The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-3411 | A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. | -- | Feb 14, 2023 | n/a |
| CVE-2022-3409 | A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service. This vulnerability was identified during mitigation for CVE-2022-2809. When fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS. | -- | Oct 27, 2022 | n/a |
| CVE-2022-3408 | The WP Word Count WordPress plugin through 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | -- | Nov 1, 2022 | n/a |
| CVE-2022-3407 | I some cases, when the device is USB-tethered to a host PC, and the device is sharing its mobile network connection with the host PC, if the user originates a call on the device, then the device\'s modem may reset and cause the phone call to not succeed. This may block the user from dialing emergency services. This patch resolves the device\'s modem reset issue. | -- | Sep 1, 2023 | n/a |
| CVE-2022-3405 | Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545. | -- | May 3, 2023 | n/a |
| CVE-2022-3404 | Rejected reason: This candidate is unused by its CNA. | -- | Nov 7, 2023 | n/a |
| CVE-2022-3403 | Rejected reason: Duplicate, please use CVE-2023-28931 instead. | -- | Nov 7, 2023 | n/a |
| CVE-2022-3402 | The Log HTTP Requests plugin for WordPress is vulnerable to Stored Cross-Site Scripting via logged HTTP requests in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers who can trick a site\'s administrator into performing an action like clicking on a link, or an authenticated user with access to a page that sends a request using user-supplied data via the server, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Oct 28, 2022 | n/a |
| CVE-2022-3401 | The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, can edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution. | -- | Oct 28, 2022 | n/a |
| CVE-2022-3400 | The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks_save_post AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website. | -- | Oct 28, 2022 | n/a |
| CVE-2022-3398 | OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code. | -- | Oct 6, 2022 | n/a |
| CVE-2022-3397 | OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code. | -- | Oct 6, 2022 | n/a |
| CVE-2022-3396 | OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code. | -- | Oct 6, 2022 | n/a |
| CVE-2022-3395 | The WP All Export Pro WordPress plugin before 1.7.9 uses the contents of the cc_sql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower privileged users as well. | -- | Oct 26, 2022 | n/a |
| CVE-2022-3394 | The WP All Export Pro WordPress plugin before 1.7.9 does not limit some functionality during exports only to users with the Administrator role, allowing any logged in user which has been given privileges to perform exports to execute arbitrary code on the site. By default only administrators can run exports, but the privilege can be delegated to lower privileged users. | -- | Oct 26, 2022 | n/a |
| CVE-2022-3393 | The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection | -- | Oct 26, 2022 | n/a |
| CVE-2022-3392 | The WP Humans.txt WordPress plugin through 1.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | -- | Oct 26, 2022 | n/a |
| CVE-2022-3391 | The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | -- | Oct 26, 2022 | n/a |
| CVE-2022-3389 | Path Traversal in GitHub repository ikus060/rdiffweb prior to 2.4.10. | -- | Oct 6, 2022 | n/a |
| CVE-2022-3388 | An input validation vulnerability exists in the Monitor Pro interface of MicroSCADA Pro and MicroSCADA X SYS600. An authenticated user can launch an administrator level remote code execution irrespective of the authenticated user\'s role. | -- | Nov 21, 2022 | n/a |
| CVE-2022-3387 | Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path traversal attacks. An unauthorized attacker could remotely exploit vulnerable PHP code to delete .PDF files. | -- | Oct 28, 2022 | n/a |
| CVE-2022-3386 | Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow. An unauthorized attacker can use an outsized filename to overflow the stack buffer and enable remote code execution. | -- | Oct 28, 2022 | n/a |
| CVE-2022-3385 | Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow. An unauthorized attacker can remotely overflow the stack buffer and enable remote code execution. | -- | Oct 28, 2022 | n/a |
| CVE-2022-3384 | The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). This is restricted to non-parameter PHP functions like phpinfo(); since user supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server. | -- | Dec 1, 2022 | n/a |
| CVE-2022-3383 | The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server. | -- | Dec 1, 2022 | n/a |
| CVE-2022-3382 | HIWIN Robot System Software version 3.3.21.9869 does not properly address the terminated command source. As a result, an attacker could craft code to disconnect HRSS and the controller and cause a denial-of-service condition. | -- | Oct 21, 2022 | n/a |
| CVE-2022-3381 | An issue has been discovered in GitLab affecting all versions starting from 10.0 to 15.7.8, 15.8 prior to 15.8.4 and 15.9 prior to 15.9.2. A crafted URL could be used to redirect users to arbitrary sites | -- | Mar 10, 2023 | n/a |
| CVE-2022-3380 | The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | -- | Nov 1, 2022 | n/a |
| CVE-2022-3379 | Horner Automation\'s Cscape version 9.90 SP7 and prior does not properly validate user-supplied data. If a user opens a maliciously formed FNT file, then an attacker could execute arbitrary code within the current process by writing outside the memory buffer. | -- | Oct 28, 2022 | n/a |
| CVE-2022-3378 | Horner Automation\'s Cscape version 9.90 SP 7 and prior does not properly validate user-supplied data. If a user opens a maliciously formed FNT file, then an attacker could execute arbitrary code within the current process by accessing an uninitialized pointer, leading to an out-of-bounds memory write. | -- | Oct 28, 2022 | n/a |
| CVE-2022-3377 | Horner Automation\'s Cscape version 9.90 SP 6 and prior does not properly validate user-supplied data. If a user opens a maliciously formed FNT file, then an attacker could execute arbitrary code within the current process by accessing an uninitialized pointer, leading to an out-of-bounds memory read. | -- | Nov 15, 2022 | n/a |
| CVE-2022-3376 | Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. | -- | Oct 6, 2022 | n/a |
| CVE-2022-3375 | An issue has been discovered in GitLab affecting all versions starting from 11.10 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to disclose the branch names when attacker has a fork of a project that was switched to private. | -- | Apr 6, 2023 | n/a |
| CVE-2022-3374 | The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog. | -- | Nov 1, 2022 | n/a |
| CVE-2022-3373 | Out of bounds write in V8 in Google Chrome prior to 106.0.5249.91 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | -- | Oct 8, 2022 | n/a |
| CVE-2022-3372 | There is a CSRF vulnerability on Netman-204 version 02.05. An attacker could manage to change administrator passwords through a Cross Site Request Forgery due to the lack of proper validation on the CRSF token. This vulnerability could allow a remote attacker to access the administrator panel, being able to modify different parameters that are critical for industrial operations. | -- | Jun 21, 2023 | n/a |
| CVE-2022-3371 | Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a3. | -- | Oct 4, 2022 | n/a |
| CVE-2022-3370 | Use after free in Custom Elements in Google Chrome prior to 106.0.5249.91 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | -- | Oct 8, 2022 | n/a |
| CVE-2022-3369 | An Improper Access Control vulnerability in the bdservicehost.exe component, as used in Bitdefender Engines for Windows, allows an attacker to delete privileged registry keys by pointing a Registry symlink to a privileged key. This issue affects: Bitdefender Engines versions prior to 7.92659. It also affects Bitdefender Antivirus Free, Bitdefender Antivirus Plus, Bitdefender Internet Security, Bitdefender Total Security, as well as Bitdefender Endpoint Security Tools for Windows with engine versions prior to 7.92659. | -- | Nov 2, 2022 | n/a |
| CVE-2022-3368 | A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios. The issue was fixed with Avira Security version 1.1.72.30556. | -- | Oct 19, 2022 | n/a |
| CVE-2022-3366 | The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site. | -- | Nov 1, 2022 | n/a |
| CVE-2022-3364 | Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a3. | -- | Oct 4, 2022 | n/a |
| CVE-2022-3363 | Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.0a7. | -- | Oct 26, 2022 | n/a |
| CVE-2022-3362 | Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0. | -- | Nov 17, 2022 | n/a |
| CVE-2022-3361 | The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the \'template\' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users. | -- | Dec 1, 2022 | n/a |
| CVE-2022-3360 | The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site secrets, allowing them to generate a valid hash via the wp_hash() function. | -- | Nov 1, 2022 | n/a |
| CVE-2022-3359 | The Shortcodes and extra features for Phlox theme WordPress plugin before 2.10.7 unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | -- | Dec 15, 2022 | n/a |
| CVE-2022-3358 | OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5). | LOW | Oct 8, 2022 | 23.03 (VxWorks 7) |
| CVE-2022-3357 | The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious file, and a suitable gadget chain is present on the site. | -- | Nov 1, 2022 | n/a |
| CVE-2022-3355 | Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. | -- | Sep 30, 2022 | n/a |
