The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-27929 | Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27928 | Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27168 | Cross-site scripting vulnerability in LiteCart versions prior to 2.4.2 allows a remote attacker to inject an arbitrary script via unspecified vectors. | MEDIUM | Jul 15, 2022 | n/a |
| CVE-2022-26657 | Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-26656 | Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-26655 | Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-26654 | Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-26352 | An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-25875 | The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function. | MEDIUM | Jul 13, 2022 | n/a |
| CVE-2022-25357 | Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-25303 | The package whoogle-search before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error_message that is then rendered in the error.html template, using the [flask.render_template](https://flask.palletsprojects.com/en/2.1.x/api/flask.render_template) function. However, the error_message is rendered using the [| safe filter](https://jinja.palletsprojects.com/en/3.1.x/templates/working-with-automatic-escaping), meaning the user input is not escaped. | MEDIUM | Jul 12, 2022 | n/a |
| CVE-2022-24800 | October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose the `October\\Rain\\Database\\Attach\\File::fromData` as a public interface and does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally. The issue has been patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. Those who are unable to upgrade may apply with patch to their installation manually as a workaround. | MEDIUM | Jul 13, 2022 | n/a |
| CVE-2022-22998 | Implemented protections on AWS credentials that were not properly protected. | MEDIUM | Jul 13, 2022 | n/a |
| CVE-2022-22711 | Windows BitLocker Information Disclosure Vulnerability | MEDIUM | Jul 13, 2022 | n/a |
| CVE-2022-22048 | BitLocker Security Feature Bypass Vulnerability | MEDIUM | Jul 13, 2022 | n/a |
| CVE-2022-22045 | Windows.Devices.Picker.dll Elevation of Privilege Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-22042 | Windows Hyper-V Information Disclosure Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-22039 | Windows Network File System Remote Code Execution Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-22038 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-22036 | Performance Counters for Windows Elevation of Privilege Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-22029 | Windows Network File System Remote Code Execution Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-22028 | Windows Network File System Information Disclosure Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-22027 | Windows Fax Service Remote Code Execution Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-22025 | Windows Internet Information Services Cachuri Module Denial of Service Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-22024 | Windows Fax Service Remote Code Execution Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-22023 | Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-21845 | Windows Kernel Information Disclosure Vulnerability | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-20234 | In Car Settings app, the NotificationAccessConfirmationActivity is exported. In NotificationAccessConfirmationActivity, it gets both \'mComponentName\' and \'pkgTitle\' from user.An unprivileged app can use a malicous mComponentName with a benign pkgTitle (e.g. Settings app) to make users enable notification access permission for the malicious app. That is, users believe they enable the notification access permission for the Settings app, but actually they enable the notification access permission for the malicious app.Once the malicious app gets the notification access permission, it can read all notifications, including users\' personal information.Product: AndroidVersions: Android-12LAndroid ID: A-225189301 | MEDIUM | Jul 14, 2022 | n/a |
| CVE-2022-20228 | In various functions of C2DmaBufAllocator.cpp, there is a possible memory corruption due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-213850092 | MEDIUM | Jul 14, 2022 | n/a |
| CVE-2022-20224 | In AT_SKIP_REST of bta_hf_client_at.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure in the Bluetooth stack with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-220732646 | MEDIUM | Jul 14, 2022 | n/a |
| CVE-2022-20218 | In PermissionController, there is a possible way to get and retain permissions without user\'s consent due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-223907044 | MEDIUM | Jul 14, 2022 | n/a |
| CVE-2022-20212 | In wifi.RequestToggleWifiActivity of AndroidManifest.xml, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-182282630 | MEDIUM | Jul 14, 2022 | n/a |
| CVE-2022-2408 | The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels. | MEDIUM | Jul 15, 2022 | n/a |
| CVE-2022-2406 | The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API. | MEDIUM | Jul 15, 2022 | n/a |
| CVE-2022-2385 | A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges. | MEDIUM | Jul 13, 2022 | n/a |
| CVE-2022-2366 | Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers. | MEDIUM | Jul 12, 2022 | n/a |
| CVE-2022-2297 | A vulnerability, which was classified as critical, was found in SourceCodester Clinics Patient Management System 2.0. Affected is an unknown function of the file /pms/update_user.php?user_id=1. The manipulation of the argument profile_picture with the input <?php phpinfo();?> leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-2291 | A vulnerability was found in SourceCodester Hotel Management System 2.0. It has been rated as problematic. This issue affects some unknown processing of the file /ci_hms/search of the component Search. The manipulation of the argument search with the input ><script>alert(XSS)</script> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | MEDIUM | Jul 16, 2022 | n/a |
| CVE-2022-2263 | A vulnerability was found in Online Hotel Booking System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file edit_room_cat.php of the component Room Handler. The manipulation of the argument roomname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | MEDIUM | Jul 12, 2022 | n/a |
| CVE-2022-2262 | A vulnerability has been found in Online Hotel Booking System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file edit_all_room.php of the component Room Handler. The manipulation of the argument id with the input 2828%27%20AND%20(SELECT%203766%20FROM%20(SELECT(SLEEP(5)))BmIK)%20AND%20%27YLPl%27=%27YLPl leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | MEDIUM | Jul 12, 2022 | n/a |
| CVE-2022-2222 | The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-2211 | A vulnerability was found in libguestfs. This issue occurs while calculating the greatest possible number of matching keys in the get_keys() function. This flaw leads to a denial of service, either by mistake or malicious actor. | MEDIUM | Jul 13, 2022 | n/a |
| CVE-2022-2187 | The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER[\'REQUEST_URI\'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-2173 | The Advanced Database Cleaner WordPress plugin before 3.1.1 does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-2168 | The Download Manager WordPress plugin before 3.2.44 does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-2146 | The Import CSV Files WordPress plugin through 1.0 does not sanitise and escaped imported data before outputting them back in a page, and is lacking CSRF check when performing such action as well, resulting in a Reflected Cross-Site Scripting | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-2144 | The Jquery Validation For Contact Form 7 WordPress plugin before 5.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like default_role, users_can_register via a CSRF attack | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-2133 | The OAuth Single Sign On WordPress plugin before 6.22.6 doesn\'t validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user\'s email address. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-2123 | The WP Opt-in WordPress plugin through 1.4.1 is vulnerable to CSRF which allows changed plugin settings and can be used for sending spam emails. | MEDIUM | Jul 15, 2022 | n/a |
| CVE-2022-2092 | The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.16.0 doesn\'t escape a parameter on its setting page, making it possible for attackers to conduct reflected cross-site scripting attacks. | MEDIUM | Jul 11, 2022 | n/a |
