| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
801 |
CVE-2022-24315 |
125 |
|
DoS |
2022-02-09 |
2022-02-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service when an attacker repeatedly sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) |
|
802 |
CVE-2022-24314 |
125 |
|
DoS |
2022-02-09 |
2022-02-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A CWE-125: Out-of-bounds Read vulnerability exists that could cause memory leaks potentially resulting in denial of service when an attacker repeatedly sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) |
|
803 |
CVE-2022-24296 |
327 |
|
|
2022-06-08 |
2022-06-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Air Conditioning System G-150AD Ver. 3.21 and prior, Air Conditioning System AG-150A-A Ver. 3.21 and prior, Air Conditioning System AG-150A-J Ver. 3.21 and prior, Air Conditioning System GB-50AD Ver. 3.21 and prior, Air Conditioning System GB-50ADA-A Ver. 3.21 and prior, Air Conditioning System GB-50ADA-J Ver. 3.21 and prior, Air Conditioning System EB-50GU-A Ver. 7.10 and prior, Air Conditioning System EB-50GU-J Ver. 7.10 and prior, Air Conditioning System AE-200J Ver. 7.97 and prior, Air Conditioning System AE-200A Ver. 7.97 and prior, Air Conditioning System AE-200E Ver. 7.97 and prior, Air Conditioning System AE-50J Ver. 7.97 and prior, Air Conditioning System AE-50A Ver. 7.97 and prior, Air Conditioning System AE-50E Ver. 7.97 and prior, Air Conditioning System EW-50J Ver. 7.97 and prior, Air Conditioning System EW-50A Ver. 7.97 and prior, Air Conditioning System EW-50E Ver. 7.97 and prior, Air Conditioning System TE-200A Ver. 7.97 and prior, Air Conditioning System TE-50A Ver. 7.97 and prior and Air Conditioning System TW-50A Ver. 7.97 and prior allows a remote unauthenticated attacker to cause a disclosure of encrypted message of the air conditioning systems by sniffing encrypted communications. |
|
804 |
CVE-2022-24290 |
121 |
|
Overflow |
2022-05-20 |
2022-08-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9), Teamcenter V13.1 (All versions), Teamcenter V13.2 (All versions < V13.2.0.8), Teamcenter V13.3 (All versions < V13.3.0.3), Teamcenter V14.0 (All versions < V14.0.0.2). The tcserver.exe binary in affected applications is vulnerable to a stack overflow condition during the parsing of user input that may lead the binary to crash. |
|
805 |
CVE-2022-24279 |
1321 |
|
|
2022-04-15 |
2022-04-25 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676) |
|
806 |
CVE-2022-24241 |
610 |
|
|
2022-06-02 |
2022-06-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ACEweb Online Portal 3.5.065 was discovered to contain an External Controlled File Path and Name vulnerability via the txtFilePath parameter in attachments.awp. |
|
807 |
CVE-2022-24226 |
89 |
|
Sql |
2022-02-15 |
2022-02-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Hospital Management System v4.0 was discovered to contain a blind SQL injection vulnerability via the register function in func2.php. |
|
808 |
CVE-2022-24141 |
|
|
|
2022-07-06 |
2022-07-14 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
The iTopVPNmini.exe component of iTop VPN 3.2 will try to connect to datastate_iTopVPN_Pipe_Server on a loop. An attacker that opened a named pipe with the same name can use it to gain the token of another user by listening for connections and abusing ImpersonateNamedPipeClient(). |
|
809 |
CVE-2022-24132 |
|
|
DoS |
2022-03-30 |
2022-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
phpshe V1.8 is affected by a denial of service (DoS) attack in the registry's verification code, which can paralyze the target service. |
|
810 |
CVE-2022-24124 |
89 |
|
Sql |
2022-01-29 |
2022-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations. |
|
811 |
CVE-2022-24121 |
89 |
|
Sql |
2022-02-03 |
2022-02-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
SQL Injection vulnerability discovered in Unified Office Total Connect Now that would allow an attacker to extract sensitive information through a cookie parameter. |
|
812 |
CVE-2022-24111 |
306 |
|
|
2022-02-10 |
2022-02-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known. |
|
813 |
CVE-2022-24073 |
|
|
|
2022-03-17 |
2022-03-23 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store. |
|
814 |
CVE-2022-24070 |
416 |
|
Mem. Corr. |
2022-04-12 |
2022-07-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected. |
|
815 |
CVE-2022-24044 |
307 |
|
|
2022-05-20 |
2022-06-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The login functionality of the application does not employ any countermeasures against Password Spraying attacks or Credential Stuffing attacks. An attacker could obtain a list of valid usernames on the device by exploiting the issue and then perform a precise Password Spraying or Credential Stuffing attack in order to obtain access to at least one account. |
|
816 |
CVE-2022-24043 |
203 |
|
|
2022-05-20 |
2022-06-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The login functionality of the application fails to normalize the response times of login attempts performed with wrong usernames with the ones executed with correct usernames. A remote unauthenticated attacker could exploit this side-channel information to perform a username enumeration attack and identify valid usernames. |
|
817 |
CVE-2022-24032 |
668 |
|
|
2022-01-30 |
2022-02-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Adenza AxiomSL ControllerView through 10.8.1 is vulnerable to user enumeration. An attacker can identify valid usernames on the platform because a failed login attempt produces a different error message when the username is valid. |
|
818 |
CVE-2022-24003 |
|
|
|
2022-02-11 |
2022-02-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Exposure of Sensitive Information vulnerability in Bixby Vision prior to version 3.7.50.6 allows attackers to access internal data of Bixby Vision via unprotected intent. |
|
819 |
CVE-2022-24002 |
863 |
|
|
2022-02-11 |
2022-02-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Improper Authorization vulnerability in Link Sharing prior to version 12.4.00.3 allows attackers to open protected activity via PreconditionActivity. |
|
820 |
CVE-2022-23989 |
|
|
DoS |
2022-03-15 |
2022-03-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In Stormshield Network Security (SNS) before 3.7.25, 3.8.x through 3.11.x before 3.11.13, 4.x before 4.2.10, and 4.3.x before 4.3.5, a flood of connections to the SSLVPN service might lead to saturation of the loopback interface. This could result in the blocking of almost all network traffic, making the firewall unreachable. An attacker could exploit this via forged and properly timed traffic to cause a denial of service. |
|
821 |
CVE-2022-23986 |
89 |
|
Sql +Info |
2022-02-24 |
2022-03-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
SQL injection vulnerability in the phpUploader v1.2 and earlier allows a remote unauthenticated attacker to obtain the information in the database via unspecified vectors. |
|
822 |
CVE-2022-23984 |
200 |
|
+Info |
2022-02-21 |
2022-03-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Sensitive information disclosure discovered in wpDiscuz WordPress plugin (versions <= 7.3.11). |
|
823 |
CVE-2022-23982 |
200 |
|
+Info |
2022-02-18 |
2022-02-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The vulnerability discovered in WordPress Perfect Brands for WooCommerce plugin (versions <= 2.0.4) allows server information exposure. |
|
824 |
CVE-2022-23976 |
352 |
|
CSRF |
2022-04-18 |
2022-04-27 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to reset all data (posts / pages / media). |
|
825 |
CVE-2022-23974 |
674 |
|
|
2022-04-05 |
2022-04-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0 |
|
826 |
CVE-2022-23973 |
787 |
|
Exec Code Overflow |
2022-04-07 |
2022-04-14 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
ASUS RT-AX56U’s user profile configuration function is vulnerable to stack-based buffer overflow due to insufficient validation for parameter length. An unauthenticated LAN attacker can execute arbitrary code to perform arbitrary operations or disrupt service. |
|
827 |
CVE-2022-23972 |
89 |
|
Sql |
2022-04-07 |
2022-04-14 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
ASUS RT-AX56U’s SQL handling function has an SQL injection vulnerability due to insufficient user input validation. An unauthenticated LAN attacker to inject arbitrary SQL code to read, modify and delete database. |
|
828 |
CVE-2022-23945 |
306 |
|
|
2022-01-25 |
2022-02-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. |
|
829 |
CVE-2022-23942 |
798 |
|
|
2022-04-26 |
2022-05-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure. |
|
830 |
CVE-2022-23937 |
125 |
|
|
2022-03-29 |
2022-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In Wind River VxWorks 6.9 and 7, a specific crafted packet may lead to an out-of-bounds read during an IKE initial exchange scenario. |
|
831 |
CVE-2022-23913 |
400 |
|
|
2022-02-04 |
2022-05-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. |
|
832 |
CVE-2022-23889 |
674 |
|
|
2022-01-28 |
2022-02-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The comment function in YzmCMS v6.3 was discovered as being able to be operated concurrently, allowing attackers to create an unusually large number of comments. |
|
833 |
CVE-2022-23856 |
668 |
|
|
2022-01-24 |
2022-01-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x. An attacker can enumerate users by changing the id parameter, such as for the ECM/maintenance/forgotpasswordstep1 URI. |
|
834 |
CVE-2022-23837 |
770 |
|
|
2022-01-21 |
2022-04-25 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users. |
|
835 |
CVE-2022-23833 |
835 |
|
|
2022-02-03 |
2022-02-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files. |
|
836 |
CVE-2022-23802 |
276 |
|
+Info |
2022-05-06 |
2022-05-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Joomla Guru extension 5.2.5 is affected by: Insecure Permissions. The impact is: obtain sensitive information (remote). The component is: Access to private information and components, possibility to view other users' information. Information disclosure Access to private information and components, possibility to view other users' information. |
|
837 |
CVE-2022-23798 |
601 |
|
|
2022-03-30 |
2022-04-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not. |
|
838 |
CVE-2022-23794 |
209 |
|
|
2022-03-30 |
2022-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application. |
|
839 |
CVE-2022-23793 |
22 |
|
Dir. Trav. |
2022-03-30 |
2022-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting an specifilcy crafted tar package could write files outside of the intended path. |
|
840 |
CVE-2022-23779 |
200 |
|
+Info |
2022-03-02 |
2022-03-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses. |
|
841 |
CVE-2022-23774 |
|
|
|
2022-02-01 |
2022-02-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Docker Desktop before 4.4.4 on Windows allows attackers to move arbitrary files. |
|
842 |
CVE-2022-23773 |
863 |
|
|
2022-02-11 |
2022-08-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. |
|
843 |
CVE-2022-23724 |
287 |
|
Bypass |
2022-05-04 |
2022-05-16 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials. |
|
844 |
CVE-2022-23712 |
|
|
DoS |
2022-06-06 |
2022-07-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request. |
|
845 |
CVE-2022-23711 |
|
|
|
2022-04-21 |
2022-05-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information. The Elastic Stack monitoring exposure only impacts users that have set any of the optional monitoring.ui.elasticsearch.* settings in order to configure Kibana as a remote UI for Elastic Stack Monitoring. The same vulnerability in Kibana could expose other non-sensitive application-internal information in the page source. |
|
846 |
CVE-2022-23705 |
863 |
|
|
2022-05-09 |
2022-05-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A security vulnerability has been identified in HPE Nimble Storage Hybrid Flash Arrays, HPE Nimble Storage All Flash Arrays, and HPE Nimble Storage Secondary Flash Arrays which could potentially allow the upload, but not execution, of unauthorized update binaries to the array. HPE has made the following software updates to resolve the vulnerability in HPE Nimble Storage: 5.0.10.100 or later, 5.2.1.0 or later, 6.0.0.100 or later. |
|
847 |
CVE-2022-23704 |
|
|
DoS |
2022-05-09 |
2022-05-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A potential security vulnerability has been identified in Integrated Lights-Out 4 (iLO 4). The vulnerability could allow remote Denial of Service. The vulnerability is resolved in Integrated Lights-Out 4 (iLO 4) 2.80 and later. |
|
848 |
CVE-2022-23703 |
|
|
|
2022-04-12 |
2022-04-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A security vulnerability has been identified in HPE Nimble Storage Hybrid Flash Arrays, HPE Nimble Storage All Flash Arrays and HPE Nimble Storage Secondary Flash Arrays during update. This would potentially allow an attacker to intercept and modify network communication for software updates initiated by the Nimble appliance. The following NimbleOS versions, and all subsequent releases, contain a software fix for this vulnerability: 5.0.10.100, 5.2.1.500, 6.0.0.100 |
|
849 |
CVE-2022-23701 |
74 |
|
|
2022-02-24 |
2022-03-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A potential remote host header injection security vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) firmware version(s): Prior to 2.60. This vulnerability could be remotely exploited to allow an attacker to supply invalid input to the iLO 4 webserver, causing it to respond with a redirect to an attacker-controlled domain. HPE has provided a firmware update to resolve this vulnerability in HPE Integrated Lights-Out 4 (iLO 4). |
|
850 |
CVE-2022-23698 |
|
|
|
2022-04-04 |
2022-04-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A remote unauthenticated disclosure of information vulnerability was discovered in HPE OneView version(s): Prior to 6.6. HPE has provided a software update to resolve this vulnerability in HPE OneView. |
