The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2022-38094 | OS command injection vulnerability in the telnet function of CentreCOM AR260S V2 firmware versions prior to Ver.3.3.7 allows a remote authenticated attacker to execute an arbitrary OS command. | -- | Sep 8, 2022 | n/a |
CVE-2022-38095 | Cross-Site Request Forgery (CSRF) vulnerability in AlgolPlus Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.3 at WordPress. | -- | Sep 23, 2022 | n/a |
CVE-2022-38096 | A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service (DoS). | -- | Sep 9, 2022 | n/a |
CVE-2022-38097 | A use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 12.0.1.12430. By prematurely destroying annotation objects, a specially-crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled. | -- | Nov 22, 2022 | n/a |
CVE-2022-38099 | Improper input validation in BIOS firmware for some Intel(R) NUC 11 Compute Elements before version EBTGL357.0065 may allow a privileged user to potentially enable escalation of privilege via local access. | LOW | Nov 11, 2022 | n/a |
CVE-2022-38100 | The CMS800 device fails while attempting to parse malformed network data sent by a threat actor. A threat actor with network access can remotely issue a specially formatted UDP request that will cause the entire device to crash and require a physical reboot. A UDP broadcast request could be sent that causes a mass denial-of-service attack on all CME8000 devices connected to the same network. | -- | Sep 14, 2022 | n/a |
CVE-2022-38104 | Auth. WordPress Options Change (siteurl, users_can_register, default_role, admin_email and new_admin_email) vulnerability in Biplob Adhikari's Accordions – Multiple Accordions or FAQs Builder plugin (versions <= 2.0.3) on WordPress. | -- | Oct 21, 2022 | n/a |
CVE-2022-38105 | An information disclosure vulnerability exists in the cm_processREQ_NC opcode of Asus RT-AX82U 3.0.0.4.386_49674-ge182230 router's configuration service. A specially-crafted network packet can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability. | -- | Jan 14, 2023 | n/a |
CVE-2022-38106 | This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function. | -- | Dec 16, 2022 | n/a |
CVE-2022-38107 | Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details. | -- | Oct 21, 2022 | n/a |
CVE-2022-38108 | SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | -- | Oct 21, 2022 | n/a |
CVE-2022-38110 | In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting. | -- | Jan 27, 2023 | n/a |
CVE-2022-38111 | SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | -- | Feb 16, 2023 | n/a |
CVE-2022-38112 | In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext. | -- | Jan 26, 2023 | n/a |
CVE-2022-38113 | This vulnerability discloses build and services versions in the server response header. | -- | Nov 23, 2022 | n/a |
CVE-2022-38114 | This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS. | -- | Nov 23, 2022 | n/a |
CVE-2022-38115 | Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT | -- | Nov 23, 2022 | n/a |
CVE-2022-38116 | Le-yan Personnel and Salary Management System has hard-coded database account and password within the website source code. An unauthenticated remote attacker can access, modify system data or disrupt service. | -- | Aug 30, 2022 | n/a |
CVE-2022-38117 | Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users’ ciphertext and tamper with it. | -- | Oct 25, 2022 | n/a |
CVE-2022-38118 | OAKlouds Portal website’s Meeting Room has insufficient validation for user input. A remote attacker with general user privilege can perform SQL-injection to access, modify, delete database, perform system operations and disrupt service. | -- | Aug 30, 2022 | n/a |
CVE-2022-38119 | UPSMON Pro login function has insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and get administrator privilege to access, control system or disrupt service. | -- | Nov 10, 2022 | n/a |
CVE-2022-38120 | UPSMON PRO has a path traversal vulnerability. A remote attacker with general user privilege can exploit this vulnerability to bypass authentication and access arbitrary system files. | -- | Nov 10, 2022 | n/a |
CVE-2022-38121 | UPSMON PRO configuration file stores user password in plaintext under public user directory. A remote attacker with general user privilege can access all users' and administrators' account names and passwords via this unprotected configuration file. | -- | Nov 10, 2022 | n/a |
CVE-2022-38122 | UPSMON PRO transmits sensitive data in cleartext over HTTP protocol. An unauthenticated remote attacker can exploit this vulnerability to access sensitive data. | -- | Nov 10, 2022 | n/a |
CVE-2022-38123 | Improper Input Validation of plugin files in Administrator Interface of Secomea GateManager allows a server administrator to inject code into the GateManager interface. This issue affects: Secomea GateManager versions prior to 10.0. | -- | Dec 8, 2022 | n/a |
CVE-2022-38124 | Debug tool in Secomea SiteManager allows logged-in administrator to modify system state in an unintended manner. | -- | Dec 16, 2022 | n/a |
CVE-2022-38126 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | -- | Sep 2, 2022 | n/a |
CVE-2022-38127 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | -- | Sep 2, 2022 | n/a |
CVE-2022-38128 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | -- | Sep 2, 2022 | n/a |
CVE-2022-38129 | A path traversal vulnerability exists in the com.keysight.tentacle.licensing.LicenseManager.addLicenseFile() method in the Keysight Sensor Management Server (SMS). This allows an unauthenticated remote attacker to upload arbitrary files to the SMS host. | -- | Aug 10, 2022 | n/a |
CVE-2022-38130 | The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify a UNC path for the database file (i.e., \\<attacker-host>\sms\<attacker-db.zip>), effectively controlling the content of the database to be restored. | -- | Aug 10, 2022 | n/a |
CVE-2022-38131 | RStudio Connect is affected by an Open Redirect issue. The vulnerability could allow an attacker to redirect users to malicious websites. | -- | Sep 9, 2022 | n/a |
CVE-2022-38132 | Command injection vulnerability in Linksys MR8300 router while Registration to DDNS Service. By specifying username and password, an attacker connected to the router's web interface can execute arbitrary OS commands. The username and password fields are not sanitized correctly and are used as URL construction arguments, allowing URL redirection to an arbitrary server, downloading an arbitrary script file, and eventually executing the file in the device. This issue affects: Linksys MR8300 Router 1.0. | -- | Aug 24, 2022 | n/a |
CVE-2022-38133 | In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some cases | -- | Aug 12, 2022 | n/a |
CVE-2022-38134 | Authenticated (subscriber+) Broken Access Control vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress. | -- | Sep 23, 2022 | n/a |
CVE-2022-38135 | Broken Access Control vulnerability in Dean Oakley's Photospace Gallery plugin <= 2.3.5 at WordPress allows users with subscriber or higher role to change plugin settings. | -- | Sep 12, 2022 | n/a |
CVE-2022-38136 | Uncontrolled search path in the Intel(R) oneAPI DPC++/C++ Compiler for Windows and Intel Fortran Compiler for Windows before version 2022.2.1 for some Intel(R) oneAPI Toolkits before version 2022.3.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | -- | Feb 6, 2023 | n/a |
CVE-2022-38137 | Cross-Site Request Forgery (CSRF) vulnerability in Analytify plugin <= 4.2.2 on WordPress. | -- | Nov 9, 2022 | n/a |
CVE-2022-38138 | The Triangle Microworks IEC 61850 Library (Any client or server using the C language library with a version number of 11.2.0 or earlier and any client or server using the C++, C#, or Java language library with a version number of 5.0.1 or earlier) and 60870-6 (ICCP/TASE.2) Library (Any client or server using a C++ language library with a version number of 4.4.3 or earlier) are vulnerable to access given to a small number of uninitialized pointers within their code. This could allow an attacker to target any client or server using the affected libraries to cause a denial-of-service condition. | -- | Oct 12, 2022 | n/a |
CVE-2022-38139 | Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.2.0 at WordPress. | -- | Sep 15, 2022 | n/a |
CVE-2022-38140 | Auth. (contributor+) Arbitrary File Upload in SEO Plugin by Squirrly SEO plugin <= 12.1.10 on WordPress. | -- | Dec 1, 2022 | n/a |
CVE-2022-38142 | Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-Gateway service port without proper verification. An attacker could provide malicious serialized objects to execute arbitrary code upon deserialization. | -- | Nov 2, 2022 | n/a |
CVE-2022-38143 | A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | -- | Dec 23, 2022 | n/a |
CVE-2022-38144 | Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress. | -- | Sep 10, 2022 | n/a |
CVE-2022-38145 | Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 3) via remote attackers adding a JavaScript payload to a page's meta description and get it executed in the versioned history compare view. | -- | Nov 23, 2022 | n/a |
CVE-2022-38146 | Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3). | -- | Nov 22, 2022 | n/a |
CVE-2022-38147 | Silverstripe silverstripe/framework through 4.11 allows XSS (issue 3 of 3). | -- | Nov 23, 2022 | n/a |
CVE-2022-38148 | Silverstripe silverstripe/framework through 4.11 allows SQL Injection. | -- | Nov 22, 2022 | n/a |
CVE-2022-38149 | HashiCorp Consul Template up to 0.27.2, 0.28.2, and 0.29.1 may expose the contents of Vault secrets in the error returned by the *template.Template.Execute method, when given a template using Vault secret contents incorrectly. Fixed in 0.27.3, 0.28.3, and 0.29.2. | -- | Aug 18, 2022 | n/a |
CVE-2022-38150 | In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1. | -- | Aug 11, 2022 | n/a |