Lista CVE - 2022 / Gennaio
Visualizzazione 601 - 700 di 1988 CVE per Gennaio 2022 (Pagina 7 di 20)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2021-42561 | 2022-01-12 | An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system" function. This allows attackers to use shell metacharacters (e.g.,... |
| CVE-2021-42560 | 2022-01-12 | An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and... |
| CVE-2022-20612 | 2022-01-12 | A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set. |
| CVE-2022-20615 | 2022-01-12 | Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by... |
| CVE-2022-20616 | 2022-01-12 | Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID... |
| CVE-2022-20617 | 2022-01-12 | Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure... |
| CVE-2022-20618 | 2022-01-12 | A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2022-20619 | 2022-01-12 | A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another... |
| CVE-2022-20620 | 2022-01-12 | Missing permission checks in Jenkins SSH Agent Plugin 1.23 and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2022-20621 | 2022-01-12 | Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to... |
| CVE-2022-23105 | 2022-01-12 | Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations. |
| CVE-2022-23107 | 2022-01-12 | Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific... |
| CVE-2022-23108 | 2022-01-12 | Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability... |
| CVE-2022-23109 | 2022-01-12 | Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed. |
| CVE-2022-23110 | 2022-01-12 | Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. |
| CVE-2022-23111 | 2022-01-12 | A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials. |
| CVE-2022-23112 | 2022-01-12 | A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials. |
| CVE-2022-23113 | 2022-01-12 | Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers... |
| CVE-2022-23114 | 2022-01-12 | Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to... |
| CVE-2022-23115 | 2022-01-12 | Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allows attackers with Overall/Read access to retrieve logs, build or delete a batch task. |
| CVE-2022-23116 | 2022-01-12 | Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method. |
| CVE-2022-23117 | 2022-01-12 | Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller. |
| CVE-2022-23118 | 2022-01-12 | Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent... |
| CVE-2021-42558 | 2022-01-12 | An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulnerabilities that may be exploited by authenticated and unauthenticated attackers. |
| CVE-2021-42559 | 2022-01-12 | An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an... |
| CVE-2021-41597 | 2022-01-12 | SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive. |
| CVE-2021-45449 | 2022-01-12 | Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user's machine during login. This only affects users if they... |
| CVE-2021-46225 | 2022-01-12 | A buffer overflow in the GmfOpenMesh() function of libMeshb v7.61 allows attackers to cause a Denial of Service (DoS) via a crafted MESH file. |
| CVE-2021-37529 | 2022-01-12 | A double-free vulnerability exists in fig2dev through 3.28a is affected by: via the free_stream function in readpics.c, which could cause a denial of service (context-dependent). |
| CVE-2021-37530 | 2022-01-12 | A denial of service vulnerabiity exists in fig2dev through 3.28a due to a segfault in the open_stream function in readpics.c. |
| CVE-2021-40567 | 2022-01-13 | Segmentation fault vulnerability exists in Gpac through 1.0.1 via the gf_odf_size_descriptor function in desc_private.c when using mp4box, which causes a denial of service. |
| CVE-2021-40568 | 2022-01-13 | A buffer overflow vulnerability exists in Gpac through 1.0.1 via a malformed MP4 file in the svc_parse_slice function in av_parsers.c, which allows attackers to cause a denial of service, even... |
| CVE-2021-40569 | 2022-01-13 | The binary MP4Box in Gpac through 1.0.1 has a double-free vulnerability in the iloc_entry_del funciton in box_code_meta.c, which allows attackers to cause a denial of service. |
| CVE-2021-40570 | 2022-01-13 | The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the avc_compute_poc function in av_parsers.c, which allows attackers to cause a denial of service, even code execution and escalation... |
| CVE-2021-40571 | 2022-01-13 | The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ilst_box_read function in box_code_apple.c, which allows attackers to cause a denial of service, even code execution and escalation... |
| CVE-2021-40572 | 2022-01-13 | The binary MP4Box in Gpac 1.0.1 has a double-free bug in the av1dmx_finalize function in reframe_av1.c, which allows attackers to cause a denial of service. |
| CVE-2021-40575 | 2022-01-13 | The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnerability in the mpgviddmx_process function in reframe_mpgvid.c, which allows attackers to cause a denial of service. This vulnerability is... |
| CVE-2021-40576 | 2022-01-13 | The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnerability in the gf_isom_get_payt_count function in hint_track.c, which allows attackers to cause a denial of service. |
| CVE-2021-45760 | 2022-01-13 | GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function gf_list_last(). This vulnerability allows attackers to cause a Denial of Service (DoS). |
| CVE-2022-21682 | 2022-01-13 | flatpak-builder can access files outside the build directory. |
| CVE-2021-40574 | 2022-01-13 | The binary MP4Box in Gpac from 0.9.0-preview to 1.0.1 has a double-free vulnerability in the gf_text_get_utf8_line function in load_text.c, which allows attackers to cause a denial of service, even code... |
| CVE-2022-0197 | 2022-01-13 | Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite |
| CVE-2022-0196 | 2022-01-13 | Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite |
| CVE-2022-0198 | 2022-01-13 | Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp |
| CVE-2022-22112 | 2022-01-13 | DayByDay CRM - Application-Wide Client-Side Template Injection (CSTI) |
| CVE-2022-22113 | 2022-01-13 | DayByDay CRM - Insufficient Session Expiration after Password Change |
| CVE-2021-30285 | 2022-01-13 | Improper validation of memory region in Hypervisor can lead to incorrect region mapping in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music,... |
| CVE-2021-30287 | 2022-01-13 | Possible assertion due to improper validation of symbols configured for PDCCH monitoring in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile |
| CVE-2021-30300 | 2022-01-13 | Possible denial of service due to incorrectly decoding hex data for the SIB2 OTA message and assigning a garbage value to choice when processing the SRS configuration in Snapdragon Auto,... |
| CVE-2021-30301 | 2022-01-13 | Possible denial of service due to out of memory while processing RRC and NAS OTA message in Snapdragon Auto, Snapdragon Industrial IOT, Snapdragon Mobile |
| CVE-2021-30307 | 2022-01-13 | Possible denial of service due to improper validation of DNS response when DNS client requests with PTR, NAPTR or SRV query type in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon... |
| CVE-2021-30308 | 2022-01-13 | Possible buffer overflow while printing the HARQ memory partition detail due to improper validation of buffer size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT,... |
| CVE-2021-30311 | 2022-01-13 | Possible heap overflow due to lack of index validation before allocating and writing to heap buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile |
| CVE-2021-30313 | 2022-01-13 | Use after free condition can occur in wired connectivity due to a race condition while creating and deleting folders in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon... |
| CVE-2021-30314 | 2022-01-13 | Lack of validation for third party application accessing the service can lead to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile,... |
| CVE-2021-30319 | 2022-01-13 | Possible integer overflow due to improper validation of command length parameters while processing WMI command in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon... |
| CVE-2021-30330 | 2022-01-13 | Possible null pointer dereference due to improper validation of APE clip in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables |
| CVE-2021-30353 | 2022-01-13 | Improper validation of function pointer type with actual function signature can lead to assertion in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice &... |
| CVE-2021-45806 | 2022-01-13 | jpress v4.2.0 admin panel provides a function through which attackers can modify the template and inject some malicious code. |
| CVE-2021-23514 | 2022-01-13 | Path Traversal |
| CVE-2021-23824 | 2022-01-13 | Content Injection |
| CVE-2021-40327 | 2022-01-13 | Trusted Firmware-M (TF-M) 1.4.0, when Profile Small is used, has incorrect access control. NSPE can access a secure key (held by the Crypto service) based solely on knowledge of its... |
| CVE-2022-23131 | 2022-01-13 | Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML |
| CVE-2022-23132 | 2022-01-13 | Incorrect permissions of [/var/run/zabbix] forces dac_override |
| CVE-2022-23133 | 2022-01-13 | Stored XSS in host groups configuration window in Zabbix Frontend |
| CVE-2022-23134 | 2022-01-13 | Possible view of the setup pages by unauthenticated users if config file already exists |
| CVE-2022-22123 | 2022-01-13 | Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Title |
| CVE-2022-22124 | 2022-01-13 | Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image |
| CVE-2022-22125 | 2022-01-13 | Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Tag |
| CVE-2022-21678 | 2022-01-13 | User's bio visible even if profile is restricted in Discourse |
| CVE-2021-40813 | 2022-01-13 | A cross-site scripting (XSS) vulnerability in the "Zip content" feature in Element-IT HTTP Commander 3.1.9 allows remote authenticated users to inject arbitrary web script or HTML via filenames. |
| CVE-2021-39056 | 2022-01-13 | The IBM i 7.1, 7.2, 7.3, and 7.4 Extended Dynamic Remote SQL server (EDRSQL) could allow a remote authenticated user to send a specially crafted request and cause a denial... |
| CVE-2021-40573 | 2022-01-13 | The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the gf_list_del function in list.c, which allows attackers to cause a denial of service. |
| CVE-2021-45422 | 2022-01-13 | Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET. No authentication is required. |
| CVE-2021-45807 | 2022-01-13 | jpress v4.2.0 is vulnerable to command execution via io.jpress.web.admin._AddonController::doUploadAndInstall. |
| CVE-2021-33046 | 2022-01-13 | Some Dahua products have access control vulnerability in the password reset process. Attackers can exploit this vulnerability through specific deployments to reset device passwords. |
| CVE-2021-43762 | 2022-01-13 | Adobe Experience Manager Unicode normalization leads to dispatcher bypass |
| CVE-2021-44178 | 2022-01-13 | Adobe Experience Manager Reflected XSS in /bin/wcm/contentfinder/page/view.html |
| CVE-2021-43765 | 2022-01-13 | Adobe Experience Manager Stored XSS in the Carousel Set |
| CVE-2021-40722 | 2022-01-13 | AEM Forms Improper Restriction of XML External Entity Reference |
| CVE-2021-44177 | 2022-01-13 | Adobe Experience Manager Stored XSS in user name parameter in the package manager |
| CVE-2021-43761 | 2022-01-13 | Adobe Experience Manager Stored XSS on Edit Tag page via Localization input |
| CVE-2021-44176 | 2022-01-13 | Adobe Experience Manager Stored XSS in workflow Stages parameter |
| CVE-2021-43764 | 2022-01-13 | Adobe Experience Manager Stored XSS in the Spin Set |
| CVE-2022-22989 | 2022-01-13 | Pre-authenticated stack overflow vulnerability on FTP Service |
| CVE-2022-22991 | 2022-01-13 | Command injection through unsecured HTTP calls on Western Digital My Cloud devices |
| CVE-2022-22990 | 2022-01-13 | Limited authentication bypass vulnerability on Western Digital My Cloud devices |
| CVE-2022-22988 | 2022-01-13 | Insecure file and directory permissions on EdgeRover |
| CVE-2021-23227 | 2022-01-13 | WordPress PHP Everywhere Plugin <= 2.0.2 is vulnerable to Cross Site Request Forgery (CSRF) |
| CVE-2021-45054 | 2022-01-13 | Adobe InCopy JPEG2000 Parsing Use-After-Free Information Disclosure Vulnerability |
| CVE-2021-45053 | 2022-01-13 | Adobe InCopy JPEG2000 Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
| CVE-2021-45056 | 2022-01-13 | Adobe InCopy JPEG File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
| CVE-2021-45055 | 2022-01-13 | Adobe InCopy TIF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
| CVE-2021-45058 | 2022-01-13 | Adobe InDesign JPEG File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
| CVE-2021-45057 | 2022-01-13 | Adobe InDesign JPEG2000 Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
| CVE-2021-45059 | 2022-01-13 | Adobe InDesign JPEG2000 Parsing Use-After-Free Information Disclosure Vulnerability |
| CVE-2022-21684 | 2022-01-13 | User can bypass approval when invited to Discourse |
| CVE-2021-34858 | 2022-01-13 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of TeamViewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious... |
| CVE-2021-34871 | 2022-01-13 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit... |
| CVE-2021-34872 | 2022-01-13 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit... |