The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-37840 | In TOTOLINK A860R V4.1.2cu.5182_B20201027, the main function in downloadfile.cgi has a buffer overflow vulnerability. | -- | Sep 8, 2022 | n/a |
| CVE-2022-37839 | TOTOLINK A860R V4.1.2cu.5182_B20201027 is vulnerable to Buffer Overflow via Cstecgi.cgi. | -- | Sep 8, 2022 | n/a |
| CVE-2022-37835 | Torguard VPN 4.8, has a vulnerability that allows an attacker to dump sensitive information, such as credentials and information about the server, without admin privileges. | -- | Sep 12, 2022 | n/a |
| CVE-2022-37797 | In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition. | -- | Sep 12, 2022 | n/a |
| CVE-2022-37796 | In Simple Online Book Store System 1.0 in /admin_book.php the Title, Author, and Description parameters are vulnerable to Cross Site Scripting(XSS). | -- | Sep 12, 2022 | n/a |
| CVE-2022-37794 | In Library Management System 1.0 the /card/in-card.php file id_no parameters are vulnerable to SQL injection. | -- | Sep 12, 2022 | n/a |
| CVE-2022-37780 | Phicomm FIR151B A2, FIR302E A2, FIR300B A2, FIR303B A2 routers V3.0.1.17 were discovered to contain a remote command execution (RCE) vulnerability via the pingAddr parameter of the tracert function. | -- | Sep 12, 2022 | n/a |
| CVE-2022-37779 | Phicomm FIR151B A2, FIR302E A2, FIR300B A2, FIR303B A2 routers V3.0.1.17 were discovered to contain a remote command execution (RCE) vulnerability via the sendnum parameter of the ping function. | -- | Sep 12, 2022 | n/a |
| CVE-2022-37778 | Phicomm FIR151B A2, FIR302E A2, FIR300B A2, FIR303B A2 routers V3.0.1.17 were discovered to contain a remote command execution (RCE) vulnerability via the current_time parameter of the time function. | -- | Sep 12, 2022 | n/a |
| CVE-2022-37777 | Phicomm FIR151B A2, FIR302E A2, FIR300B A2, FIR303B A2 routers 3.0.1.17 and earlier were discovered to contain a remote command execution (RCE) vulnerability via the trHops parameter of the tracert function. | -- | Sep 12, 2022 | n/a |
| CVE-2022-37771 | IObit Malware Fighter v9.2 for Microsoft Windows lacks tamper protection, allowing authenticated attackers with Administrator privileges to modify processes within the application and escalate privileges to SYSTEM via a crafted executable. | -- | Sep 9, 2022 | n/a |
| CVE-2022-37767 | Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok. NOTE: the vendor disputes this because input to the Pebble templating engine is intended to include arbitrary Java code, and thus either the input should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the input. The engine is not responsible for validating the input. | -- | Sep 12, 2022 | n/a |
| CVE-2022-37734 | graphql-java before19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4, and 0.0.0-2022-07-26T05-45-04-226aabd9. | -- | Sep 12, 2022 | n/a |
| CVE-2022-37731 | ftcms 2.1 poster.PHP has a XSS vulnerability. The attacker inserts malicious JavaScript code into the web page, causing the user / administrator to trigger malicious code when accessing. | -- | Sep 7, 2022 | n/a |
| CVE-2022-37730 | In ftcms 2.1, there is a Cross Site Request Forgery (CSRF) vulnerability in the PHP page, which causes the attacker to forge a link to trick him to click on a malicious link or visit a page containing attack code, and send a request to the server (corresponding to the identity authentication information) as the victim without the victim\'s knowledge. | -- | Sep 7, 2022 | n/a |
| CVE-2022-37412 | Authenticated (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in Galerio & Urda\'s Better Delete Revision plugin <= 1.6.1 at WordPress. | -- | Sep 10, 2022 | n/a |
| CVE-2022-37411 | Cross-Site Request Forgery (CSRF) vulnerability in Vinoj Cardoza\'s Captcha Code plugin <= 2.7 at WordPress. | -- | Sep 9, 2022 | n/a |
| CVE-2022-37407 | Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in WPChill Gallery PhotoBlocks plugin <= 1.2.6 at WordPress. | -- | Sep 10, 2022 | n/a |
| CVE-2022-37405 | Cross-Site Request Forgery (CSRF) vulnerability in Mickey Kay\'s Better Font Awesome plugin <= 2.0.1 at WordPress. | -- | Sep 10, 2022 | n/a |
| CVE-2022-37404 | Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Christian Salazar\'s add2fav plugin <= 1.0 at WordPress. | -- | Sep 10, 2022 | n/a |
| CVE-2022-37403 | Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Nikhil Vaghela\'s Add User Role plugin <= 0.0.1 at WordPress. | -- | Sep 10, 2022 | n/a |
| CVE-2022-37344 | Missing Access Control vulnerability in PHP Crafts Accommodation System plugin <= 1.0.1 at WordPress. | -- | Sep 9, 2022 | n/a |
| CVE-2022-37335 | Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerability in WHA\'s Word Search Puzzles game plugin <= 2.0.1 at WordPress. | -- | Sep 10, 2022 | n/a |
| CVE-2022-37300 | A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior). | -- | Sep 12, 2022 | n/a |
| CVE-2022-37299 | An issue was discovered in Shirne CMS 1.2.0. There is a Path Traversal vulnerability which could cause arbitrary file read via /static/ueditor/php/controller.php | -- | Sep 10, 2022 | n/a |
| CVE-2022-37253 | Persistent cross-site scripting (XSS) in Crime Reporting System 1.0 allows a remote attacker to introduce arbitary Javascript via manipulation of an unsanitized POST parameter | -- | Sep 9, 2022 | n/a |
| CVE-2022-37189 | DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe \'xml.etree\' library to parse untrusted XML input. | -- | Sep 10, 2022 | n/a |
| CVE-2022-37185 | SQL injection vulnerability exists in the school information query interface (repschoolproj.php) of the EMS 6.2 system of the Office of the Thai Basic Education Commission, which can lead to data leakage. | -- | Sep 9, 2022 | n/a |
| CVE-2022-37164 | Inoda OnTrack v3.4 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes. | -- | Sep 8, 2022 | n/a |
| CVE-2022-37163 | Bminusl IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes. | -- | Sep 8, 2022 | n/a |
| CVE-2022-37146 | The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider take significantly longer than those for invalid users, allowing for valid users to be enumerated by an unauthenticated remote attacker. Note that the lockout policy implemented in Plextrac version 1.17.0 makes it impossible to distinguish between valid, locked user accounts and user accounts that do not exist, but does not prevent valid, unlocked users from being enumerated. | -- | Sep 8, 2022 | n/a |
| CVE-2022-37145 | The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider. | -- | Sep 8, 2022 | n/a |
| CVE-2022-37144 | The PlexTrac platform prior to API version 1.17.0 does not restrict excessive MFA TOTP submission attempts. An unauthenticated remote attacker in possession of a valid username and password can bruteforce their way past MFA protections to login as the targeted user. | -- | Sep 8, 2022 | n/a |
| CVE-2022-37108 | An injection vulnerability in the syslog-ng configuration wizard in Securonix Snypr 6.4 allows an application user with the Manage Ingesters permission to execute arbitrary code on remote ingesters by appending arbitrary text to text files that are executed by the system, such as users\' crontab files. The patch for this was present in SNYPR version 6.4 Jun 2022 R3_[06170871], but may have been introduced sooner. | -- | Sep 7, 2022 | n/a |
| CVE-2022-36878 | Exposure of Sensitive Information in Find My Mobile prior to version 7.2.25.14 allows local attacker to access IMEI via log. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36877 | Exposure of Sensitive Information in FaqSymptomCardViewModel in Samsung Members prior to versions 4.3.00.11 in Global and 14.0.02.4 in China allows local attackers to access device identification via log. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36876 | Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10 allows physical attackers to access account list without authentication. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36875 | Improper restriction of broadcasting Intent in SaWebViewRelayActivity of?Waterplugin prior to version 2.2.11.22081151 allows attacker to access the file without permission. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36874 | Improper Handling of Insufficient Permissions or Privileges vulnerability in Waterplugin prior to 2.2.11.22040751 allows attacker to access device IMEI and Serial number. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36873 | Improper restriction of broadcasting Intent in GalaxyStoreBridgePageLinker of?Waterplugin prior to version 2.2.11.22081151 leaks MAC address of the connected Bluetooth device. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36872 | Pending Intent hijacking vulnerability in SpayNotification in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36871 | Pending Intent hijacking vulnerability in NotiCenterUtils in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36870 | Pending Intent hijacking vulnerability in MTransferNotificationManager in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36869 | Improper access control vulnerability in ContactsDumpActivity of?Contacts Provider prior to version 12.7.59 allows attacker to access the file without permission. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36867 | Improper access control vulnerability in Editor Lite prior to version 4.0.40.14 allows attackers to access sensitive information. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36866 | Improper access control vulnerability in Broadcaster in Group Sharing prior to versions 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below allows attackers to identify the device. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36865 | Improper access control in Group Sharing prior to versions 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below allows attackers to access device information. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36864 | Improper access control and intent redirection in Samsung Email prior to 6.1.70.20 allows attacker to access specific formatted file and execute privileged behavior. | -- | Sep 9, 2022 | n/a |
| CVE-2022-36863 | A heap-based overflow vulnerability in GetCorrectDbLanguageTypeEsPKc function in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault. | -- | Sep 10, 2022 | n/a |
| CVE-2022-36862 | A heap-based overflow vulnerability in HWR::EngineCJK::Impl::Construct() in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault. | -- | Sep 10, 2022 | n/a |
