The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2020-28461 | This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | -- | Jul 25, 2022 |
| CVE-2020-28459 | This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link. | -- | Jul 25, 2022 |
| CVE-2020-28455 | This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped. | -- | Jul 25, 2022 |
| CVE-2020-28447 | This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath) | -- | Jul 25, 2022 |
| CVE-2020-28446 | The package ntesseract before 0.2.9 are vulnerable to Command Injection via lib/tesseract.js. | -- | Jul 28, 2022 |
| CVE-2020-28445 | This affects all versions of package npm-help. The injection point is located in line 13 in index.js file in export.latestVersion() function. | -- | Jul 25, 2022 |
| CVE-2020-28443 | This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js. | -- | Jul 25, 2022 |
| CVE-2020-28441 | This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context. | -- | Jul 25, 2022 |
| CVE-2020-28438 | This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js | -- | Jul 25, 2022 |
| CVE-2020-28436 | This affects all versions of package google-cloudstorage-commands. | -- | Jul 25, 2022 |
| CVE-2020-28435 | This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js. | -- | Jul 25, 2022 |
| CVE-2020-28422 | All versions of package git-archive are vulnerable to Command Injection via the exports function. | -- | Jul 25, 2022 |
| CVE-2020-7678 | This affects all versions of package node-import. The params argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located in line 79 in the index file index.js. | -- | Jul 25, 2022 |
| CVE-2020-7677 | This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization. | -- | Jul 25, 2022 |
| CVE-2020-7649 | This affects the package snyk-broker before 4.73.0. It allows arbitrary file reads for users with access to Snyk\'s internal network via directory traversal. | -- | Jul 25, 2022 |
| CVE-2020-6998 | The connection establishment algorithm found in Rockwell Automation CompactLogix 5370 and ControlLogix 5570 versions 33 and prior does not sufficiently manage its control flow during execution, creating an infinite loop. This may allow an attacker to send specially crafted CIP packet requests to a controller, which may cause denial-of-service conditions in communications with other products. | -- | Jul 28, 2022 |
| CVE-2017-20145 | A vulnerability was found in Tecrail Responsive Filemanger up to 9.10.x and classified as critical. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 9.11.0 is able to address this issue. It is recommended to upgrade the affected component. | -- | Jul 25, 2022 |
| CVE-2016-4991 | Input passed to the Pdf() function is shell escaped and passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely, semicolon and curly braces. This can be abused to achieve command execution. This problem affects nodepdf 1.3.0. | -- | Jul 28, 2022 |
| CVE-2016-4427 | In zulip before 1.3.12, deactivated users could access messages if SSO was enabled. | -- | Jul 28, 2022 |
| CVE-2016-4426 | In zulip before 1.3.12, bot API keys were accessible to other users in the same realm. | -- | Jul 28, 2022 |
| CVE-2016-2139 | In kippo-graph before version 1.5.1, there is a cross-site scripting vulnerability in $file_link in class/KippoInput.class.php. | -- | Jul 28, 2022 |
| CVE-2016-2138 | In kippo-graph before version 1.5.1, there is a cross-site scripting vulnerability in xss_clean() in class/KippoInput.class.php. | -- | Jul 28, 2022 |
| CVE-2016-0796 | WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files is prone to multiple vulnerabilities, including open proxy and security bypass vulnerabilities because it fails to properly verify user-supplied input. An attacker may leverage these issues to hide attacks directed at a target site from behind vulnerable website or to perform otherwise restricted actions and subsequently download files with the extension mp3, mp4a, wav and ogg from anywhere the web server application has read access to the system. WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files version 1.7.6 is vulnerable; prior versions may also be affected. | -- | Jul 28, 2022 |
| CVE-2022-36415 | A DLL hijacking vulnerability exists in the uninstaller in Scooter Beyond Compare 1.8a through 4.4.2 before 4.4.3 when installed via the EXE installer. The uninstaller attempts to load DLLs out of a Windows Temp folder. If a standard user places malicious DLLs in the C:\\Windows\\Temp\\ folder, and then the uninstaller is run as SYSTEM, the DLLs will execute with elevated privileges. | -- | Jul 23, 2022 |
| CVE-2022-36414 | There is an elevation of privilege breakout vulnerability in the Windows EXE installer in Scooter Beyond Compare 4.2.0 through 4.4.2 before 4.4.3. Affected versions allow a logged-in user to run applications with elevated privileges via the Clipboard Compare tray app after installation. | -- | Jul 23, 2022 |
| CVE-2022-36408 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-31181. Reason: This candidate is a duplicate of CVE-2022-31181. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2022-31181 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | -- | Jul 23, 2022 |
| CVE-2022-36322 | In JetBrains TeamCity before 2022.04.2 build parameter injection was possible | -- | Jul 20, 2022 |
| CVE-2022-36321 | In JetBrains TeamCity before 2022.04.2 the private SSH key could be written to the build log in some cases | -- | Jul 20, 2022 |
| CVE-2022-36313 | An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack. | -- | Jul 21, 2022 |
| CVE-2022-36305 | Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php. | -- | Jul 20, 2022 |
| CVE-2022-36304 | Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the generate_response function at /web/api/v1/upload/UploadHandler.php. | -- | Jul 20, 2022 |
| CVE-2022-36303 | Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the handle_file_upload function at /web/api/v1/upload/UploadHandler.php. | -- | Jul 20, 2022 |
| CVE-2022-36131 | The Better PDF Exporter add-on 10.0.0 for Atlassian Jira is prone to stored XSS via a crafted description to the PDF Templates overview page. | -- | Jul 22, 2022 |
| CVE-2022-36127 | A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can\'t establish the connection. | -- | Jul 18, 2022 |
| CVE-2022-35912 | In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader. | -- | Jul 21, 2022 |
| CVE-2022-35899 | There is an unquoted service path in ASUSTeK Aura Ready Game SDK service (GameSDK.exe) 1.0.0.4. This might allow a local user to escalate privileges by creating a %PROGRAMFILES(X86)%\\ASUS\\GameSDK.exe file. | -- | Jul 21, 2022 |
| CVE-2022-35741 | Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server. | -- | Jul 20, 2022 |
| CVE-2022-35569 | Blogifier v3.0 was discovered to contain an arbitrary file upload vulnerability at /api/storage/upload/PostImage. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted file. | -- | Jul 21, 2022 |
| CVE-2022-35405 | Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.) | -- | Jul 19, 2022 |
| CVE-2022-35404 | ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine. | -- | Jul 18, 2022 |
| CVE-2022-34983 | The scu-captcha package in PyPI v0.0.1 to v0.0.4 included a code execution backdoor inserted by a third party. | -- | Jul 22, 2022 |
| CVE-2022-34982 | The eziod package in PyPI before v0.0.1 included a code execution backdoor inserted by a third party. | -- | Jul 22, 2022 |
| CVE-2022-34981 | The PyCrowdTangle package in PyPI before v0.0.1 included a code execution backdoor inserted by a third party. | -- | Jul 22, 2022 |
| CVE-2022-34902 | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Desktop Control Agent service. The service loads Qt plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-15787. | -- | Jul 18, 2022 |
| CVE-2022-34901 | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The service executes files from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-16137. | -- | Jul 18, 2022 |
| CVE-2022-34900 | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.3 (39313) Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Dispatcher service. The service loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-15213. | -- | Jul 18, 2022 |
| CVE-2022-34899 | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Parallels service. By creating a symbolic link, an attacker can abuse the service to execute a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-16134. | -- | Jul 18, 2022 |
| CVE-2022-34892 | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop 17.1.1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the update machanism. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-16396. | -- | Jul 18, 2022 |
| CVE-2022-34891 | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop 17.1.1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the update machanism. The product sets incorrect permissions on sensitive files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-16395. | -- | Jul 18, 2022 |
| CVE-2022-34890 | This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 17.1.1 (51537). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Tools component. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-16653. | -- | Jul 18, 2022 |
