The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-34328 | PMB 7.3.10 allows reflected XSS via the id parameter in an lvl=author_see request to index.php. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34305 | In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34300 | In tinyexr 1.0.1, there is a heap-based buffer over-read in tinyexr::DecodePixelData. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34299 | There is a heap-based buffer over-read in libdwarf 0.4.0. This issue is related to dwarf_global_formref_b. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34213 | Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34211 | A cross-site request forgery (CSRF) vulnerability in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers to send an HTTP POST request to an attacker-specified URL. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34210 | A missing permission check in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34209 | A cross-site request forgery (CSRF) vulnerability in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers to connect to an attacker-specified URL. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34208 | A missing permission check in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34207 | A cross-site request forgery (CSRF) vulnerability in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers to connect to an attacker-specified URL. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34206 | A missing permission check in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34205 | A cross-site request forgery (CSRF) vulnerability in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers to send HTTP POST requests to an attacker-specified URL. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34204 | A missing permission check in Jenkins EasyQA Plugin 1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34203 | A cross-site request forgery (CSRF) vulnerability in Jenkins EasyQA Plugin 1.0 and earlier allows attackers to connect to an attacker-specified HTTP server. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34202 | Jenkins EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34201 | A missing permission check in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34200 | A cross-site request forgery (CSRF) vulnerability in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers to connect to an attacker-specified URL. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34199 | Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34182 | Jenkins Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters, resulting in a reflected cross-site scripting (XSS) vulnerability. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34181 | Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn\'t exist, and parsing files inside it as test results, allowing attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34180 | Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for unprotected status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34179 | Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34178 | Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a \'link\' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34177 | Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34175 | Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34174 | In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34173 | In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34172 | In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of \'tooltip\' parameters, resulting in a cross-site scripting (XSS) vulnerability. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34171 | In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the \'title\' attribute of \'l:ionicon\' (until Jenkins 2.334) and \'alt\' attribute of \'l:icon\' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34170 | In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34013 | OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Logo parameter under the Link module. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34012 | Insecure permissions in OneBlog v2.3.4 allows low-level administrators to reset the passwords of high-level administrators who hold greater privileges. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-34011 | OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the parameter entryUrls. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33995 | A path traversal issue in entry attachments in Devolutions Remote Desktop Manager before 2022.2 allows attackers to create or overwrite files in an arbitrary location. | MEDIUM | Jun 21, 2022 | n/a |
| CVE-2022-33913 | In Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04.2, files can sometimes be downloaded through thumb.php with no permission check. | MEDIUM | Jun 21, 2022 | n/a |
| CVE-2022-33139 | A vulnerability has been identified in SIMATIC WinCC OA V3.16 (All versions in default configuration), SIMATIC WinCC OA V3.17 (All versions in non-default configuration), SIMATIC WinCC OA V3.18 (All versions in non-default configuration). Affected applications use client-side only authentication, when neither server-side authentication (SSA) nor Kerberos authentication is enabled. In this configuration, attackers could impersonate other users or exploit the client-server protocol without being authenticated. | MEDIUM | Jun 21, 2022 | n/a |
| CVE-2022-33124 | ** DISPUTED ** AIOHTTP 3.8.1 can report a ValueError: Invalid IPv6 URL outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application. | MEDIUM | Jun 26, 2022 | n/a |
| CVE-2022-33121 | A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clicking on a malicious link. | MEDIUM | Jun 25, 2022 | n/a |
| CVE-2022-33119 | NUUO Network Video Recorder NVRsolo v03.06.02 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via login.php. | MEDIUM | Jun 21, 2022 | n/a |
| CVE-2022-33114 | Jfinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33105 | Redis v7.0 was discovered to contain a memory leak via the component streamGetEdgeID. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33097 | 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/campus/campus_job. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33096 | 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/resume/index. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33095 | 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/jobfairol/resumelist. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33094 | 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/job/map. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33093 | 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the key parameter at /freelance/resume_list. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33092 | 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/job/index. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33070 | Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33069 | Ethereum Solidity v0.8.14 contains an assertion failure via SMTEncoder::indexOrMemberAssignment() at SMTEncoder.cpp. | MEDIUM | Jun 23, 2022 | n/a |
| CVE-2022-33068 | An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors. | MEDIUM | Jun 23, 2022 | n/a |
