The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-38752 | Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow. | -- | Sep 8, 2022 | n/a |
| CVE-2022-38753 | This update resolves a multi-factor authentication bypass attack | -- | Dec 2, 2022 | n/a |
| CVE-2022-38754 | A potential vulnerability has been identified in Micro Focus Operations Bridge - Containerized. The vulnerability could be exploited by a malicious authenticated OBM (Operations Bridge Manager) user to run Java Scripts in the browser context of another OBM user. Please note: The vulnerability is only applicable if the Operations Bridge Manager capability is deployed. A potential vulnerability has been identified in Micro Focus Operations Bridge Manager (OBM). The vulnerability could be exploited by a malicious authenticated OBM user to run Java Scripts in the browser context of another OBM user. This issue affects: Micro Focus Micro Focus Operations Bridge Manager versions prior to 2022.11. Micro Focus Micro Focus Operations Bridge- Containerized versions prior to 2022.11. | -- | Dec 8, 2022 | n/a |
| CVE-2022-38755 | A vulnerability has been identified in Micro Focus Filr in versions prior to 4.3.1.1. The vulnerability could be exploited to allow a remote unauthenticated attacker to enumerate valid users of the system. Remote unauthenticated user enumeration. This issue affects: Micro Focus Filr versions prior to 4.3.1.1. | -- | Nov 23, 2022 | n/a |
| CVE-2022-38756 | A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2. The GW Web component makes a request to the Post Office Agent that contains sensitive information in the query parameters that could be logged by any intervening HTTP proxies. | -- | Dec 16, 2022 | n/a |
| CVE-2022-38757 | A vulnerability has been identified in Micro Focus ZENworks 2020 Update 3a and prior versions. This vulnerability allows administrators with rights to perform actions (e.g., install a bundle) on a set of managed devices, to be able to exercise these rights on managed devices in the ZENworks zone but which are outside the scope of the administrator. This vulnerability does not result in the administrators gaining additional rights on the managed devices, either in the scope or outside the scope of the administrator. | -- | Dec 23, 2022 | n/a |
| CVE-2022-38758 | Cross-site Scripting (XSS) vulnerability in NetIQ iManager prior to version 3.2.6 allows attacker to execute malicious scripts on the user\'s browser. This issue affects: Micro Focus NetIQ iManager NetIQ iManager versions prior to 3.2.6 on ALL. | -- | Jan 27, 2023 | n/a |
| CVE-2022-38764 | A vulnerability on Trend Micro HouseCall version 1.62.1.1133 and below could allow a local attacker to escalate privlieges due to an overly permissive folder om the product installer. | -- | Sep 21, 2022 | n/a |
| CVE-2022-38765 | Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter. | -- | Dec 9, 2022 | n/a |
| CVE-2022-38766 | The remote keyless system on Renault ZOE 2021 vehicles sends 433.92 MHz RF signals from the same Rolling Codes set for each door-open request, which allows for a replay attack. | -- | Jan 3, 2023 | n/a |
| CVE-2022-38767 | An issue was discovered in Wind River VxWorks 6.9 and 7, that allows a specifically crafted packet sent by a Radius server, may cause Denial of Service during the IP Radius access procedure. | LOW | Nov 25, 2022 | 22.09 (VxWorks 7) |
| CVE-2022-38768 | The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to bypass authorization. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38769 | The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch cleartext passwords upon a successful login request. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38770 | The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch other users\' data upon a successful login request. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38771 | The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to send SCRIPT tags as injected input to the API request. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38772 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature. | -- | Sep 2, 2022 | n/a |
| CVE-2022-38773 | Affected devices do not contain an Immutable Root of Trust in Hardware. With this the integrity of the code executed on the device can not be validated during load-time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code. | -- | Jan 13, 2023 | n/a |
| CVE-2022-38774 | An issue was discovered in the quarantine feature of Elastic Endpoint Security and Elastic Endgame for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | -- | Jan 27, 2023 | n/a |
| CVE-2022-38775 | An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | -- | Jan 27, 2023 | n/a |
| CVE-2022-38784 | Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf. | -- | Sep 2, 2022 | n/a |
| CVE-2022-38788 | An issue was discovered in Nokia FastMile 5G Receiver 5G14-B 1.2104.00.0281. Bluetooth on the Nokia ODU uses outdated pairing mechanisms, allowing an attacker to passively intercept a paring handshake and (after offline cracking) retrieve the PIN and LTK (long-term key). | -- | Sep 15, 2022 | n/a |
| CVE-2022-38789 | An issue was discovered in Airties Smart Wi-Fi before 2020-08-04. It allows attackers to change the main/guest SSID and the PSK to arbitrary values, and map the LAN, because of Insecure Direct Object Reference. | -- | Sep 15, 2022 | n/a |
| CVE-2022-38790 | Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim\'s permission. The exposure appears in Weave GitOps Enterprise UI via a GitopsCluster dashboard link. An annotation can be added to a GitopsCluster custom resource. | -- | Sep 1, 2022 | n/a |
| CVE-2022-38791 | In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock. | -- | Aug 27, 2022 | n/a |
| CVE-2022-38792 | The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution backdoor inserted by a third party. | -- | Aug 27, 2022 | n/a |
| CVE-2022-38794 | Zaver through 2020-12-15 allows directory traversal via the GET /.. substring. | -- | Aug 27, 2022 | n/a |
| CVE-2022-38796 | A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. This can be exploited by abusing password reset emails. | -- | Sep 16, 2022 | n/a |
| CVE-2022-38801 | In Zkteco BioTime < 8.5.3 Build:20200816.447, an employee can hijack an administrator session and cookies using blind cross-site scripting. | -- | Dec 2, 2022 | n/a |
| CVE-2022-38802 | Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via resign, private message, manual log, time interval, attshift, and holiday. An authenticated administrator can read local files by exploiting XSS into a pdf generator when exporting data as a PDF | -- | Dec 2, 2022 | n/a |
| CVE-2022-38803 | Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log. An authenticated employee can read local files by exploiting XSS into a pdf generator when exporting data as a PDF | -- | Dec 2, 2022 | n/a |
| CVE-2022-38808 | ywoa v6.1 is vulnerable to SQL Injection via backend/oa/visual/exportExcel.do interface. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38812 | AeroCMS 0.1.1 is vulnerable to SQL Injection via the author parameter. | -- | Aug 31, 2022 | n/a |
| CVE-2022-38813 | PHPGurukul Blood Donor Management System 1.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, delete the users, add and manage Blood Group, and Submit Report. | -- | Nov 25, 2022 | n/a |
| CVE-2022-38814 | A stored cross-site scripting (XSS) vulnerability in the auth_settings component of FiberHome AN5506-02-B vRP2521 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the sncfg_loid text field. | -- | Sep 16, 2022 | n/a |
| CVE-2022-38817 | Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data. | -- | Oct 5, 2022 | n/a |
| CVE-2022-38823 | In TOTOLINK T6 V4.1.5cu.709_B20210518, there is a hard coded password for root in /etc/shadow.sample. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38826 | In TOTOLINK T6 V4.1.5cu.709_B20210518, there is an execute arbitrary command in cstecgi.cgi. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38827 | TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to Buffer Overflow via cstecgi.cgi | -- | Sep 17, 2022 | n/a |
| CVE-2022-38828 | TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi | -- | Sep 17, 2022 | n/a |
| CVE-2022-38829 | Tenda RX9_Pro V22.03.02.10 is vulnerable to Buffer Overflow via httpd/setMacFilterCfg. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38830 | Tenda RX9_Pro V22.03.02.10 is vulnerable to Buffer Overflow via httpd/setIPv6Status. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38831 | Tenda RX9_Pro V22.03.02.10 is vulnerable to Buffer Overflow via httpd/SetNetControlList | -- | Sep 17, 2022 | n/a |
| CVE-2022-38832 | School Activity Updates with SMS Notification v1.0 is vulnerable to SQL Injection via /activity/admin/modules/department/index.php?view=edit&id=. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38833 | School Activity Updates with SMS Notification v1.0 is vulnerable to SQL Injection via /activity/admin/modules/modstudent/index.php?view=view&id=. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38843 | EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any extension to the server. Attacker may execute these malicious files to run unintended code on the server to compromise the server. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38844 | CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38845 | Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38846 | EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack. | -- | Sep 17, 2022 | n/a |
| CVE-2022-38850 | The MPlayer Project mencoder SVN-r38374-13.0.1 is vulnerable to Divide By Zero via the function config () of llibmpcodecs/vf_scale.c. | -- | Sep 15, 2022 | n/a |
| CVE-2022-38851 | Certain The MPlayer Project products are vulnerable to Out-of-bounds Read via function read_meta_record() of mplayer/libmpdemux/asfheader.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1. | -- | Sep 15, 2022 | n/a |
