The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2022-24303 | Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. | MEDIUM | Apr 5, 2022 | n/a |
CVE-2022-24304 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-2564. Reason: This candidate is a duplicate of CVE-2022-2564. Notes: All CVE users should reference CVE-2022-2564 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | -- | Aug 26, 2022 | n/a |
CVE-2022-24305 | Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation. | HIGH | Mar 2, 2022 | n/a |
CVE-2022-24306 | Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled. | HIGH | Mar 2, 2022 | n/a |
CVE-2022-24307 | Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.) | HIGH | Feb 9, 2022 | n/a |
CVE-2022-24308 | Automox Agent prior to version 37 on Windows and Linux and Version 36 on OSX could allow for a non privileged user to obtain sensitive information during the install process. | LOW | Apr 13, 2022 | n/a |
CVE-2022-24309 | A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29), Mendix Applications using Mendix 8 (All versions < V8.18.16), Mendix Applications using Mendix 9 (All versions < V9.13 only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set to False). If an entity has an association readable by the user, then in some cases, Mendix Runtime may not apply checks for XPath constraints that parse said associations, within apps running on affected versions. A malicious user could use this to dump and manipulate sensitive data. | MEDIUM | Mar 11, 2022 | n/a |
CVE-2022-24310 | A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) | HIGH | Feb 10, 2022 | n/a |
CVE-2022-24311 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause modification of an existing file by inserting at beginning of file or create a new file in the context of the Data Server potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) | HIGH | Feb 10, 2022 | n/a |
CVE-2022-24312 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause modification of an existing file by adding at end of file or create a new file in the context of the Data Server potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) | HIGH | Feb 10, 2022 | n/a |
CVE-2022-24313 | A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) | HIGH | Feb 10, 2022 | n/a |
CVE-2022-24314 | A CWE-125: Out-of-bounds Read vulnerability exists that could cause memory leaks potentially resulting in denial of service when an attacker repeatedly sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) | MEDIUM | Feb 10, 2022 | n/a |
CVE-2022-24315 | A CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service when an attacker repeatedly sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) | MEDIUM | Feb 10, 2022 | n/a |
CVE-2022-24316 | A CWE-665: Improper Initialization vulnerability exists that could cause information exposure when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) | MEDIUM | Feb 10, 2022 | n/a |
CVE-2022-24317 | A CWE-862: Missing Authorization vulnerability exists that could cause information exposure when an attacker sends a specific message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) | MEDIUM | Feb 10, 2022 | n/a |
CVE-2022-24318 | A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions) | MEDIUM | Feb 10, 2022 | n/a |
CVE-2022-24319 | A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA web server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions) | MEDIUM | Feb 10, 2022 | n/a |
CVE-2022-24320 | A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA database server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions) | MEDIUM | Feb 10, 2022 | n/a |
CVE-2022-24321 | A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause Denial of Service against the Geo SCADA server when receiving a malformed HTTP request. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions) | MEDIUM | Feb 10, 2022 | n/a |
CVE-2022-24322 | A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software when an attacker is able to intercept and manipulate specific Modbus response data. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior) | MEDIUM | Mar 12, 2022 | n/a |
CVE-2022-24323 | A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software, when an attacker is able to intercept and manipulate specific Modbus response data. Affected Product: EcoStruxure Process Expert (V2021 and prior), EcoStruxure Control Expert (V15.0 SP1 and prior) | MEDIUM | Mar 12, 2022 | n/a |
CVE-2022-24324 | A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22073) | -- | Feb 1, 2023 | n/a |
CVE-2022-24327 | In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24328 | In JetBrains Hub before 2021.1.13956, an unprivileged user could perform DoS. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24329 | In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24330 | In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24331 | In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. | HIGH | Feb 25, 2022 | n/a |
CVE-2022-24332 | In JetBrains TeamCity before 2021.2, a logout action didn\'t remove a Remember Me cookie. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24333 | In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24334 | In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24335 | JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24336 | In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24337 | In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24338 | JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24339 | JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS. | LOW | Feb 25, 2022 | n/a |
CVE-2022-24340 | In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. | HIGH | Feb 25, 2022 | n/a |
CVE-2022-24341 | In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn\'t terminate sessions of the edited user. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24342 | In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24343 | In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24344 | JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page. | LOW | Feb 25, 2022 | n/a |
CVE-2022-24345 | In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24346 | In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible. | MEDIUM | Feb 25, 2022 | n/a |
CVE-2022-24347 | JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon. | LOW | Feb 25, 2022 | n/a |
CVE-2022-24348 | Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file. | MEDIUM | Feb 9, 2022 | n/a |
CVE-2022-24349 | An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel. | LOW | Mar 10, 2022 | n/a |
CVE-2022-24350 | An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI function 0x17 verifies that the output buffer lies within the command buffer but does not verify that output data does not go beyond the end of the command buffer. In particular, the GetFlashTable function is called directly on the Command Buffer before the DataSize is check, leading to possible circumstances where the data immediately following the command buffer could be destroyed before returning a buffer size error. | -- | Apr 12, 2023 | n/a |
CVE-2022-24351 | TOCTOU race-condition vulnerability in Insyde InsydeH2O with Kernel 5.2 before version 05.27.29, Kernel 5.3 before version 05.36.29, Kernel 5.4 version before 05.44.13, and Kernel 5.5 before version 05.52.13 allows an attacker to alter data and code used by the remainder of the boot process. | -- | Dec 18, 2023 | n/a |
CVE-2022-24352 | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link AC1750 prior to 211210 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetUSB.ko kernel module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15773. | -- | Mar 28, 2023 | n/a |
CVE-2022-24353 | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link AC1750 1.1.4 Build 20211022 rel.59103(5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetUSB.ko module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-15769. | -- | Mar 28, 2023 | n/a |
CVE-2022-24354 | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link AC1750 prior to 1.1.4 Build 20211022 rel.59103(5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetUSB.ko module. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15835. | HIGH | Feb 18, 2022 | n/a |