| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-28223 | 434 | | | 2022-03-30 | 2022-04-05 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin. |
| 2 | CVE-2022-28209 | | | | 2022-03-30 | 2022-04-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in MediaWiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect. |
| 3 | CVE-2022-28206 | | | | 2022-03-30 | 2022-04-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights. |
| 4 | CVE-2022-28205 | | | | 2022-03-30 | 2022-04-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future. |
| 5 | CVE-2022-28202 | 79 | | XSS | 2022-03-30 | 2022-10-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete. |
| 6 | CVE-2022-28160 | 668 | | | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Jenkins Tests Selector Plugin 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller. |
| 7 | CVE-2022-28159 | 79 | | XSS | 2022-03-29 | 2022-04-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Jenkins Tests Selector Plugin 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| 8 | CVE-2022-28158 | 862 | | | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | Partial | None | None | A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| 9 | CVE-2022-28157 | 22 | | Dir. Trav. | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server. |
| 10 | CVE-2022-28156 | 22 | | Dir. Trav. | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files and directories from the Jenkins controller to the agent workspace. |
| 11 | CVE-2022-28155 | 611 | | | 2022-03-29 | 2022-04-04 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 12 | CVE-2022-28154 | 611 | | | 2022-03-29 | 2022-04-04 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 13 | CVE-2022-28153 | 79 | | XSS | 2022-03-29 | 2022-04-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Jenkins SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| 14 | CVE-2022-28152 | 352 | | CSRF | 2022-03-29 | 2022-04-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore the default ownership of a job. |
| 15 | CVE-2022-28151 | 862 | | | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | None | Partial | None | A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job. |
| 16 | CVE-2022-28150 | 352 | | CSRF | 2022-03-29 | 2022-04-05 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to change the owners and item-specific permissions of a job. |
| 17 | CVE-2022-28149 | 79 | | XSS | 2022-03-29 | 2022-04-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Jenkins Job and Node ownership Plugin 0.13.0 and earlier does not escape the names of the secondary owners, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| 18 | CVE-2022-28148 | 22 | | Dir. Trav. | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | Partial | None | None | The file browser in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Item/Read permission to obtain the contents of arbitrary files on Windows controllers. |
| 19 | CVE-2022-28147 | 862 | | | 2022-03-29 | 2022-10-17 | 4.0 | None | Remote | Low | ??? | Partial | None | None | A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. |
| 20 | CVE-2022-28146 | 22 | | Dir. Trav. | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build steps. |
| 21 | CVE-2022-28145 | 79 | | XSS | 2022-03-29 | 2022-04-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier does not apply Content-Security-Policy headers to report files it serves, resulting in a stored cross-site scripting (XSS) exploitable by attackers with Item/Configure permission or otherwise able to control report contents. |
| 22 | CVE-2022-28144 | 862 | | | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters. |
| 23 | CVE-2022-28143 | 352 | | CSRF | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | None | Partial | None | A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters. |
| 24 | CVE-2022-28142 | 295 | | | 2022-03-29 | 2022-04-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues. |
| 25 | CVE-2022-28141 | 522 | | | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
| 26 | CVE-2022-28140 | 611 | | | 2022-03-29 | 2022-04-04 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 27 | CVE-2022-28139 | 862 | | | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | None | Partial | None | A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
| 28 | CVE-2022-28138 | 352 | | CSRF | 2022-03-29 | 2022-04-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| 29 | CVE-2022-28137 | 862 | | | 2022-03-29 | 2022-10-17 | 4.0 | None | Remote | Low | ??? | None | Partial | None | A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
| 30 | CVE-2022-28136 | 352 | | CSRF | 2022-03-29 | 2022-04-04 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| 31 | CVE-2022-28135 | | | | 2022-03-29 | 2022-04-04 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. |
| 32 | CVE-2022-28134 | 862 | | | 2022-03-29 | 2022-04-04 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers. |
| 33 | CVE-2022-28133 | 79 | | XSS | 2022-03-29 | 2022-04-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers. |
| 34 | CVE-2022-28128 | 426 | | Exec Code +Priv | 2022-03-31 | 2022-04-07 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | Untrusted search path vulnerability in AttacheCase ver.3.6.1.0 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory. |
| 35 | CVE-2022-27966 | 428 | | Exec Code | 2022-03-31 | 2022-04-08 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Xshell v7.0.0099 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. |
| 36 | CVE-2022-27965 | 428 | | Exec Code | 2022-03-31 | 2022-04-08 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Xlpd v7.0.0094 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. |
| 37 | CVE-2022-27964 | 428 | | Exec Code | 2022-03-31 | 2022-04-08 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Xmanager v7.0.0096 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. |
| 38 | CVE-2022-27963 | 428 | | Exec Code | 2022-03-31 | 2022-04-08 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Xftp 7.0.0088p and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. |
| 39 | CVE-2022-27950 | 401 | | | 2022-03-28 | 2022-04-05 | 2.1 | None | Local | Low | Not required | None | None | Partial | In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition. |
| 40 | CVE-2022-27948 | | | | 2022-03-27 | 2022-04-06 | 3.3 | None | Local Network | Low | Not required | None | Partial | None | ** DISPUTED ** Certain Tesla vehicles through 2022-03-26 allow attackers to open the charging port via a 315 MHz RF signal containing a fixed sequence of approximately one hundred symbols. NOTE: the vendor's perspective is that the behavior is as intended. |
| 41 | CVE-2022-27947 | 78 | | Exec Code | 2022-03-26 | 2022-03-31 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameter. |
| 42 | CVE-2022-27946 | 78 | | Exec Code | 2022-03-26 | 2022-03-31 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to admin_account.cgi. |
| 43 | CVE-2022-27945 | 78 | | Exec Code | 2022-03-26 | 2022-03-31 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to password.cgi. |
| 44 | CVE-2022-27943 | 400 | | | 2022-03-26 | 2022-12-22 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. |
| 45 | CVE-2022-27942 | 787 | | | 2022-03-26 | 2022-10-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c. |
| 46 | CVE-2022-27941 | 787 | | | 2022-03-26 | 2022-10-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_l2len_protocol in common/get.c. |
| 47 | CVE-2022-27940 | 787 | | | 2022-03-26 | 2022-10-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_ipv6_next in common/get.c. |
| 48 | CVE-2022-27939 | 617 | | | 2022-03-26 | 2022-10-28 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in get_layer4_v6 in common/get.c. |
| 49 | CVE-2022-27938 | 617 | | | 2022-03-26 | 2022-03-31 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | stb_image.h (aka the stb image loader) 2.19, as used in libsixel and other products, has a reachable assertion in stbi__create_png_image_raw. |
| 50 | CVE-2022-27920 | 79 | | XSS | 2022-03-25 | 2022-04-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | libkiwix 10.0.0 and 10.0.1 allows XSS in the built-in webserver functionality via the search suggestions URL parameter. This is fixed in 10.1.0. |