 | 2022-05-03 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has a heap-based buffer over-read, as demonstrated by MP4Box. |
| 36 | CVE-2022-29533 | 79 | | XSS | 2022-04-20 | 2022-04-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page." |
| 37 | CVE-2022-29532 | 79 | | XSS | 2022-04-20 | 2022-04-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. |
| 38 | CVE-2022-29531 | 79 | | XSS | 2022-04-20 | 2022-04-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name. |
| 39 | CVE-2022-29530 | 79 | | XSS | 2022-04-20 | 2022-04-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters. |
| 40 | CVE-2022-29529 | 79 | | XSS | 2022-04-20 | 2022-04-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. |
| 41 | CVE-2022-29505 | | | | 2022-04-27 | 2022-05-06 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | Due to a build misconfiguration in the openssl dependency, LINE for Windows before 7.8 is vulnerable to DLL injection that could lead to privilege escalation. |
| 42 | CVE-2022-29498 | 89 | | Sql | 2022-04-21 | 2022-04-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Blazer before 2.6.0 allows SQL Injection. In certain circumstances, an attacker could get a user to run a query they would not have normally run. |
| 43 | CVE-2022-29474 | 22 | | Dir. Trav. | 2022-05-05 | 2022-05-12 | 4.0 | None | Remote | Low | ??? | Partial | None | None | On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, a directory traversal vulnerability exists in iControl SOAP that allows an authenticated attacker with at least guest role privileges to read wsdl files in the BIG-IP file system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| 44 | CVE-2022-29444 | 264 | | XSS | 2022-05-02 | 2022-05-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wp_ajax_* actions in the class Breeze_Configuration, which includes the ability to change any of the plugin's settings, including the CDN setting, which could be further used for an XSS attack. |
| 45 | CVE-2022-29422 | 79 | | XSS | 2022-05-06 | 2022-05-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabilities in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via the &ycd-countdown-width, &ycd-progress-height, &ycd-progress-width, &ycd-button-margin-top, &ycd-button-margin-right, &ycd-button-margin-bottom, &ycd-button-margin-left, &ycd-circle-countdown-before-countdown, and &ycd-circle-countdown-after-countdown vulnerable parameters. |
| 46 | CVE-2022-29421 | 79 | | XSS | 2022-05-06 | 2022-05-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Reflected Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin on WordPress via the &ycd_type vulnerable parameter. |
| 47 | CVE-2022-29420 | 79 | | XSS | 2022-05-06 | 2022-05-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via the &ycd-circle-countdown-before-countdown and &ycd-circle-countdown-after-countdown vulnerable parameters. |
| 48 | CVE-2022-29418 | 79 | | XSS | 2022-04-25 | 2022-05-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels' Night Mode plugin <= 1.0.0 on WordPress via vulnerable parameters: &ntmode_page_setting[enable-me], &ntmode_page_setting[bg-color], &ntmode_page_setting[txt-color], &ntmode_page_setting[anc_color]. |
| 49 | CVE-2022-29417 | 284 | | | 2022-04-25 | 2022-05-03 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings. |
| 50 | CVE-2022-29415 | 79 | | XSS | 2022-04-28 | 2022-05-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Mati Skiba @ Rav Messer's Ravpage plugin <= 2.16 at WordPress. |