The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2021-33447 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_print() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33446 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_next() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33445 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_string_char_code_at() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33444 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in getprop_builtin_foreign() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33443 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in mjs_execute() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33442 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in json_printf() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33441 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in exec_expr() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33440 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_bcode_commit() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33439 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is Integer overflow in gc_compact_strings() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33438 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in json_parse_array() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33437 | An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There are memory leaks in frozen_cb() in mjs.c. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33371 | A stored cross-site scripting (XSS) vulnerability in /nav_bar_action.php of Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Chat box. | -- | Jul 28, 2022 | n/a |
| CVE-2021-33057 | The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device\'s physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device\'s location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center. | -- | Jul 27, 2022 | n/a |
| CVE-2021-27785 | HCL Commerce\'s Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the website. | -- | Jul 30, 2022 | n/a |
| CVE-2021-23451 | The package otp-generator before 3.0.0 are vulnerable to Insecure Randomness due to insecure generation of random one-time passwords, which may allow a brute-force attack. | -- | Jul 25, 2022 | n/a |
| CVE-2021-23397 | All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead. | -- | Jul 25, 2022 | n/a |
| CVE-2021-23373 | All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality. | -- | Jul 25, 2022 | n/a |
| CVE-2021-22650 | An attacker may use TWinSoft and a malicious source project file (TPG) to extract files on machine executing Ovarro TWinSoft, which could lead to code execution. | -- | Jul 28, 2022 | n/a |
| CVE-2021-22648 | Ovarro TBox proprietary Modbus file access functions allow attackers to read, alter, or delete the configuration file. | -- | Jul 28, 2022 | n/a |
| CVE-2021-22646 | The “ipk” package containing the configuration created by TWinSoft can be uploaded, extracted, and executed in Ovarro TBox, allowing malicious code execution. | -- | Jul 28, 2022 | n/a |
| CVE-2021-22644 | Ovarro TBox TWinSoft uses the custom hardcoded user “TWinSoft” with a hardcoded key. | -- | Jul 28, 2022 | n/a |
| CVE-2021-22642 | An attacker could use specially crafted invalid Modbus frames to crash the Ovarro TBox system. | -- | Jul 28, 2022 | n/a |
| CVE-2021-22640 | An attacker can decrypt the Ovarro TBox login password by communication capture and brute force attacks. | -- | Jul 28, 2022 | n/a |
| CVE-2020-36290 | The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality. | -- | Jul 26, 2022 | n/a |
| CVE-2020-28471 | This affects the package properties-reader before 2.2.0. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28462 | This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28461 | This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28459 | This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28455 | This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28447 | This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath) | -- | Jul 25, 2022 | n/a |
| CVE-2020-28446 | The package ntesseract before 0.2.9 are vulnerable to Command Injection via lib/tesseract.js. | -- | Jul 28, 2022 | n/a |
| CVE-2020-28445 | This affects all versions of package npm-help. The injection point is located in line 13 in index.js file in export.latestVersion() function. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28443 | This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28441 | This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28438 | This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js | -- | Jul 25, 2022 | n/a |
| CVE-2020-28436 | This affects all versions of package google-cloudstorage-commands. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28435 | This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28422 | All versions of package git-archive are vulnerable to Command Injection via the exports function. | -- | Jul 25, 2022 | n/a |
| CVE-2020-7678 | This affects all versions of package node-import. The params argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located in line 79 in the index file index.js. | -- | Jul 25, 2022 | n/a |
| CVE-2020-7677 | This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization. | -- | Jul 25, 2022 | n/a |
| CVE-2020-7649 | This affects the package snyk-broker before 4.73.0. It allows arbitrary file reads for users with access to Snyk\'s internal network via directory traversal. | -- | Jul 25, 2022 | n/a |
| CVE-2020-6998 | The connection establishment algorithm found in Rockwell Automation CompactLogix 5370 and ControlLogix 5570 versions 33 and prior does not sufficiently manage its control flow during execution, creating an infinite loop. This may allow an attacker to send specially crafted CIP packet requests to a controller, which may cause denial-of-service conditions in communications with other products. | -- | Jul 28, 2022 | n/a |
| CVE-2017-20145 | A vulnerability was found in Tecrail Responsive Filemanger up to 9.10.x and classified as critical. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 9.11.0 is able to address this issue. It is recommended to upgrade the affected component. | -- | Jul 25, 2022 | n/a |
| CVE-2016-4991 | Input passed to the Pdf() function is shell escaped and passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely, semicolon and curly braces. This can be abused to achieve command execution. This problem affects nodepdf 1.3.0. | -- | Jul 28, 2022 | n/a |
| CVE-2016-4427 | In zulip before 1.3.12, deactivated users could access messages if SSO was enabled. | -- | Jul 28, 2022 | n/a |
| CVE-2016-4426 | In zulip before 1.3.12, bot API keys were accessible to other users in the same realm. | -- | Jul 28, 2022 | n/a |
| CVE-2016-2139 | In kippo-graph before version 1.5.1, there is a cross-site scripting vulnerability in $file_link in class/KippoInput.class.php. | -- | Jul 28, 2022 | n/a |
| CVE-2016-2138 | In kippo-graph before version 1.5.1, there is a cross-site scripting vulnerability in xss_clean() in class/KippoInput.class.php. | -- | Jul 28, 2022 | n/a |
| CVE-2016-0796 | WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files is prone to multiple vulnerabilities, including open proxy and security bypass vulnerabilities because it fails to properly verify user-supplied input. An attacker may leverage these issues to hide attacks directed at a target site from behind vulnerable website or to perform otherwise restricted actions and subsequently download files with the extension mp3, mp4a, wav and ogg from anywhere the web server application has read access to the system. WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files version 1.7.6 is vulnerable; prior versions may also be affected. | -- | Jul 28, 2022 | n/a |
| CVE-2022-36415 | A DLL hijacking vulnerability exists in the uninstaller in Scooter Beyond Compare 1.8a through 4.4.2 before 4.4.3 when installed via the EXE installer. The uninstaller attempts to load DLLs out of a Windows Temp folder. If a standard user places malicious DLLs in the C:\\Windows\\Temp\\ folder, and then the uninstaller is run as SYSTEM, the DLLs will execute with elevated privileges. | -- | Jul 23, 2022 | n/a |
