The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2022-24550 | Windows Telephony Server Elevation of Privilege Vulnerability | HIGH | Apr 15, 2022 |
| CVE-2022-24551 | A flaw was found in StarWind Stack. The endpoint for setting a new password doesn’t check the current username and old password. An attacker could reset any local user password (including system/administrator user) using any available user This affects StarWind SAN and NAS v0.2 build 1633. | HIGH | Feb 11, 2022 |
| CVE-2022-24552 | A flaw was found in the REST API in StarWind Stack. REST command, which manipulates a virtual disk, doesn’t check input parameters. Some of them go directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges. This affects StarWind SAN and NAS v0.2 build 1633. | HIGH | Feb 11, 2022 |
| CVE-2022-24553 | An issue was found in Zfaka <= 1.4.5. The verification of the background file upload function check is not strict, resulting in remote command execution. | HIGH | Feb 22, 2022 |
| CVE-2022-24562 | In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim\'s endpoint, which can result in data theft and remote code execution. | HIGH | Jun 16, 2022 |
| CVE-2022-24563 | In Genixcms v1.1.11, a stored Cross-Site Scripting (XSS) vulnerability exists in /gxadmin/index.php?page=themes&view=options via the intro_title and intro_image parameters. | LOW | Mar 3, 2022 |
| CVE-2022-24564 | Checkmk <=2.0.0p19 contains a Cross Site Scripting (XSS) vulnerability. While creating or editing a user attribute, the Help Text is subject to HTML injection, which can be triggered for editing a user. | MEDIUM | Feb 22, 2022 |
| CVE-2022-24565 | Checkmk <=2.0.0p19 Fixed in 2.0.0p20 and Checkmk <=1.6.0p27 Fixed in 1.6.0p28 are affected by a Cross Site Scripting (XSS) vulnerability. The Alias of a site was not properly escaped when shown as condition for notifications. | LOW | Feb 24, 2022 |
| CVE-2022-24566 | In Checkmk <=2.0.0p19 fixed in 2.0.0p20 and Checkmk <=1.6.0p27 fixed in 1.6.0p28, the title of a Predefined condition is not properly escaped when shown as condition, which can result in Cross Site Scripting (XSS). | LOW | Feb 24, 2022 |
| CVE-2022-24568 | Novel-plus v3.6.0 was discovered to be vulnerable to Server-Side Request Forgery (SSRF) via user-supplied crafted input. | HIGH | Feb 10, 2022 |
| CVE-2022-24571 | Car Driving School Management System v1.0 is affected by SQL injection in the login page. An attacker can use simple SQL login injection payload to get admin access. | HIGH | Mar 3, 2022 |
| CVE-2022-24572 | Car Driving School Management System v1.0 is affected by Cross Site Scripting (XSS) in the User Enrollment Form (Username Field). To exploit this Vulnerability, an admin views the registered user details. | MEDIUM | Feb 28, 2022 |
| CVE-2022-24573 | A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field. | MEDIUM | Mar 3, 2022 |
| CVE-2022-24574 | GPAC 1.0.1 is affected by a NULL pointer dereference in gf_dump_vrml_field.isra (). | MEDIUM | Mar 14, 2022 |
| CVE-2022-24575 | GPAC 1.0.1 is affected by a stack-based buffer overflow through MP4Box. | MEDIUM | Mar 14, 2022 |
| CVE-2022-24576 | GPAC 1.0.1 is affected by Use After Free through MP4Box. | MEDIUM | Mar 14, 2022 |
| CVE-2022-24577 | GPAC 1.0.1 is affected by a NULL pointer dereference in gf_utf8_wcslen. (gf_utf8_wcslen is a renamed Unicode utf8_wcslen function.) | MEDIUM | Mar 14, 2022 |
| CVE-2022-24578 | GPAC 1.0.1 is affected by a heap-based buffer overflow in SFS_AddString () at bifs/script_dec.c. | MEDIUM | Mar 14, 2022 |
| CVE-2022-24580 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-24580. Reason: This candidate is a duplicate of CVE-2023-24580. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2023-24580 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Nov 7, 2023 |
| CVE-2022-24581 | ACEweb Online Portal 3.5.065 allows unauthenticated SMB hash capture via UNC. By specifying the UNC file path of an external SMB share when uploading a file, an attacker can induce the victim server to disclose the username and password hash of the user executing the ACEweb Online software. | MEDIUM | Jun 2, 2022 |
| CVE-2022-24582 | Accounting Journal Management 1.0 is vulnerable to XSS-PHPSESSID-Hijacking. The parameter manage_user from User lists is vulnerable to XSS-Stored and PHPSESSID attacks. The malicious user can attack the system by using the already session which he has from inside and outside of the network. | LOW | Feb 24, 2022 |
| CVE-2022-24584 | Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server. The Yubico OTP supposedly creates hardware bound second factor credentials. When a user reprograms the OTP functionality by writing it on a token using the Yubico Personalization Tool, they can then upload the new configuration to Yubicos OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a secret value, which is imported into the device, should also be stored elsewhere | MEDIUM | May 11, 2022 |
| CVE-2022-24585 | A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter. | LOW | Feb 15, 2022 |
| CVE-2022-24586 | A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters. | LOW | Feb 15, 2022 |
| CVE-2022-24587 | A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML. | LOW | Feb 15, 2022 |
| CVE-2022-24588 | Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function. | LOW | Feb 15, 2022 |
| CVE-2022-24589 | Burden v3.0 was discovered to contain a stored cross-site scripting (XSS) in the Add Category function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the task parameter. | MEDIUM | Feb 15, 2022 |
| CVE-2022-24590 | A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML. | LOW | Feb 15, 2022 |
| CVE-2022-24594 | In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address. | MEDIUM | Feb 25, 2022 |
| CVE-2022-24595 | Automotive Grade Linux Kooky Koi 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, and 11.0.5 is affected by Incorrect Access Control in usr/bin/afb-daemon. To exploit the vulnerability, an attacker should send a well-crafted HTTP (or WebSocket) request to the socket listened by the afb-daemon process. No credentials nor user interactions are required. | HIGH | Mar 18, 2022 |
| CVE-2022-24599 | In autofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. The printfileinfo function calls the copyrightstring function to get data, however, it dosn\'t use zero bytes to truncate the data. | MEDIUM | Feb 24, 2022 |
| CVE-2022-24600 | Luocms v2.0 is affected by SQL Injection through /admin/login.php. An attacker can log in to the background through SQL injection statements. | HIGH | Mar 10, 2022 |
| CVE-2022-24601 | Luocms v2.0 is affected by SQL Injection in /admin/manager/admin_mod.php. An attacker can obtain sensitive information through SQL injection statements. | MEDIUM | Mar 10, 2022 |
| CVE-2022-24602 | Luocms v2.0 is affected by SQL Injection in /admin/news/news_mod.php. | HIGH | Mar 10, 2022 |
| CVE-2022-24603 | Luocms v2.0 is affected by SQL Injection in /admin/news/sort_mod.php. | HIGH | Mar 10, 2022 |
| CVE-2022-24604 | Luocms v2.0 is affected by SQL Injection in /admin/link/link_mod.php. | HIGH | Mar 10, 2022 |
| CVE-2022-24605 | Luocms v2.0 is affected by SQL Injection in /admin/link/link_ok.php. | HIGH | Mar 10, 2022 |
| CVE-2022-24606 | Luocms v2.0 is affected by SQL Injection in /admin/news/sort_ok.php. | HIGH | Mar 10, 2022 |
| CVE-2022-24607 | Luocms v2.0 is affected by SQL Injection in /admin/news/news_ok.php. | HIGH | Mar 10, 2022 |
| CVE-2022-24608 | Luocms v2.0 is affected by Cross Site Scripting (XSS) in /admin/news/sort_add.php and /inc/function.php. | MEDIUM | Mar 10, 2022 |
| CVE-2022-24609 | Luocms v2.0 is affected by an incorrect access control vulnerability. Through /admin/templates/template_manage.php, an attacker can write an arbitrary shell file. | HIGH | Mar 10, 2022 |
| CVE-2022-24610 | Settings/network settings/wireless settings on the Alecto DVC-215IP camera version 63.1.1.173 and below shows the Wi-Fi passphrase hidden, but by editing/removing the style of the password field the password becomes visible which grants access to an internal network connected to the camera. | MEDIUM | Feb 24, 2022 |
| CVE-2022-24611 | Denial of Service (DoS) in the Z-Wave S0 NonceGet protocol specification in Silicon Labs Z-Wave 500 series allows local attackers to block S0/S2 protected Z-Wave network via crafted S0 NonceGet Z-Wave packages, utilizing included but absent NodeIDs. | MEDIUM | May 18, 2022 |
| CVE-2022-24612 | An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS. | LOW | Feb 25, 2022 |
| CVE-2022-24613 | metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library. | MEDIUM | Feb 24, 2022 |
| CVE-2022-24614 | When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library. | MEDIUM | Feb 24, 2022 |
| CVE-2022-24615 | zip4j up to v2.10.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. This could be used to mount a denial of service attack against services that use zip4j library. | MEDIUM | Feb 24, 2022 |
| CVE-2022-24618 | Heimdal.Wizard.exe installer in Heimdal Premium Security 2.5.395 and earlier has insecure permissions, which allows unprivileged local users to elevate privileges to SYSTEM via the Browse For Folder window accessible by triggering a Repair on the MSI package located in C:\\Windows\\Installer. | HIGH | Mar 10, 2022 |
| CVE-2022-24620 | Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster\'s cookies to get the webmaster\'s access. | LOW | Feb 24, 2022 |
| CVE-2022-24627 | An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form. | -- | May 30, 2023 |
