Lista CVE - 2022 / Aprile
Visualizzazione 2001 - 2039 di 2039 CVE per Aprile 2022 (Pagina 21 di 21)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2022-28452 | 2022-04-29 | Red Planet Laundry Management System 1.0 is vulnerable to SQL Injection. |
| CVE-2022-29856 | 2022-04-29 | A hardcoded cryptographic key in Automation360 22 allows an attacker to decrypt exported RPA packages. |
| CVE-2021-43937 | 2022-04-29 | Elcomplus SmartPTT SCADA Server Cross-site Request Forgery |
| CVE-2021-43938 | 2022-04-29 | Elcomplus SmartPTT SCADA Server Information Exposure |
| CVE-2022-1048 | 2022-04-29 | A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens... |
| CVE-2022-1114 | 2022-04-29 | A heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggered when an attacker passes a specially crafted DICOM image file to ImageMagick for conversion,... |
| CVE-2022-1195 | 2022-04-29 | A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the... |
| CVE-2022-1249 | 2022-04-29 | A NULL pointer dereference flaw was found in pesign's cms_set_pw_data() function of the cms_common.c file. The function fails to handle the NULL pwdata invocation from daemon.c, which leads to an... |
| CVE-2022-1227 | 2022-04-29 | A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential... |
| CVE-2022-1353 | 2022-04-29 | A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a... |
| CVE-2022-0985 | 2022-04-29 | Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. |
| CVE-2021-39082 | 2022-04-29 | IBM UrbanCode Deploy (UCD) 7.1.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. |
| CVE-2022-0984 | 2022-04-29 | Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site... |
| CVE-2021-4207 | 2022-04-29 | A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small... |
| CVE-2022-1402 | 2022-04-29 | Delta Electronics ASDA-Soft Out-of-bounds Read |
| CVE-2022-1403 | 2022-04-29 | Delta Electronics ASDA-Soft Out-of-bounds Write |
| CVE-2022-28480 | 2022-04-29 | ALLMediaServer 1.6 is vulnerable to Buffer Overflow via MediaServer.exe. |
| CVE-2022-28994 | 2022-04-29 | Small HTTP Server version 3.06 suffers from a remote buffer overflow vulnerability via long GET request. |
| CVE-2021-4206 | 2022-04-29 | A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed... |
| CVE-2022-29937 | 2022-04-29 | USU Oracle Optimization before 5.17.5 allows authenticated DataCollection users to achieve agent root access because some common OS commands are blocked but (for example) an OS command for base64 decoding... |
| CVE-2022-29936 | 2022-04-29 | USU Oracle Optimization before 5.17 allows authenticated quantum users to achieve remote code execution because of /v2/quantum/save-data-upload-big-file Java deserialization. NOTE: this is not an Oracle Corporation product. |
| CVE-2022-29935 | 2022-04-29 | USU Oracle Optimization before 5.17.5 allows attackers to discover the quantum credentials via an agent-installer download. NOTE: this is not an Oracle Corporation product. |
| CVE-2022-29934 | 2022-04-29 | USU Oracle Optimization before 5.17.5 lacks Polkit authentication, which allows smartcollector users to achieve root access via pkexec. NOTE: this is not an Oracle Corporation product. |
| CVE-2021-36207 | 2022-04-29 | Metasys privilege management |
| CVE-2022-29414 | 2022-04-29 | WordPress Subscribe To Comments Reloaded plugin <= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities |
| CVE-2022-29451 | 2022-04-29 | WordPress Rara One Click Demo Import plugin <= 1.2.9 - Cross-Site Request Forgery (CSRF) leads to Arbitrary File Upload vulnerability |
| CVE-2022-1543 | 2022-04-29 | Improper handling of Length parameter in erudika/scoold |
| CVE-2022-29945 | 2022-04-29 | DJI drone devices sold in 2017 through 2022 broadcast unencrypted information about the drone operator's physical location via the AeroScope protocol. |
| CVE-2022-25854 | 2022-04-29 | Cross-site Scripting (XSS) |
| CVE-2022-29947 | 2022-04-29 | Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping. |
| CVE-2022-28198 | 2022-04-29 | NVIDIA Omniverse Nucleus and Cache contain a vulnerability in its configuration of OpenSSL, where an attacker with physical access to the system can cause arbitrary code execution which can impact... |
| CVE-2022-29967 | 2022-04-29 | static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6.2 allows directory traversal. |
| CVE-2022-29265 | 2022-04-30 | Improper Restriction of XML External Entity References in Multiple Components |
| CVE-2022-28323 | 2022-04-30 | An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported, |
| CVE-2021-41992 | 2022-04-30 | PingID Windows Login RSA cryptographic weakness with possible offline MFA bypass |
| CVE-2021-41993 | 2022-04-30 | PingID Android mobile application prior to 1.19 vulnerable to pre-computed dictionary attacks |
| CVE-2021-41994 | 2022-04-30 | PingID iOS mobile application prior to 1.19 vulnerable to pre-computed dictionary attacks |
| CVE-2021-42001 | 2022-04-30 | PingID Desktop encryption libraries misconfiguration can lead to sensitive data exposure |
| CVE-2022-1544 | 2022-05-01 | Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in luyadev/yii-helpers |
| CVE-2022-23060 | 2022-05-01 | Shopizer - Stored XSS in Manage Files |
| CVE-2022-23061 | 2022-05-01 | Shopizer - IDOR delete superadmin |
| CVE-2022-28481 | 2022-05-01 | CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection. |
| CVE-2022-25850 | 2022-05-01 | Server-side Request Forgery (SSRF) |
| CVE-2022-24437 | 2022-05-01 | Command Injection |
| CVE-2022-21230 | 2022-05-01 | Information Exposure |
| CVE-2022-21144 | 2022-05-01 | Denial of Service (DoS) |
| CVE-2022-21227 | 2022-05-01 | Denial of Service (DoS) |
| CVE-2022-21189 | 2022-05-01 | Prototype Pollution |
| CVE-2022-23923 | 2022-05-01 | Sandbox Bypass |
| CVE-2022-25844 | 2022-05-01 | Regular Expression Denial of Service (ReDoS) |
| CVE-2022-25842 | 2022-05-01 | Arbitrary File Write via Archive Extraction (Zip Slip) |
| CVE-2022-26068 | 2022-05-01 | Path Traversal |
| CVE-2022-21167 | 2022-05-01 | Arbitrary Code Execution |
| CVE-2022-25349 | 2022-05-01 | Cross-site Scripting (XSS) |
| CVE-2022-25647 | 2022-05-01 | Deserialization of Untrusted Data |
| CVE-2022-25767 | 2022-05-01 | Remote Code Execution |
| CVE-2022-25645 | 2022-05-01 | Prototype Pollution |
| CVE-2022-22143 | 2022-05-01 | Prototype Pollution |
| CVE-2022-21149 | 2022-05-01 | Cross-site Scripting (XSS) |
| CVE-2022-25301 | 2022-05-01 | Prototype Pollution |
| CVE-2021-31674 | 2022-05-01 | Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefine enum constant. |
| CVE-2021-31673 | 2022-05-01 | A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter. |
| CVE-2022-28451 | 2022-05-01 | nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature. |
| CVE-2021-40822 | 2022-05-01 | GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host. |
| CVE-2022-29849 | 2022-05-01 | In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges... |
| CVE-2022-1475 | 2022-05-02 | An integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file. |
| CVE-2022-29970 | 2022-05-02 | Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. |
| CVE-2022-29968 | 2022-05-02 | An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private. |
| CVE-2022-29969 | 2022-05-02 | The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true). |
| CVE-2022-29973 | 2022-05-02 | relan exFAT 1.3.0 allows local users to obtain sensitive information (data from deleted files in the filesystem) in certain situations involving offsets beyond ValidDataLength. |
| CVE-2021-46790 | 2022-05-02 | ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2. NOTE: the upstream position is that ntfsck is deprecated; however, it is shipped by some Linux distributions. |
| CVE-2021-36778 | 2022-05-02 | Exposure of repository credentials to external third-party sources |
| CVE-2021-36784 | 2022-05-02 | Privilege escalation for users with create/update permissions in Global Roles |
| CVE-2021-4200 | 2022-05-02 | Write access to the Catalog for any user when restricted-admin role is enabled |
| CVE-2022-1300 | 2022-05-02 | Missing authentication in TRUMPF products may result in corruption of data |
| CVE-2022-23904 | 2022-05-02 | Rainworx Auctionworx < 3.1R2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an authenticated user to upgrade his account to admin and gain access to the auctionworx... |
| CVE-2022-23064 | 2022-05-02 | Snipe-IT - Host Header Injection |
| CVE-2022-23065 | 2022-05-02 | Vendure - XSS via SVG File Upload |
| CVE-2022-28571 | 2022-05-02 | D-link 882 DIR882A1_FW130B06 was discovered to contain a command injection vulnerability in`/usr/bin/cli. |
| CVE-2022-28572 | 2022-05-02 | Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in `SetIPv6Status` function |
| CVE-2022-28573 | 2022-05-02 | D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetNTPserverSeting. This vulnerability allows attackers to execute arbitrary commands via the system_time_timezone parameter. |
| CVE-2022-27466 | 2022-05-02 | MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do. |
| CVE-2022-27982 | 2022-05-02 | RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain a remote code execution (RCE) vulnerability via the fileName parameter at /guest_auth/cfg/upLoadCfg.php. |
| CVE-2022-27983 | 2022-05-02 | RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain an arbitrary file read vulnerability via the url parameter in check.php. |
| CVE-2022-28054 | 2022-05-02 | Improper sanitization of trigger action scripts in VanDyke Software VShell for Windows v4.6.2 allows attackers to execute arbitrary code via a crafted value. |
| CVE-2022-28056 | 2022-05-02 | ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php. |
| CVE-2021-25002 | 2022-05-02 | Tipsacarrier < 1.5.0.5 - Unauthenticated Orders Disclosure |
| CVE-2021-25086 | 2022-05-02 | Advanced Page Visit Counter < 6.1.2 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2021-25102 | 2022-05-02 | All In One WP Security < 4.4.11 - Authenticated Reflected Cross-Site Scripting |
| CVE-2022-0191 | 2022-05-02 | Ad Invalid Click Protector (AICP) < 1.2.7 - Arbitrary Ban Deletion via CSRF |
| CVE-2022-0418 | 2022-05-02 | Event List < 0.8.8 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-0428 | 2022-05-02 | Content Egg < 5.3.0 - Reflected Cross-Site Scripting |
| CVE-2022-0649 | 2022-05-02 | Adrotate < 5.8.23 - Admin+ XSS via Group Name |
| CVE-2022-0662 | 2022-05-02 | Adrotate < 5.8.23 - Admin+ XSS via Advert Name |
| CVE-2022-0771 | 2022-05-02 | SiteSuperCharger < 5.2.0 - Unauthenticated SQLi |
| CVE-2022-0773 | 2022-05-02 | Documentor <= 1.5.3 - Unauthenticated SQLi |
| CVE-2022-0783 | 2022-05-02 | Multiple Shipping Address Woocommerce < 2.0 - Unauthenticated SQLi |
| CVE-2022-0952 | 2022-05-02 | Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update |
| CVE-2022-1046 | 2022-05-02 | Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting |
| CVE-2022-1239 | 2022-05-02 | HubSpot < 8.8.15 - Contributor+ Blind SSRF |