The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-42168 | Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/fromSetIpMacBind. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42167 | Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetFirewallCfg. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42166 | Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetSpeedWan. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42165 | Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetDeviceName. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42164 | Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetClientState. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42163 | Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/fromNatStaticSetting. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42154 | An arbitrary file upload vulnerability in the component /apiadmin/upload/attach of 74cmsSE v3.13.0 allows attackers to execute arbitrary code via a crafted PHP file. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42149 | kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\\OnlinePreviewController.java. | -- | Oct 20, 2022 | n/a |
| CVE-2022-42147 | kkFileView 4.0 is vulnerable to Cross Site Scripting (XSS) via controller\\ Filecontroller.java. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42143 | Open Source SACCO Management System v1.0 is vulnerable to SQL Injection via /sacco_shield/manage_payment.php. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42142 | Online Tours & Travels Management System v1.0 is vulnerable to Arbitrary code execution via ip/tour/admin/operations/update_settings.php. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42117 | A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML. | -- | Oct 20, 2022 | n/a |
| CVE-2022-42116 | A Cross-site scripting (XSS) vulnerability in the Frontend Editor module\'s integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter. | -- | Oct 20, 2022 | n/a |
| CVE-2022-42115 | Cross-site scripting (XSS) vulnerability in the Object module\'s edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field\'s `Label` text field. | -- | Oct 20, 2022 | n/a |
| CVE-2022-42114 | A Cross-site scripting (XSS) vulnerability in the Role module\'s edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML. | -- | Oct 20, 2022 | n/a |
| CVE-2022-42113 | A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter. | -- | Oct 20, 2022 | n/a |
| CVE-2022-42112 | A Cross-site scripting (XSS) vulnerability in the Portal Search module\'s Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload. | -- | Oct 20, 2022 | n/a |
| CVE-2022-42029 | Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to \'big file uploads\' to copy/move files from anywhere in the file system into the web directory. | -- | Oct 19, 2022 | n/a |
| CVE-2022-42021 | Best Student Result Management System v1.0 is vulnerable to SQL Injection via /upresult/upresult/notice-details.php?nid=. | -- | Oct 21, 2022 | n/a |
| CVE-2022-41983 | On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is in use, undisclosed conditions can cause BIG-IP to send data unencrypted even with an SSL Profile applied. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41836 | When an \'Attack Signature False Positive Mode\' enabled security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41835 | In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.5.0, excessive file permissions in F5OS allows an authenticated local attacker to execute limited set of commands in a container and impact the F5OS controller. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41833 | In all BIG-IP 13.1.x versions, when an iRule containing the HTTP::collect command is configured on a virtual server, undisclosed requests can cause Traffic Management Microkernel (TMM) to terminate. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41832 | In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, when a SIP profile is configured on a virtual server, undisclosed messages can cause an increase in memory resource utilization. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41813 | In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when BIG-IP is provisioned with PEM or AFM module, an undisclosed input can cause Traffic Management Microkernel (TMM) to terminate. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41806 | In versions 16.1.x before 16.1.3.2 and 15.1.x before 15.1.5.1, when BIG-IP AFM Network Address Translation policy with IPv6/IPv4 translation rules is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41787 | In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, when DNS profile is configured on a virtual server with DNS Express enabled, undisclosed DNS queries with DNSSEC can cause TMM to terminate. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41780 | In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.4.0, a directory traversal vulnerability exists in an undisclosed location of the F5OS CLI that allows an attacker to read arbitrary files. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41770 | In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41751 | Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41743 | NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or potential other impact using a specially crafted audio or video file. The issue affects only NGINX Plus when the hls directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_hls_module. | -- | Oct 23, 2022 | n/a |
| CVE-2022-41742 | NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41741 | NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41716 | Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string A=B\\x00C=D sets the variables A=B and C=D. | -- | Oct 19, 2022 | n/a |
| CVE-2022-41709 | Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the nodeIntegration option enabled. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41708 | Relatedcode\'s Messenger version 7bcd20b allows an authenticated external attacker to access existing chats in the workspaces of any user of the application. This is possible because the application does not validate permissions correctly. | -- | Oct 21, 2022 | n/a |
| CVE-2022-41707 | Relatedcode\'s Messenger version 7bcd20b allows an authenticated external attacker to access sensitive data of any user of the application. This is possible because the application exposes user data to the public. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41694 | In BIG-IP versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, and BIG-IQ versions 8.x before 8.2.0.1 and all versions of 7.x, when an SSL key is imported on a BIG-IP or BIG-IQ system, undisclosed input can cause MCPD to terminate. | -- | Oct 23, 2022 | n/a |
| CVE-2022-41691 | When a BIG-IP Advanced WAF/ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. | -- | Oct 23, 2022 | n/a |
| CVE-2022-41638 | Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop plugin <= 2.1.7 on WordPress. | -- | Oct 21, 2022 | n/a |
| CVE-2022-41624 | In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.2, 15.1.x before 15.1.7, 14.1.x before 14.1.5.2, and 13.1.x before 13.1.5.1, when a sideband iRule is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. | -- | Oct 23, 2022 | n/a |
| CVE-2022-41617 | In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, When the Advanced WAF / ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iControl REST interface. | -- | Oct 21, 2022 | n/a |
| CVE-2022-41575 | A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3. | -- | Oct 21, 2022 | n/a |
| CVE-2022-41547 | Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41544 | GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php. | -- | Oct 19, 2022 | n/a |
| CVE-2022-41542 | devhub 0.102.0 was discovered to contain a broken session control. | -- | Oct 19, 2022 | n/a |
| CVE-2022-41541 | TP-Link AX10v1 V1_211117 allows attackers to execute a replay attack by using a previously transmitted encrypted authentication message and valid authentication token. Attackers are able to login to the web application as an admin user. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41540 | The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and router through a man-in-the-middle attack can then obtain the sequence key via a brute-force attack, and access sensitive information. | -- | Oct 20, 2022 | n/a |
| CVE-2022-41537 | Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /user_operations/profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. | -- | Oct 19, 2022 | n/a |
| CVE-2022-41504 | An arbitrary file upload vulnerability in the component /php_action/editProductImage.php of Billing System Project v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | -- | Oct 19, 2022 | n/a |
