The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-29558 | Realtek rtl819x-SDK before v3.6.1 allows command injection over the web interface. | -- | Jul 29, 2022 | n/a |
| CVE-2022-29560 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < 2.15.1), RUGGEDCOM ROX MX5000RE (All versions < 2.15.1), RUGGEDCOM ROX RX1400 (All versions < 2.15.1), RUGGEDCOM ROX RX1500 (All versions < 2.15.1), RUGGEDCOM ROX RX1501 (All versions < 2.15.1), RUGGEDCOM ROX RX1510 (All versions < 2.15.1), RUGGEDCOM ROX RX1511 (All versions < 2.15.1), RUGGEDCOM ROX RX1512 (All versions < 2.15.1), RUGGEDCOM ROX RX1524 (All versions < 2.15.1), RUGGEDCOM ROX RX1536 (All versions < 2.15.1), RUGGEDCOM ROX RX5000 (All versions < 2.15.1). Affected devices do not properly validate user input, making them susceptible to command injection. An attacker with access to either the shell or the web CLI with administrator privileges could access the underlying operating system as the root user. | HIGH | Jul 12, 2022 | n/a |
| CVE-2022-29561 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM ROX RX1501 (All versions < V2.16.0), RUGGEDCOM ROX RX1510 (All versions < V2.16.0), RUGGEDCOM ROX RX1511 (All versions < V2.16.0), RUGGEDCOM ROX RX1512 (All versions < V2.16.0), RUGGEDCOM ROX RX1524 (All versions < V2.16.0), RUGGEDCOM ROX RX1536 (All versions < V2.16.0), RUGGEDCOM ROX RX5000 (All versions < V2.16.0). The web interface of the affected devices are vulnerable to Cross-Site Request Forgery attacks. By tricking an authenticated victim user to click a malicious link, an attacker could perform arbitrary actions on the device on behalf of the victim user. | -- | Jul 11, 2023 | n/a |
| CVE-2022-29562 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM ROX RX1501 (All versions < V2.16.0), RUGGEDCOM ROX RX1510 (All versions < V2.16.0), RUGGEDCOM ROX RX1511 (All versions < V2.16.0), RUGGEDCOM ROX RX1512 (All versions < V2.16.0), RUGGEDCOM ROX RX1524 (All versions < V2.16.0), RUGGEDCOM ROX RX1536 (All versions < V2.16.0), RUGGEDCOM ROX RX5000 (All versions < V2.16.0). Affected devices do not properly handle malformed HTTP packets. This could allow an unauthenticated remote attacker to send a malformed HTTP packet causing certain functions to fail in a controlled manner. | -- | Jul 11, 2023 | n/a |
| CVE-2022-29564 | Jamf Private Access before 2022-05-16 has Incorrect Access Control, in which an unauthorized user can reach a system in the internal infrastructure, aka WND-44801. | MEDIUM | Jun 7, 2022 | n/a |
| CVE-2022-29566 | The Bulletproofs 2017/1066 paper mishandles Fiat-Shamir generation because the hash computation fails to include all of the public values from the Zero Knowledge proof statement as well as all of the public values computed in the proof, aka the Frozen Heart issue. | MEDIUM | Apr 22, 2022 | n/a |
| CVE-2022-29567 | The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side. | MEDIUM | May 24, 2022 | n/a |
| CVE-2022-29577 | OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367. | MEDIUM | Apr 22, 2022 | n/a |
| CVE-2022-29578 | Meridian Cooperative Utility Software versions 22.02 and 22.03 allows remote attackers to obtain sensitive information such as name, address, and daily energy usage. | MEDIUM | Jun 24, 2022 | n/a |
| CVE-2022-29580 | There exists a path traversal vulnerability in the Android Google Search app. This is caused by the incorrect usage of uri.getLastPathSegment. A symbolic encoded string can bypass the path logic to get access to unintended directories. An attacker can manipulate paths that could lead to code execution on the device. We recommend upgrading beyond version 13.41 | -- | Dec 15, 2022 | n/a |
| CVE-2022-29581 | Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions. | HIGH | May 19, 2022 | n/a |
| CVE-2022-29582 | In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently. | MEDIUM | Apr 22, 2022 | n/a |
| CVE-2022-29583 | service_windows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory. NOTE: this finding could not be reproduced by its original reporter or by others. | MEDIUM | Apr 22, 2022 | n/a |
| CVE-2022-29584 | Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action. | LOW | May 6, 2022 | n/a |
| CVE-2022-29585 | In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (rather than only being shown for the institution that the viewer is a member of). | MEDIUM | Apr 29, 2022 | n/a |
| CVE-2022-29586 | Konica Minolta bizhub MFP devices before 2022-04-14 allow a Sandbox Escape. An attacker must attach a keyboard to a USB port, press F12, and then escape from the kiosk mode. | MEDIUM | May 16, 2022 | n/a |
| CVE-2022-29587 | Konica Minolta bizhub MFP devices before 2022-04-14 have an internal Chromium browser that executes with root (aka superuser) access privileges. | MEDIUM | May 16, 2022 | n/a |
| CVE-2022-29588 | Konica Minolta bizhub MFP devices before 2022-04-14 use cleartext password storage for the /var/log/nginx/html/ADMINPASS and /etc/shadow files. | MEDIUM | May 16, 2022 | n/a |
| CVE-2022-29589 | Crypt Server before 3.3.0 allows XSS in the index view. This is related to serial, computername, and username. | MEDIUM | Apr 22, 2022 | n/a |
| CVE-2022-29591 | Tenda TX9 Pro 22.03.02.10 devices have a SetNetControlList buffer overflow. | HIGH | May 10, 2022 | n/a |
| CVE-2022-29592 | Tenda TX9 Pro 22.03.02.10 devices allow OS command injection via set_route (called by doSystemCmd_route). | HIGH | May 5, 2022 | n/a |
| CVE-2022-29593 | relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP post requests without the need for authentication or a valid signed/authorized request. | -- | Jul 14, 2022 | n/a |
| CVE-2022-29594 | eG Agent before 7.2 has weak file permissions that enable escalation of privileges to SYSTEM. | HIGH | Jun 3, 2022 | n/a |
| CVE-2022-29596 | MicroStrategy Enterprise Manager 2022 allows authentication bypass by triggering a login failure and then entering the Uid=/../../../../../../../../../../../windows/win.ini%00.jpg&Pwd=_any_password_&ConnMode=1&3054=Login substring for directory traversal. | HIGH | May 12, 2022 | n/a |
| CVE-2022-29597 | Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to Local File Inclusion (LFI). Any authenticated user has the ability to reference internal system files within requests made to the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The server will successfully respond with the file contents of the internal system file requested. This ability could allow for adversaries to extract sensitive data and/or files from the underlying file system, gain knowledge about the internal workings of the system, or access source code of the application. | MEDIUM | Jun 2, 2022 | n/a |
| CVE-2022-29598 | Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to an reflected Cross-Site Scripting (XSS) vulnerability via RRSWeb/maint/ShowDocument/ShowDocument.aspx . | MEDIUM | Jun 2, 2022 | n/a |
| CVE-2022-29599 | In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. | HIGH | May 23, 2022 | n/a |
| CVE-2022-29600 | The oelib (aka One is Enough Library) extension through 4.1.5 for TYPO3 allows SQL Injection. | HIGH | Jul 13, 2022 | n/a |
| CVE-2022-29601 | The seminars (aka Seminar Manager) extension through 4.1.3 for TYPO3 allows SQL Injection. | HIGH | Jul 13, 2022 | n/a |
| CVE-2022-29602 | The gridelements (aka Grid Elements) extension through 7.6.1, 8.x through 8.7.0, 9.x through 9.7.0, and 10.x through 10.2.0 extension for TYPO3 allows XSS. | LOW | Jul 13, 2022 | n/a |
| CVE-2022-29603 | A SQL Injection vulnerability exists in UniverSIS UniverSIS-API through 1.2.1 via the $select parameter to multiple API endpoints. A remote authenticated attacker could send crafted SQL statements to a vulnerable endpoint (such as /api/students/me/messages/) to, for example, retrieve personal information or change grades. | MEDIUM | Apr 25, 2022 | n/a |
| CVE-2022-29604 | An issue was discovered in ONOS 2.5.1. An intent with an uppercase letter in a device ID shows the CORRUPT state, which is misleading to a network operator. Improper handling of case sensitivity causes inconsistency between intent and flow rules in the network. | -- | Apr 20, 2023 | n/a |
| CVE-2022-29605 | An issue was discovered in ONOS 2.5.1. IntentManager attempts to install the IPv6 flow rules of an intent into an OpenFlow 1.0 switch that does not support IPv6. Improper handling of the difference in capabilities of the intent and switch is misleading to a network operator. | -- | Apr 20, 2023 | n/a |
| CVE-2022-29606 | An issue was discovered in ONOS 2.5.1. An intent with a large port number shows the CORRUPT state, which is misleading to a network operator. Improper handling of such port numbers causes inconsistency between intent and flow rules in the network. | -- | Apr 20, 2023 | n/a |
| CVE-2022-29607 | An issue was discovered in ONOS 2.5.1. Modification of an existing intent to have the same source and destination shows the INSTALLED state without any flow rule. Improper handling of such an intent is misleading to a network operator. | -- | Apr 20, 2023 | n/a |
| CVE-2022-29608 | An issue was discovered in ONOS 2.5.1. An intent with a port that is an intermediate point of its path installs an invalid flow rule, causing a network loop. | -- | Apr 20, 2023 | n/a |
| CVE-2022-29609 | An issue was discovered in ONOS 2.5.1. An intent with the same source and destination shows the INSTALLING state, indicating that its flow rules are installing. Improper handling of such an intent is misleading to a network operator. | -- | Apr 20, 2023 | n/a |
| CVE-2022-29610 | SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack. | LOW | May 11, 2022 | n/a |
| CVE-2022-29611 | SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | MEDIUM | May 11, 2022 | n/a |
| CVE-2022-29612 | SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22, allows an authenticated user to misuse a function of sapcontrol webfunctionality(startservice) in Kernel which enables malicious users to retrieve information. On successful exploitation, an attacker can obtain technical information like system number or physical address, which is otherwise restricted, causing a limited impact on the confidentiality of the application. | MEDIUM | Jun 15, 2022 | n/a |
| CVE-2022-29613 | Due to insufficient input validation, SAP Employee Self Service allows an authenticated attacker with user privileges to alter employee number. On successful exploitation, the attacker can view personal details of other users causing a limited impact on confidentiality of the application. | MEDIUM | May 11, 2022 | n/a |
| CVE-2022-29614 | SAP startservice - of SAP NetWeaver Application Server ABAP, Application Server Java, ABAP Platform and HANA Database - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, SAPHOSTAGENT 7.22, - on Unix systems, s-bit helper program sapuxuserchk, can be abused physically resulting in a privilege escalation of an attacker leading to low impact on confidentiality and integrity, but a profound impact on availability. | MEDIUM | Jun 15, 2022 | n/a |
| CVE-2022-29615 | SAP NetWeaver Developer Studio (NWDS) - version 7.50, is based on Eclipse, which contains the logging framework log4j in version 1.x. The application\'s confidentiality and integrity could have a low impact due to the vulnerabilities associated with version 1.x. | LOW | Jun 15, 2022 | n/a |
| CVE-2022-29616 | SAP Host Agent, SAP NetWeaver and ABAP Platform allow an attacker to leverage logical errors in memory management to cause a memory corruption. | MEDIUM | May 11, 2022 | n/a |
| CVE-2022-29617 | Due to improper error handling an authenticated user can crash CLA assistant instance. This could impact the availability of the application. | MEDIUM | Jun 7, 2022 | n/a |
| CVE-2022-29618 | Due to insufficient input validation, SAP NetWeaver Development Infrastructure (Design Time Repository) - versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to inject script into the URL and execute code in the user’s browser. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | MEDIUM | Jun 15, 2022 | n/a |
| CVE-2022-29619 | Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.x - versions 420,430 allows user Administrator to view, edit or modify rights of objects it doesn\'t own and which would otherwise be restricted. | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-29620 | FileZilla v3.59.0 allows attackers to obtain cleartext passwords of connected SSH or FTP servers via a memory dump.- NOTE: the vendor does not consider this a vulnerability | MEDIUM | Jun 9, 2022 | n/a |
| CVE-2022-29622 | An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. | HIGH | May 16, 2022 | n/a |
| CVE-2022-29623 | An arbitrary file upload vulnerability in the file upload module of Connect-Multiparty v2.2.0 allows attackers to execute arbitrary code via a crafted PDF file. | MEDIUM | May 16, 2022 | n/a |
