The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-41719 | Unmarshal can panic on some inputs, possibly allowing for denial of service attacks. | -- | Nov 10, 2022 | n/a |
| CVE-2022-41717 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. | -- | Dec 5, 2022 | n/a |
| CVE-2022-41716 | Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string A=B\\x00C=D sets the variables A=B and C=D. | -- | Oct 19, 2022 | n/a |
| CVE-2022-41715 | Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. | -- | Oct 8, 2022 | n/a |
| CVE-2022-41714 | fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the \'__proto__\' property to be edited. | -- | Nov 5, 2022 | n/a |
| CVE-2022-41713 | deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the \'__proto__\' property to be edited. | -- | Nov 5, 2022 | n/a |
| CVE-2022-41712 | Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter. | -- | Nov 25, 2022 | n/a |
| CVE-2022-41711 | Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. | -- | Oct 28, 2022 | n/a |
| CVE-2022-41710 | Markdownify version 1.4.1 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Markdownify. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them. | -- | Nov 4, 2022 | n/a |
| CVE-2022-41709 | Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the nodeIntegration option enabled. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41708 | Relatedcode\'s Messenger version 7bcd20b allows an authenticated external attacker to access existing chats in the workspaces of any user of the application. This is possible because the application does not validate permissions correctly. | -- | Oct 21, 2022 | n/a |
| CVE-2022-41707 | Relatedcode\'s Messenger version 7bcd20b allows an authenticated external attacker to access sensitive data of any user of the application. This is possible because the application exposes user data to the public. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41706 | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method. | -- | Nov 25, 2022 | n/a |
| CVE-2022-41705 | Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. | -- | Nov 25, 2022 | n/a |
| CVE-2022-41704 | A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16. | -- | Oct 30, 2022 | n/a |
| CVE-2022-41703 | A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag ALLOW_ADHOC_SUBQUERY disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | -- | Jan 24, 2023 | n/a |
| CVE-2022-41702 | The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the InsertReg API. | -- | Oct 28, 2022 | n/a |
| CVE-2022-41701 | The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PutShift API. | -- | Oct 28, 2022 | n/a |
| CVE-2022-41700 | Insecure inherited permissions in some Intel(R) NUC Pro Software Suite installation software before version 2.0.0.9 may allow an authenticated user to potentially enable escalation of privilege via local access. | -- | Nov 14, 2023 | n/a |
| CVE-2022-41699 | Incorrect permission assignment for critical resource in some Intel(R) QAT drivers for Windows before version 1.9.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | -- | May 10, 2023 | n/a |
| CVE-2022-41698 | Missing Authorization vulnerability in Layered If Menu.This issue affects If Menu: from n/a through 0.16.3. | -- | Apr 17, 2024 | n/a |
| CVE-2022-41697 | A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability. | -- | Dec 22, 2022 | n/a |
| CVE-2022-41696 | Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | -- | Mar 23, 2023 | n/a |
| CVE-2022-41695 | Missing Authorization vulnerability in SedLex Traffic Manager.This issue affects Traffic Manager: from n/a through 1.4.5. | -- | Jan 17, 2024 | n/a |
| CVE-2022-41694 | In BIG-IP versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, and BIG-IQ versions 8.x before 8.2.0.1 and all versions of 7.x, when an SSL key is imported on a BIG-IP or BIG-IQ system, undisclosed input can cause MCPD to terminate. | -- | Oct 23, 2022 | n/a |
| CVE-2022-41693 | Uncontrolled search path in the Intel(R) Quartus(R) Prime Pro edition software before version 22.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | -- | May 10, 2023 | n/a |
| CVE-2022-41692 | Missing Authorization vulnerability in Appointment Hour Booking plugin <= 1.3.71 on WordPress. | -- | Nov 18, 2022 | n/a |
| CVE-2022-41691 | When a BIG-IP Advanced WAF/ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. | -- | Oct 23, 2022 | n/a |
| CVE-2022-41690 | Improper access control in the Intel(R) Retail Edge Mobile iOS application before version 3.4.7 may allow an authenticated user to potentially enable escalation of privilege via local access. | -- | May 10, 2023 | n/a |
| CVE-2022-41689 | Improper access control in some Intel In-Band Manageability software before version 3.0.14 may allow an authenticated user to potentially enable escalation of privilege via local access. | -- | Nov 14, 2023 | n/a |
| CVE-2022-41688 | Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to the administrator group. | -- | Nov 2, 2022 | n/a |
| CVE-2022-41687 | Insecure inherited permissions in the HotKey Services for some Intel(R) NUC P14E Laptop Element software for Windows 10 before version 1.1.44 may allow an authenticated user to potentially enable escalation of privilege via local access. | -- | May 10, 2023 | n/a |
| CVE-2022-41686 | OpenHarmony-v3.1.2 and prior versions, 3.0.6 and prior versions have an Out-of-bound memory read and write vulnerability in /dev/mmz_userdev device driver. The impact depends on the privileges of the attacker. The unprivileged process run on the device could read out-of-bound memory leading sensitive to information disclosure. The processes with system user UID run on the device would be able to write out-of-bound memory which could lead to unspecified memory corruption. | -- | Oct 14, 2022 | n/a |
| CVE-2022-41685 | Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Viszt Péter\'s Integration for Szamlazz.hu & WooCommerce plugin <= 5.6.3.2 and Csomagpontok és szállítási címkék WooCommerce-hez plugin <= 1.9.0.2 on WordPress. | -- | Nov 20, 2022 | n/a |
| CVE-2022-41684 | A heap out of bounds read vulnerability exists in the OpenImageIO master-branch-9aeece7a when parsing the image file directory part of a PSD image file. A specially-crafted .psd file can cause a read of arbitrary memory address which can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability. | -- | Dec 23, 2022 | n/a |
| CVE-2022-41681 | There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the SCORM importer feature. The exploitation of this vulnerability could lead to a remote code injection. | -- | Nov 1, 2022 | n/a |
| CVE-2022-41680 | Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the \'search[value] parameter in the appLms/ajax.server.php?r=mycertificate/getMyCertificates\' function in order to dump the entire database. | -- | Nov 1, 2022 | n/a |
| CVE-2022-41679 | Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scripting vulnerability, that could allow a remote attacker to inject javascript code on the “back_url” parameter in appLms/index.php?modname=faq&op=play function. The exploitation of this vulnerability could allow an attacker to steal the user´s cookies in order to log in to the application. | -- | Nov 1, 2022 | n/a |
| CVE-2022-41678 | Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest is able to invoke through refection. And then, RCE is able to be achieved via jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0. | -- | Nov 28, 2023 | n/a |
| CVE-2022-41677 | An information disclosure vulnerability was discovered in Bosch IP camera devices allowing an unauthenticated attacker to retrieve information (like capabilities) about the device itself and network settings of the device, disclosing possibly internal network settings if the device is connected to the internet. | -- | Dec 18, 2023 | n/a |
| CVE-2022-41676 | Raiden MAILD Mail Server website mail field has insufficient filtering for user input. A remote attacker with general user privilege can send email using the website with malicious JavaScript in the input field, which triggers XSS (Reflected Cross-Site Scripting) attack to the mail recipient. | -- | Dec 1, 2022 | n/a |
| CVE-2022-41675 | A remote attacker with general user privilege can inject malicious code in the form content of Raiden MAILD Mail Server website. Other users export form content as CSV file can trigger arbitrary code execution and allow the attacker to perform arbitrary system operation or disrupt service on the user side. | -- | Dec 1, 2022 | n/a |
| CVE-2022-41674 | An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c. | -- | Oct 15, 2022 | n/a |
| CVE-2022-41672 | In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn\'t prevent an already authenticated user from being able to continue using the UI or API. | -- | Oct 7, 2022 | n/a |
| CVE-2022-41671 | A CWE-89: Improper Neutralization of Special Elements used in SQL Command (‘SQL Injection’) vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute as part of project migration which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior). | -- | Nov 4, 2022 | n/a |
| CVE-2022-41670 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior). | -- | Nov 4, 2022 | n/a |
| CVE-2022-41669 | A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load a malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior). | -- | Nov 4, 2022 | n/a |
| CVE-2022-41668 | A CWE-704: Incorrect Project Conversion vulnerability exists that allows adversaries with local user privileges to load a project file from an adversary-controlled network share which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior). | -- | Nov 5, 2022 | n/a |
| CVE-2022-41667 | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior). | -- | Nov 5, 2022 | n/a |
| CVE-2022-41666 | A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior). | -- | Nov 5, 2022 | n/a |
