Total
3988 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-44569 | 1 Ivanti | 1 Automation | 2024-11-21 | 7.8 High |
| A locally authenticated attacker with low privileges can bypass authentication due to insecure inter-process communication. | ||||
| CVE-2022-43451 | 1 Openharmony | 1 Openharmony | 2024-11-21 | 8.4 High |
| OpenHarmony-v3.1.2 and prior versions had an Multiple path traversal vulnerability in appspawn and nwebspawn services. Local attackers can create arbitrary directories or escape application sandbox.If chained with other vulnerabilities it would allow an unprivileged process to gain full root privileges. | ||||
| CVE-2022-41678 | 2 Apache, Redhat | 4 Activemq, Amq Broker, Jboss Fuse and 1 more | 2024-11-21 | 8.8 High |
| Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RCE through via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0. | ||||
| CVE-2022-40622 | 1 Wavlink | 2 Wn531g3, Wn531g3 Firmware | 2024-11-21 | 8.8 High |
| The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible. | ||||
| CVE-2022-40536 | 1 Qualcomm | 162 315 5g Iot Modem, 315 5g Iot Modem Firmware, Ar8035 and 159 more | 2024-11-21 | 7.5 High |
| Transient DOS due to improper authentication in modem while receiving plain TLB OTA request message from network. | ||||
| CVE-2022-40521 | 1 Qualcomm | 484 315 5g Iot Modem, 315 5g Iot Modem Firmware, 8953pro and 481 more | 2024-11-21 | 7.5 High |
| Transient DOS due to improper authorization in Modem | ||||
| CVE-2022-40144 | 2 Microsoft, Trendmicro | 2 Windows, Apex One | 2024-11-21 | 9.8 Critical |
| A vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service could allow an attacker to bypass the product's login authentication by falsifying request parameters on affected installations. | ||||
| CVE-2022-3681 | 1 Motorola | 1 Mr2600 | 2024-11-21 | 6.5 Medium |
| A vulnerability has been identified in the MR2600 router v1.0.18 and earlier that could allow an attacker within range of the wireless network to successfully brute force the WPS pin, potentially allowing them unauthorized access to a wireless network. | ||||
| CVE-2022-3218 | 1 Necta | 1 Wifi Mouse Server | 2024-11-21 | 9.8 Critical |
| Due to a reliance on client-side authentication, the WiFi Mouse (Mouse Server) from Necta LLC's authentication mechanism is trivially bypassed, which can result in remote code execution. | ||||
| CVE-2022-3173 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 4.3 Medium |
| Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10. | ||||
| CVE-2022-3152 | 1 Php-fusion | 1 Phpfusion | 2024-11-21 | 8.8 High |
| Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20. | ||||
| CVE-2022-38700 | 1 Openharmony | 1 Openharmony | 2024-11-21 | 8.8 High |
| OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. LAN attackers can bypass permission control and get control of camera service. | ||||
| CVE-2022-38557 | 1 Dlink | 2 Dir-845l, Dir-845l Firmware | 2024-11-21 | 9.8 Critical |
| D-Link DIR845L v1.00-v1.03 contains a Static Default Credential vulnerability in /etc/init0.d/S80telnetd.sh. | ||||
| CVE-2022-38556 | 1 Trendnet | 2 Tew733gr, Tew733gr Firmware | 2024-11-21 | 9.8 Critical |
| Trendnet TEW733GR v1.03B01 contains a Static Default Credential vulnerability in /etc/init0.d/S80telnetd.sh. | ||||
| CVE-2022-38399 | 1 Planex | 4 Cs-qr10, Cs-qr10 Firmware, Cs-qr20 and 1 more | 2024-11-21 | 6.8 Medium |
| Missing protection mechanism for alternate hardware interface in SmaCam CS-QR10 all versions and SmaCam Night Vision CS-QR20 all versions allows an attacker to execute an arbitrary OS command by having the product connect to the product's specific serial connection | ||||
| CVE-2022-38368 | 1 Aviatrix | 1 Gateway | 2024-11-21 | 8.8 High |
| An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands. | ||||
| CVE-2022-38180 | 1 Jetbrains | 1 Ktor | 2024-11-21 | 5.3 Medium |
| In JetBrains Ktor before 2.1.0 the wrong authentication provider could be selected in some cases | ||||
| CVE-2022-38081 | 1 Openharmony | 1 Openharmony | 2024-11-21 | 6.2 Medium |
| OpenHarmony-v3.1.2 and prior versions have a permission bypass vulnerability. LAN attackers can bypass the distributed permission control.To take advantage of this weakness, attackers need another vulnerability to obtain system. | ||||
| CVE-2022-38064 | 1 Openharmony | 1 Openharmony | 2024-11-21 | 6.2 Medium |
| OpenHarmony-v3.1.2 and prior versions have a permission bypass vulnerability. Local attackers can bypass permission control and get sensitive information. | ||||
| CVE-2022-37397 | 1 Yugabyte | 1 Yugabytedb | 2024-11-21 | 8.3 High |
| An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password. | ||||