The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2022-1044 | Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1. | MEDIUM | May 12, 2022 | n/a |
CVE-2022-1043 | A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges. | -- | Mar 24, 2022 | n/a |
CVE-2022-1042 | In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning. | -- | Jul 26, 2022 | n/a |
CVE-2022-1041 | In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning. | -- | Jul 26, 2022 | n/a |
CVE-2022-1040 | An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older. | HIGH | Mar 25, 2022 | n/a |
CVE-2022-1039 | The weak password on the web user interface can be exploited via HTTP or HTTPS. Once such access has been obtained, the other passwords can be changed. The weak password on Linux accounts can be accessed via SSH or Telnet, the former of which is by default enabled on trusted interfaces. While the SSH service does not support root login, a user logging in using either of the other Linux accounts may elevate to root access using the su command if they have access to the associated password. | HIGH | Apr 20, 2022 | n/a |
CVE-2022-1038 | A potential security vulnerability has been identified in the HP Jumpstart software, which might allow escalation of privilege. HP is recommending that customers uninstall HP Jumpstart and use myHP software. | -- | Dec 12, 2022 | n/a |
CVE-2022-1037 | The EXMAGE WordPress plugin before 1.0.7 does not ensure that images added via URLs are external images, which could lead to a blind SSRF issue by using local URLs | MEDIUM | Apr 18, 2022 | n/a |
CVE-2022-1036 | Being able to create an account with a long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microweber prior to 1.2.12. | MEDIUM | Mar 23, 2022 | n/a |
CVE-2022-1035 | Segmentation Fault caused by MP4Box -lsr in GitHub repository gpac/gpac prior to 2.1.0-DEV. | MEDIUM | Mar 22, 2022 | n/a |
CVE-2022-1034 | There is an Unrestricted Upload of File vulnerability in ShowDoc v2.10.3 in GitHub repository star7th/showdoc prior to 2.10.4. | MEDIUM | Mar 22, 2022 | n/a |
CVE-2022-1033 | Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.6. | MEDIUM | Mar 23, 2022 | n/a |
CVE-2022-1032 | Insecure deserialization of not validated module file in GitHub repository crater-invoice/crater prior to 6.0.6. | MEDIUM | Apr 4, 2022 | n/a |
CVE-2022-1031 | Use After Free in op_is_set_bp in GitHub repository radareorg/radare2 prior to 5.6.6. | MEDIUM | Mar 23, 2022 | n/a |
CVE-2022-1030 | Okta Advanced Server Access Client for Linux and macOS prior to version 1.58.0 was found to be vulnerable to command injection via a specially crafted URL. An attacker, who has knowledge of a valid team name for the victim and also knows a valid target host where the user has access, can execute commands on the local system. | HIGH | Mar 24, 2022 | n/a |
CVE-2022-1029 | The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious Javascript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | LOW | Jun 27, 2022 | n/a |
CVE-2022-1028 | The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious Javascript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | LOW | Jun 27, 2022 | n/a |
CVE-2022-1027 | The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges and access to the settings page to inject Javascript code into its settings, leading to stored Cross-Site Scripting that will only affect administrator users. | LOW | Apr 25, 2022 | n/a |
CVE-2022-1026 | Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function. | MEDIUM | Apr 4, 2022 | n/a |
CVE-2022-1025 | All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. | HIGH | Jul 13, 2022 | n/a |
CVE-2022-1024 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2022-1023 | The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by importing a malicious podcast file | MEDIUM | Apr 15, 2022 | n/a |
CVE-2022-1022 | Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0. | LOW | Apr 21, 2022 | n/a |
CVE-2022-1021 | Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0. | -- | Aug 19, 2022 | n/a |
CVE-2022-1020 | The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument | HIGH | Apr 18, 2022 | n/a |
CVE-2022-1019 | Automated Logic's WebCtrl Server Version 6.1 'Help' index pages are vulnerable to open redirection. The vulnerability allows an attacker to send a maliciously crafted URL which could result in redirecting the user to a malicious webpage or downloading a malicious file. | MEDIUM | Apr 20, 2022 | n/a |
CVE-2022-1018 | When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality. | MEDIUM | Apr 2, 2022 | n/a |
CVE-2022-1016 | A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker. | -- | Mar 30, 2022 | n/a |
CVE-2022-1015 | A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue. | MEDIUM | Apr 30, 2022 | n/a |
CVE-2022-1014 | The WP Contacts Manager WordPress plugin through 2.2.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability. | HIGH | May 23, 2022 | n/a |
CVE-2022-1013 | The Personal Dictionary WordPress plugin before 1.3.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability. | HIGH | May 9, 2022 | n/a |
CVE-2022-1012 | A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to leak information and may cause a denial of service problem. | -- | May 12, 2022 | n/a |
CVE-2022-1011 | A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation. | MEDIUM | Mar 18, 2022 | n/a |
CVE-2022-1010 | The Login using WordPress Users ( WP as SAML IDP ) WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) | LOW | Jun 27, 2022 | n/a |
CVE-2022-1009 | The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file | MEDIUM | May 31, 2022 | n/a |
CVE-2022-1008 | The One Click Demo Import WordPress plugin before 3.1.0 does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed | MEDIUM | Apr 15, 2022 | n/a |
CVE-2022-1007 | The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue | MEDIUM | Apr 14, 2022 | n/a |
CVE-2022-1006 | The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks | MEDIUM | Apr 14, 2022 | n/a |
CVE-2022-1005 | The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters | MEDIUM | Jun 8, 2022 | n/a |
CVE-2022-1004 | Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled. | MEDIUM | Mar 21, 2022 | n/a |
CVE-2022-1003 | One of the APIs in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows system administrators to combine two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads. | MEDIUM | Mar 18, 2022 | n/a |
CVE-2022-1002 | Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations. | LOW | Mar 18, 2022 | n/a |
CVE-2022-1001 | The WP Downgrade WordPress plugin before 1.2.3 only performs client-side validation of its WordPress Target Version setting, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site attacks even when the unfiltered_html capability is disallowed | LOW | Apr 25, 2022 | n/a |
CVE-2022-1000 | Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7. | HIGH | Mar 17, 2022 | n/a |
CVE-2022-0999 | An authenticated user may be able to misuse parameters to inject arbitrary operating system commands into mySCADA myPRO versions 8.25.0 and prior. | HIGH | Apr 12, 2022 | n/a |
CVE-2022-0998 | An integer overflow flaw was found in the Linux kernel’s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. This flaw allows a local user to crash or potentially escalate their privileges on the system. | HIGH | Mar 18, 2022 | n/a |
CVE-2022-0997 | Improper file permissions in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected script files, which could result in arbitrary commands being run as root upon subsequent logon by a root user. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability. | HIGH | May 18, 2022 | n/a |
CVE-2022-0996 | A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication. | MEDIUM | Mar 24, 2022 | n/a |
CVE-2022-0995 | An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system. | MEDIUM | Mar 25, 2022 | n/a |
CVE-2022-0994 | The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin, to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | LOW | Apr 18, 2022 | n/a |