Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a catalog of publicly disclosed vulnerabilities and security exposures, each assigned a standardized identifier (a CVE ID) so that tools, advisories and vendors can refer to the same issue unambiguously.

Showing 50 of 168443 entries
ID | Description | Priority | Modified date (a Priority of "--" means no priority is listed for that entry)
CVE-2022-37338 Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Blossom Recipe Maker plugin <= 1.0.7 at WordPress. -- Sep 23, 2022
CVE-2022-37337 A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. -- Mar 24, 2023
CVE-2022-37336 Improper input validation in BIOS firmware for some Intel(R) NUC may allow a privileged user to potentially enable escalation of privilege via local access. -- Aug 11, 2023
CVE-2022-37335 Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerability in WHA's Word Search Puzzles game plugin <= 2.0.1 at WordPress. -- Sep 10, 2022
CVE-2022-37334 Improper initialization in BIOS firmware for some Intel(R) NUC 11 Pro Kits and Intel(R) NUC 11 Pro Boards before version TNTGL357.0064 may allow an authenticated user to potentially enable escalation of privilege via local access. LOW Nov 11, 2022
CVE-2022-37333 SQL injection vulnerability in the Exment ((PHP8) exceedone/exment v5.0.2 and earlier and exceedone/laravel-admin v3.0.0 and earlier, (PHP7) exceedone/exment v4.4.2 and earlier and exceedone/laravel-admin v2.2.2 and earlier) allows remote authenticated attackers to execute arbitrary SQL commands. -- Aug 24, 2022
CVE-2022-37332 A use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 12.0.1.12430. A specially-crafted PDF document can trigger the reuse of previously freed memory via misusing media player API, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled. -- Nov 22, 2022
CVE-2022-37331 An out-of-bounds write vulnerability exists in the Gaussian format orientation functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. -- Jul 24, 2023
CVE-2022-37330 Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WHA Crossword plugin <= 1.1.10 at WordPress. -- Sep 23, 2022
CVE-2022-37329 Uncontrolled search path in some Intel(R) Quartus(R) Prime Pro and Standard Edition software may allow an authenticated user to potentially enable escalation of privilege via local access. -- Feb 17, 2023
CVE-2022-37328 Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerability in Themes Awesome History Timeline plugin <= 1.0.5 at WordPress. -- Sep 23, 2022
CVE-2022-37327 Improper input validation in BIOS firmware for Intel(R) NUC, Intel(R) NUC Performance Kit, Intel(R) NUC Performance Mini PC, Intel(R) NUC 8 Compute Element, Intel(R) NUC Pro Kit, Intel(R) NUC Pro Board, Intel(R) NUC 11 Compute Element, Intel(R) NUC 12 Compute Element, Intel(R) NUC Extreme, Intel(R) NUC 12 Extreme Compute Element, Intel(R) NUC Laptop Kit, Intel(R) NUC Enthusiast, Intel(R) NUC Essential, Intel(R) NUC Laptop Kit, Intel(R) NUC Extreme Compute Element, Intel(R) NUC Boards, Intel(R) NUC Pro Compute Element, Intel(R) NUC Rugged may allow a privileged user to enable information disclosure via local access. -- May 10, 2023
CVE-2022-37326 Docker Desktop for Windows before 4.6.0 allows attackers to delete (or create) any file through the dockerBackendV2 windowscontainers/start API by controlling the pidfile field inside the DaemonJSON field in the WindowsContainerStartRequest class. This can indirectly lead to privilege escalation. -- Apr 28, 2023
CVE-2022-37325 In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash. -- Dec 7, 2022
CVE-2022-37318 Archer Platform 6.9 SP2 P2 before 6.11 P3 (6.11.0.3) contain a reflected XSS vulnerability. A remote unauthenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious JavaScript code to the vulnerable web application. This code is then reflected to the victim and gets executed by the web browser in the context of the vulnerable web application. 6.10 P4 (6.10.0.4) and 6.11 P2 HF4 (6.11.0.2.4) are also fixed releases. -- Aug 26, 2022
CVE-2022-37317 Archer Platform 6.x before 6.11 P3 contain an HTML injection vulnerability. An authenticated remote attacker could potentially exploit this vulnerability by tricking a victim application user to execute malicious code in the context of the web application. 6.10 P4 (6.10.0.4) and 6.11 P2 HF4 (6.11.0.2.4) are also fixed releases. -- Aug 26, 2022
CVE-2022-37316 Archer Platform 6.8 before 6.11 P3 (6.11.0.3) contains an improper API access control vulnerability in a multi-instance system that could potentially present unauthorized metadata to an authenticated user of the affected system. 6.10 P3 HF1 (6.10.0.3.1) is also a fixed release. -- Aug 26, 2022
CVE-2022-37315 graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser. -- Aug 5, 2022
CVE-2022-37313 OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record. -- Dec 27, 2022
CVE-2022-37312 OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet. -- Dec 27, 2022
CVE-2022-37311 OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. -- Dec 27, 2022
CVE-2022-37310 OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. -- Dec 27, 2022
CVE-2022-37309 OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. -- Dec 27, 2022
CVE-2022-37308 OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. -- Dec 27, 2022
CVE-2022-37307 OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature. -- Dec 27, 2022
CVE-2022-37306 OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger. -- Apr 17, 2023
CVE-2022-37305 The Remote Keyless Entry (RKE) receiving unit on certain Honda vehicles through 2018 allows remote attackers to perform unlock operations and force a resynchronization after capturing five consecutive valid RKE signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely. -- Aug 24, 2022
CVE-2022-37304 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none. -- Nov 7, 2023
CVE-2022-37303 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none. -- Nov 7, 2023
CVE-2022-37302 A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a crash of the Control Expert software when an incorrect project file is opened. Affected Products: EcoStruxure Control Expert(V15.1 HF001 and prior). -- Sep 15, 2022
CVE-2022-37301 A CWE-191: Integer Underflow (Wrap or Wraparound) vulnerability exists that could cause a denial of service of the controller due to memory access violations when using the Modbus TCP protocol. Affected products: Modicon M340 CPU (part numbers BMXP34*)(V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*)(V3.22 and prior), Legacy Modicon Quantum/Premium(All Versions), Modicon Momentum MDI (171CBU*)(All Versions), Modicon MC80 (BMKC80)(V1.7 and prior) -- Nov 22, 2022
CVE-2022-37300 A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior). -- Sep 12, 2022
CVE-2022-37299 An issue was discovered in Shirne CMS 1.2.0. There is a Path Traversal vulnerability which could cause arbitrary file read via /static/ueditor/php/controller.php. -- Sep 10, 2022
CVE-2022-37298 Shinken Solutions Shinken Monitoring Version 2.4.3 affected is vulnerable to Incorrect Access Control. The SafeUnpickler class found in shinken/safepickle.py implements a weak authentication scheme when unserializing objects passed from monitoring nodes to the Shinken monitoring server. -- Oct 21, 2022
CVE-2022-37292 Tenda AX12 V22.03.01.21_CN is vulnerable to Buffer Overflow. This overflow is triggered in the sub_42FDE4 function, which satisfies the request of the upper-level interface function sub_430124, that is, handles the post request under /goform/SetIpMacBind. -- Aug 27, 2022
CVE-2022-37290 GNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive. -- Nov 20, 2022
CVE-2022-37266 Prototype pollution vulnerability in function extend in babel.js in stealjs steal 2.2.4 via the key variable in babel.js. -- Sep 15, 2022
CVE-2022-37265 Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js. -- Sep 22, 2022
CVE-2022-37264 Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js. -- Sep 15, 2022
CVE-2022-37262 A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the source and sourceWithComments variable in main.js. -- Sep 15, 2022
CVE-2022-37260 A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the input variable in main.js. -- Sep 16, 2022
CVE-2022-37259 A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the string variable in babel.js. -- Sep 22, 2022
CVE-2022-37258 Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js. -- Sep 17, 2022
CVE-2022-37257 Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. -- Sep 15, 2022
CVE-2022-37255 TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603. -- Apr 17, 2023
CVE-2022-37254 DolphinPHP 1.5.1 is vulnerable to Cross Site Scripting (XSS) via Background -> System -> system function -> configuration management. -- Aug 19, 2022
CVE-2022-37253 Persistent cross-site scripting (XSS) in Crime Reporting System 1.0 allows a remote attacker to introduce arbitrary JavaScript via manipulation of an unsanitized POST parameter. -- Sep 9, 2022
CVE-2022-37251 Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts. -- Sep 17, 2022
CVE-2022-37250 Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount. -- Sep 17, 2022
CVE-2022-37248 Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php. -- Sep 17, 2022
The 'Fixed Release' column is displayed when a single product version is selected in the filter. The fixed release applies when the CVE has been addressed and fixed for that product version.

Requires LTSS: customers must have active LTSS (Long Term Security Shield) support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
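The entry for CVE-2022-37313 above describes a recurring anti-SSRF mistake: the protection vets only the first DNS A or AAAA record, so a name that resolves to a public address followed by a loopback or RFC 1918 address passes the check while the actual connection may use the internal record. The Python below is an added illustration of that flawed pattern beside a hardened version that vets every record and pins the vetted address; it is not code from OX App Suite or from this page. The host names, addresses and the fake resolver are constructed so it runs offline.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

# A resolver returns every A/AAAA record for a host name, as strings.
Resolver = Callable[[str], Iterable[str]]


def is_internal(addr: str) -> bool:
    """True for any address a server-side fetcher must never reach:
    loopback, RFC 1918, link-local, ULA, multicast, unspecified, reserved.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so it is judged as IPv4,
    which keeps the verdict consistent across Python versions."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def first_record_only(host: str, resolve: Resolver) -> bool:
    """Flawed check (the pattern CVE-2022-37313 describes): only the first
    record is vetted. A name answering [public, 127.0.0.1] passes, yet the
    later connect() may use any record, or re-resolve the name entirely."""
    records: List[str] = list(resolve(host))
    return bool(records) and not is_internal(records[0])


def all_records(host: str, resolve: Resolver) -> bool:
    """Hardened check: every record must be external; an empty answer fails
    closed instead of being treated as harmless."""
    records = list(resolve(host))
    return bool(records) and not any(is_internal(a) for a in records)


def vetted_target(host: str, resolve: Resolver) -> Optional[str]:
    """Hardened check plus pinning: returns the one address the caller should
    open the socket to (sending the original name in the Host header), so the
    name is never resolved a second time between check and connect. Without
    pinning, DNS rebinding can swap in an internal address after the check."""
    records = list(resolve(host))
    if not records or any(is_internal(a) for a in records):
        return None
    return records[0]


# Constructed answers for a fake resolver (hypothetical names; no network I/O).
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "split.example": ["93.184.216.34", "127.0.0.1"],  # public first, loopback second
    "mapped.example": ["::ffff:10.0.0.5"],            # IPv4-mapped RFC 1918 address
    "empty.example": [],                              # no records at all
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for h in FAKE_DNS:
        print(f"{h:16} first-only={first_record_only(h, fake_resolve)!s:5} "
              f"all-records={all_records(h, fake_resolve)!s:5} "
              f"pinned={vetted_target(h, fake_resolve)}")
```

The point of `vetted_target` is that a boolean check alone is not enough: even after every record is vetted, an HTTP client that re-resolves the name at connect time can be pointed at an internal address by a short-TTL rebinding answer. Connecting to the returned address and supplying the original host name in the Host (or SNI) header closes that window.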