Wind River Support Network: CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

220456 entries in the database. Each row lists: ID, Description, Priority, Modified date.
CVE-2022-30181 Azure Site Recovery Elevation of Privilege Vulnerability MEDIUM Jul 13, 2022
CVE-2022-29619 Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.x - versions 420,430 allows user Administrator to view, edit or modify rights of objects it doesn't own and which would otherwise be restricted. MEDIUM Jul 16, 2022
CVE-2022-29512 Exposure of sensitive information to an unauthorized actor issue in multiple applications of Cybozu Garoon 4.0.0 to 5.9.1 allows a remote authenticated attacker to obtain the data without the viewing privilege. MEDIUM Jul 15, 2022
CVE-2022-29286 Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling. MEDIUM Jul 17, 2022
CVE-2022-29187 Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks. MEDIUM Jul 14, 2022
CVE-2022-28771 Due to missing authentication check, SAP Business one License service API - version 10.0 allows an unauthenticated attacker to send malicious http requests over the network. On successful exploitation, an attacker can break the whole application making it inaccessible. MEDIUM Jul 13, 2022
CVE-2022-27937 Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264. MEDIUM Jul 17, 2022
CVE-2022-27936 Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323. MEDIUM Jul 17, 2022
CVE-2022-27935 Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth. MEDIUM Jul 17, 2022
CVE-2022-27934 Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP. MEDIUM Jul 17, 2022
CVE-2022-27933 Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join. MEDIUM Jul 17, 2022
CVE-2022-27932 Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join. MEDIUM Jul 17, 2022
CVE-2022-27931 Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol. MEDIUM Jul 17, 2022
CVE-2022-27930 Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed. MEDIUM Jul 17, 2022
CVE-2022-27929 Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP. MEDIUM Jul 17, 2022
CVE-2022-27928 Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol. MEDIUM Jul 17, 2022
CVE-2022-27168 Cross-site scripting vulnerability in LiteCart versions prior to 2.4.2 allows a remote attacker to inject an arbitrary script via unspecified vectors. MEDIUM Jul 15, 2022
CVE-2022-26657 Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join. MEDIUM Jul 17, 2022
CVE-2022-26656 Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join. MEDIUM Jul 17, 2022
CVE-2022-26655 Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams. MEDIUM Jul 17, 2022
CVE-2022-26654 Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP. MEDIUM Jul 17, 2022
CVE-2022-26352 An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution. MEDIUM Jul 17, 2022
CVE-2022-25875 The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function. MEDIUM Jul 13, 2022
CVE-2022-25357 Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN. MEDIUM Jul 17, 2022
CVE-2022-25303 The package whoogle-search before 0.7.2 is vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error_message that is then rendered in the error.html template, using the [flask.render_template](https://flask.palletsprojects.com/en/2.1.x/api/flask.render_template) function. However, the error_message is rendered using the [| safe filter](https://jinja.palletsprojects.com/en/3.1.x/templates/working-with-automatic-escaping), meaning the user input is not escaped. MEDIUM Jul 12, 2022
CVE-2022-24800 October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose the `October\Rain\Database\Attach\File::fromData` as a public interface and does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally. The issue has been patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. Those who are unable to upgrade may apply the patch to their installation manually as a workaround. MEDIUM Jul 13, 2022
CVE-2022-22998 Implemented protections on AWS credentials that were not properly protected. MEDIUM Jul 13, 2022
CVE-2022-22711 Windows BitLocker Information Disclosure Vulnerability MEDIUM Jul 13, 2022
CVE-2022-22048 BitLocker Security Feature Bypass Vulnerability MEDIUM Jul 13, 2022
CVE-2022-22045 Windows.Devices.Picker.dll Elevation of Privilege Vulnerability MEDIUM Jul 16, 2022
CVE-2022-22042 Windows Hyper-V Information Disclosure Vulnerability MEDIUM Jul 16, 2022
CVE-2022-22039 Windows Network File System Remote Code Execution Vulnerability MEDIUM Jul 16, 2022
CVE-2022-22038 Remote Procedure Call Runtime Remote Code Execution Vulnerability MEDIUM Jul 16, 2022
CVE-2022-22036 Performance Counters for Windows Elevation of Privilege Vulnerability MEDIUM Jul 16, 2022
CVE-2022-22029 Windows Network File System Remote Code Execution Vulnerability MEDIUM Jul 16, 2022
CVE-2022-22028 Windows Network File System Information Disclosure Vulnerability MEDIUM Jul 16, 2022
CVE-2022-22027 Windows Fax Service Remote Code Execution Vulnerability MEDIUM Jul 16, 2022
CVE-2022-22025 Windows Internet Information Services Cachuri Module Denial of Service Vulnerability MEDIUM Jul 16, 2022
CVE-2022-22024 Windows Fax Service Remote Code Execution Vulnerability MEDIUM Jul 16, 2022
CVE-2022-22023 Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability MEDIUM Jul 16, 2022
CVE-2022-21845 Windows Kernel Information Disclosure Vulnerability MEDIUM Jul 16, 2022
CVE-2022-20234 In Car Settings app, the NotificationAccessConfirmationActivity is exported. In NotificationAccessConfirmationActivity, it gets both 'mComponentName' and 'pkgTitle' from user. An unprivileged app can use a malicious mComponentName with a benign pkgTitle (e.g. Settings app) to make users enable notification access permission for the malicious app. That is, users believe they enable the notification access permission for the Settings app, but actually they enable the notification access permission for the malicious app. Once the malicious app gets the notification access permission, it can read all notifications, including users' personal information. Product: Android. Versions: Android-12L. Android ID: A-225189301 MEDIUM Jul 14, 2022
CVE-2022-20228 In various functions of C2DmaBufAllocator.cpp, there is a possible memory corruption due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-12, Android-12L. Android ID: A-213850092 MEDIUM Jul 14, 2022
CVE-2022-20224 In AT_SKIP_REST of bta_hf_client_at.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure in the Bluetooth stack with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-220732646 MEDIUM Jul 14, 2022
CVE-2022-20218 In PermissionController, there is a possible way to get and retain permissions without user's consent due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-12, Android-12L. Android ID: A-223907044 MEDIUM Jul 14, 2022
CVE-2022-20212 In wifi.RequestToggleWifiActivity of AndroidManifest.xml, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11. Android ID: A-182282630 MEDIUM Jul 14, 2022
CVE-2022-2408 The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels. MEDIUM Jul 15, 2022
CVE-2022-2406 The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API. MEDIUM Jul 15, 2022
CVE-2022-2385 A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges. MEDIUM Jul 13, 2022
CVE-2022-2366 Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers. MEDIUM Jul 12, 2022
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.