The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2022-29986 | Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via \\scbs\\classes\\Master.php?f=delete_facility. | -- | May 12, 2022 |
| CVE-2022-29985 | Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via \\scbs\\classes\\Master.php?f=delete_category. | -- | May 12, 2022 |
| CVE-2022-29984 | Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/?page=client/view_client&id=. | -- | May 12, 2022 |
| CVE-2022-29983 | Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/?page=invoice/view_invoice&id=. | -- | May 12, 2022 |
| CVE-2022-29982 | Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/maintenance/manage_service.php?id=. | -- | May 12, 2022 |
| CVE-2022-29981 | Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Users.php?f=delete. | -- | May 12, 2022 |
| CVE-2022-29980 | Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/?page=user/manage_user&id=. | -- | May 12, 2022 |
| CVE-2022-29979 | Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Master.php?f=delete_designation. | -- | May 12, 2022 |
| CVE-2022-29978 | There is a floating point exception error in sixel_encoder_do_resize, encoder.c:633 in libsixel img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file. | -- | May 11, 2022 |
| CVE-2022-29977 | There is an assertion failure error in stbi__jpeg_huff_decode, stb_image.h:1894 in libsixel img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file. | -- | May 11, 2022 |
| CVE-2022-29976 | An Authenticated Reflected Cross-site scripting at BCC Parameter was discovered in MDaemon before 22.0.0 . | -- | May 11, 2022 |
| CVE-2022-29975 | An Authenticated Reflected Cross-site scripting at CC Parameter was discovered in MDaemon before 22.0.0 . | -- | May 11, 2022 |
| CVE-2022-29973 | relan exFAT 1.3.0 allows local users to obtain sensitive information (data from deleted files in the filesystem) in certain situations involving offsets beyond ValidDataLength. | LOW | May 2, 2022 |
| CVE-2022-29972 | An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) may allow a local user to execute arbitrary code. | -- | May 9, 2022 |
| CVE-2022-29971 | An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Athena ODBC Driver 1.1.1 through 1.1.x before 1.1.17 may allow a local user to execute arbitrary code. | -- | May 9, 2022 |
| CVE-2022-29970 | Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. | MEDIUM | May 2, 2022 |
| CVE-2022-29969 | The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true). | MEDIUM | May 2, 2022 |
| CVE-2022-29968 | An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private. | MEDIUM | May 2, 2022 |
| CVE-2022-29967 | static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6.2 allows directory traversal. | MEDIUM | Apr 30, 2022 |
| CVE-2022-29950 | Experian Hunter 1.16 allows remote authenticated users to modify assumed-immutable elements via the (1) rule name parameter to the Rules page or the (2) subrule name or (3) categories name parameter to the Subrules page. | MEDIUM | May 4, 2022 |
| CVE-2022-29947 | Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping. | MEDIUM | Apr 30, 2022 |
| CVE-2022-29945 | DJI drone devices sold in 2017 through 2022 broadcast unencrypted information about the drone operator\'s physical location via the AeroScope protocol. | MEDIUM | Apr 30, 2022 |
| CVE-2022-29943 | Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version. | MEDIUM | May 4, 2022 |
| CVE-2022-29942 | Talend Administration Center has a vulnerability that allows an authenticated user to use the Service Registry \'Add\' functionality to perform SSRF HTTP GET requests on URLs in the internal network. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version. | MEDIUM | May 4, 2022 |
| CVE-2022-29940 | In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\\orders\\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities. | LOW | May 5, 2022 |
| CVE-2022-29939 | In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\\billing\\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities. | LOW | May 5, 2022 |
| CVE-2022-29938 | In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameter payment_id in interface\\billing\\new_payment.php via interface\\billing\\payment_master.inc.php leads to SQL injection. | MEDIUM | May 5, 2022 |
| CVE-2022-29937 | USU Oracle Optimization before 5.17.5 allows authenticated DataCollection users to achieve agent root access because some common OS commands are blocked but (for example) an OS command for base64 decoding is not blocked. NOTE: this is not an Oracle Corporation product. | HIGH | Apr 30, 2022 |
| CVE-2022-29936 | USU Oracle Optimization before 5.17 allows authenticated quantum users to achieve remote code execution because of /v2/quantum/save-data-upload-big-file Java deserialization. NOTE: this is not an Oracle Corporation product. | MEDIUM | Apr 30, 2022 |
| CVE-2022-29935 | USU Oracle Optimization before 5.17.5 allows attackers to discover the quantum credentials via an agent-installer download. NOTE: this is not an Oracle Corporation product. | MEDIUM | Apr 30, 2022 |
| CVE-2022-29934 | USU Oracle Optimization before 5.17.5 lacks Polkit authentication, which allows smartcollector users to achieve root access via pkexec. NOTE: this is not an Oracle Corporation product. | HIGH | Apr 30, 2022 |
| CVE-2022-29933 | Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account\'s password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor\'s position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). | -- | May 9, 2022 |
| CVE-2022-29932 | The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 (File Transfer) allows an unauthenticated attacker to obtain sensitive data (related to the content of transferred files) via a crafted HTTP request. | -- | May 11, 2022 |
| CVE-2022-29930 | SHA1 implementation in JetBrains Ktor Native before 2.0.1 was returning the same value | -- | May 12, 2022 |
| CVE-2022-29929 | In JetBrains TeamCity before 2022.04 potential XSS via Referrer header was possible | -- | May 12, 2022 |
| CVE-2022-29928 | In JetBrains TeamCity before 2022.04 leak of secrets in TeamCity agent logs was possible | -- | May 12, 2022 |
| CVE-2022-29927 | In JetBrains TeamCity before 2022.04 reflected XSS on the Build Chain Status page was possible | -- | May 12, 2022 |
| CVE-2022-29907 | The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages. | MEDIUM | May 7, 2022 |
| CVE-2022-29906 | The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user. | HIGH | Apr 29, 2022 |
| CVE-2022-29905 | The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF. | MEDIUM | Apr 29, 2022 |
| CVE-2022-29904 | The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain \'-\' and \'_\' constraints. | HIGH | Apr 29, 2022 |
| CVE-2022-29903 | The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension\'s configuration. The attacker must trigger a POST request to Special:PrivateDomains. | MEDIUM | Apr 29, 2022 |
| CVE-2022-29898 | On various RAD-ISM-900-EN-* devices by PHOENIX CONTACT an admin user could use the configuration file uploader in the WebUI to execute arbitrary code with root privileges on the OS due to an improper validation of an integrity check value in all versions of the firmware. | -- | May 11, 2022 |
| CVE-2022-29897 | On various RAD-ISM-900-EN-* devices by PHOENIX CONTACT an admin user could use the traceroute utility integrated in the WebUI to execute arbitrary code with root privileges on the OS due to an improper input validation in all versions of the firmware. | -- | May 11, 2022 |
| CVE-2022-29885 | The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. | -- | May 12, 2022 |
| CVE-2022-29869 | cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. | MEDIUM | May 7, 2022 |
| CVE-2022-29868 | 1Password for Mac 7.2.4 through 7.9.x before 7.9.3 is vulnerable to a process validation bypass. Malicious software running on the same computer can exfiltrate secrets from 1Password provided that 1Password is running and is unlocked. Affected secrets include vault items and derived values used for signing in to 1Password. | -- | May 9, 2022 |
| CVE-2022-29859 | component/common/network/dhcp/dhcps.c in ambiot amb1_sdk (aka SDK for Ameba1) before 2022-03-11 mishandles data structures for DHCP packet data. | HIGH | May 7, 2022 |
| CVE-2022-29856 | A hardcoded cryptographic key in Automation360 22 allows an attacker to decrypt exported RPA packages. | MEDIUM | Apr 30, 2022 |
| CVE-2022-29855 | Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have undocumented functionality. A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution. | -- | May 12, 2022 |
