The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-3153 | NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404. | -- | Sep 8, 2022 | 10.19.45.26 (Wind River Linux LTS 19) |
| CVE-2022-3152 | Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20. | -- | Sep 12, 2022 | n/a |
| CVE-2022-3148 | Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. | -- | Sep 9, 2022 | n/a |
| CVE-2022-3147 | Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service. | -- | Sep 9, 2022 | n/a |
| CVE-2022-3138 | Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. | -- | Sep 9, 2022 | n/a |
| CVE-2022-3134 | Use After Free in GitHub repository vim/vim prior to 9.0.0389. | -- | Sep 9, 2022 | 10.19.45.26 (Wind River Linux LTS 19) |
| CVE-2022-3133 | OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. | -- | Sep 10, 2022 | n/a |
| CVE-2022-3130 | A vulnerability classified as critical has been found in codeprojects Online Driving School. This affects an unknown part of the file /login.php. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-207873 was assigned to this vulnerability. | -- | Sep 12, 2022 | n/a |
| CVE-2022-3129 | A vulnerability was found in codeprojects Online Driving School. It has been rated as critical. Affected by this issue is some unknown functionality of the file /registration.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-207872. | -- | Sep 12, 2022 | n/a |
| CVE-2022-3127 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8. | -- | Sep 8, 2022 | n/a |
| CVE-2022-3123 | Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a. | -- | Sep 8, 2022 | n/a |
| CVE-2022-3122 | A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file medicine_details.php. The manipulation of the argument medicine leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-207854 is the identifier assigned to this vulnerability. | -- | Sep 8, 2022 | n/a |
| CVE-2022-3121 | A vulnerability was found in SourceCodester Online Employee Leave Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/addemployee.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The identifier VDB-207853 was assigned to this vulnerability. | -- | Sep 8, 2022 | n/a |
| CVE-2022-3120 | A vulnerability classified as critical was found in SourceCodester Clinics Patient Management System. Affected by this vulnerability is an unknown functionality of the file index.php of the component Login. The manipulation of the argument user_name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-207847. | -- | Sep 8, 2022 | n/a |
| CVE-2022-3077 | A buffer overflow vulnerability was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way it handled the I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with malicious input data. This flaw could allow a local user to crash the system. | -- | Sep 9, 2022 | n/a |
| CVE-2022-3026 | The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the \'Export Users\' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | -- | Sep 9, 2022 | n/a |
| CVE-2022-3008 | The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751 | -- | Sep 9, 2022 | n/a |
| CVE-2022-2979 | Opening a specially crafted file could cause the affected product to fail to release its memory reference potentially resulting in arbitrary code execution. | -- | Sep 12, 2022 | n/a |
| CVE-2022-2945 | The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.5.3 via the \'type\' parameter found in the alm_get_layout() function. This makes it possible for authenticated attackers, with administrative permissions, to read the contents of arbitrary files on the server, which can contain sensitive information. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2943 | The WordPress Infinite Scroll – Ajax Load More plugin for Wordpress is vulnerable to arbitrary file reading in versions up to, and including, 5.5.3 due to insufficient file path validation on the alm_repeaters_export() function. This makes it possible for authenticated attackers, with administrative privileges, to download arbitrary files hosted on the server that may contain sensitive content, such as the wp-config.php file. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2941 | The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the Naming Conventions section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2939 | The WP Cerber Security plugin for WordPress is vulnerable to security protection bypass in versions up to, and including 9.0, that makes user enumeration possible. This is due to improper validation on the value supplied through the \'author\' parameter found in the ~/cerber-load.php file. In vulnerable versions, the plugin only blocks requests if the value supplied is numeric, making it possible for attackers to supply additional non-numeric characters to bypass the protection. The non-numeric characters are stripped and the user requested is displayed. This can be used by unauthenticated attackers to gather information about users that can targeted in further attacks. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2936 | The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Video Link values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin\'s features available to lower privileged users through the \'Who Can Edit?\' setting then this can be exploited by those users. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2935 | The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Media Image URL value that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin\'s features available to lower privileged users through the \'Who Can Edit?\' setting then this can be exploited by those users. | -- | Sep 12, 2022 | n/a |
| CVE-2022-2934 | The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the \'Image URL\' value found in the Media block in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2925 | Cross-site Scripting (XSS) - Stored in GitHub repository appwrite/appwrite prior to 1.0.0-RC1. | -- | Sep 9, 2022 | n/a |
| CVE-2022-2901 | Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2830 | Deserialization of Untrusted Data vulnerability in the message processing component of Bitdefender GravityZone Console allows an attacker to pass unsafe commands to the environment. This issue affects: Bitdefender GravityZone Console On-Premise versions prior to 6.29.2-1. Bitdefender GravityZone Cloud Console versions prior to 6.27.2-2. | -- | Sep 9, 2022 | n/a |
| CVE-2022-2775 | The Fast Flow WordPress plugin before 1.2.13 does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | -- | Sep 8, 2022 | n/a |
| CVE-2022-2735 | A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the hacluster token, this flaw allows an attacker to have complete control over the cluster managed by PCS. | -- | Sep 7, 2022 | n/a |
| CVE-2022-2718 | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the \'orderby\' parameter on the joomsport-page-extrafields page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2717 | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the \'orderby\' parameter on the joomsport-events-form page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2716 | The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the \'Text Editor\' block in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2714 | Improper Handling of Length Parameter Inconsistency in GitHub repository francoisjacquet/rosariosis prior to 10.0. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2695 | The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the \'caption\' parameter added to images via the media uploader in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor and the ability to upload media files to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2657 | The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF | -- | Sep 8, 2022 | n/a |
| CVE-2022-2633 | The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the \'dl\' parameter found in the ~/public/video.php file in versions up to, and including 2.6.0. This makes it possible for unauthenticated users to download sensitive files hosted on the affected server and forge requests to the server. | -- | Sep 12, 2022 | n/a |
| CVE-2022-2597 | The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts | -- | Sep 9, 2022 | n/a |
| CVE-2022-2565 | The Simple Payment Donations & Subscriptions WordPress plugin before 4.2.1 does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins | -- | Sep 8, 2022 | n/a |
| CVE-2022-2543 | The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts | -- | Sep 8, 2022 | n/a |
| CVE-2022-2542 | The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin\'s settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2541 | The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin\'s settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2540 | The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin\'s settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2528 | In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages. | -- | Sep 9, 2022 | n/a |
| CVE-2022-2518 | The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin\'s settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | -- | Sep 9, 2022 | n/a |
| CVE-2022-2517 | The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the \'Caption - On Hover\' value associated with images in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2516 | The Visual Composer Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post/page \'Title\' value in versions up to, and including, 45.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the visual composer editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Sep 6, 2022 | n/a |
| CVE-2022-2515 | The Simple Banner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `pro_version_activation_code` parameter in versions up to, and including, 2.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, including those without administrative capabilities when access is granted to those users, to inject arbitrary web scripts in page that will execute whenever a user role having access to Simple Banner accesses the plugin\'s settings. | -- | Sep 10, 2022 | n/a |
| CVE-2022-2473 | The WP-UserOnline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘templates[browsingpage][text]\' parameter in versions up to, and including, 2.87.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative capabilities and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The only affects multi-site installations and installations where unfiltered_html is disabled. | -- | Sep 10, 2022 | n/a |
| CVE-2022-2462 | The Transposh WordPress Translation plugin for WordPress is vulnerable to sensitive information disclosure to unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the \'tp_history\' AJAX action and insufficient restriction on the data returned in the response. This makes it possible for unauthenticated users to exfiltrate usernames of individuals who have translated text. | -- | Sep 9, 2022 | n/a |
