Total
5454 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-42889 | 4 Apache, Juniper, Netapp and 1 more | 21 Commons Text, Jsa1500, Jsa3500 and 18 more | 2024-11-21 | 9.8 Critical |
| Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. | ||||
| CVE-2022-42045 | 2 Watchdog, Zemana | 2 Anti-virus, Antimalware | 2024-11-21 | 6.7 Medium |
| Certain Zemana products are vulnerable to Arbitrary code injection. This affects Watchdog Anti-Malware 4.1.422 and Zemana AntiMalware 3.2.28. | ||||
| CVE-2022-41763 | 1 Nokia | 1 Access Management System | 2024-11-21 | 8.8 High |
| An issue was discovered in NOKIA AMS 9.7.05. Remote Code Execution exists via the debugger of the ipAddress variable. A remote user, authenticated to the AMS server, could inject code in the PING function. The privileges of the command executed depend on the user that runs the service. | ||||
| CVE-2022-39424 | 1 Oracle | 1 Vm Virtualbox | 2024-11-21 | 8.1 High |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Difficult to exploit vulnerability allows unauthenticated attacker with network access via VRDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | ||||
| CVE-2022-38078 | 1 Sixapart | 1 Movable Type | 2024-11-21 | 9.8 Critical |
| Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability. | ||||
| CVE-2022-37396 | 1 Jetbrains | 1 Rider | 2024-11-21 | 4.1 Medium |
| In JetBrains Rider before 2022.2 Trust and Open Project dialog could be bypassed, leading to local code execution | ||||
| CVE-2022-37053 | 1 Trendnet | 2 Tew733gr, Tew733gr Firmware | 2024-11-21 | 9.8 Critical |
| TRENDnet TEW733GR v1.03B01 is vulnerable to Command injection via /htdocs/upnpinc/gena.php. | ||||
| CVE-2022-37009 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 3.9 Low |
| In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible | ||||
| CVE-2022-36799 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 7.2 High |
| This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1. | ||||
| CVE-2022-36756 | 1 Dlink | 2 Dir-845l, Dir-845l Firmware | 2024-11-21 | 9.8 Critical |
| DIR845L A1 v1.00-v1.03 is vulnerable to command injection via /htdocs/upnpinc/gena.php. | ||||
| CVE-2022-36262 | 1 Taogogo | 1 Taocms | 2024-11-21 | 9.8 Critical |
| An issue was discovered in taocms 3.0.2. in the website settings that allows arbitrary php code to be injected by modifying config.php. | ||||
| CVE-2022-36216 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 7.2 High |
| DedeCMS v5.7.94 - v5.7.97 was discovered to contain a remote code execution vulnerability in member_toadmin.php. | ||||
| CVE-2022-35847 | 1 Fortinet | 1 Fortisoar | 2024-11-21 | 6.3 Medium |
| An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management interface 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.4 may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload. | ||||
| CVE-2022-35649 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-11-21 | 9.8 Critical |
| The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system. | ||||
| CVE-2022-35516 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 9.8 Critical |
| DedeCMS v5.7.93 - v5.7.96 was discovered to contain a remote code execution vulnerability in login.php. | ||||
| CVE-2022-34625 | 1 Mealie Project | 1 Mealie | 2024-11-21 | 7.2 High |
| Mealie1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to execute arbitrary code via a crafted Jinja2 template. | ||||
| CVE-2022-33725 | 1 Google | 1 Android | 2024-11-21 | 4 Medium |
| A vulnerability using PendingIntent in Knox VPN prior to SMR Aug-2022 Release 1 allows attackers to access content providers with system privilege. | ||||
| CVE-2022-33721 | 1 Google | 1 Android | 2024-11-21 | 4.4 Medium |
| A vulnerability using PendingIntent in DeX for PC prior to SMR Aug-2022 Release 1 allows attackers to access files with system privilege. | ||||
| CVE-2022-32897 | 1 Apple | 1 Macos | 2024-11-21 | 7.8 High |
| A memory corruption issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.5. Processing a maliciously crafted tiff file may lead to arbitrary code execution. | ||||
| CVE-2022-32417 | 1 Pbootcms | 1 Pbootcms | 2024-11-21 | 9.8 Critical |
| PbootCMS v3.1.2 was discovered to contain a remote code execution (RCE) vulnerability via the function parserIfLabel at function.php. | ||||