Total
3753 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-4768 | 1 Dropbox | 1 Merou | 2024-11-21 | 6.3 Medium |
| A vulnerability was found in Dropbox merou. It has been classified as critical. Affected is the function add_public_key of the file grouper/public_key.py of the component SSH Public Key Handler. The manipulation of the argument public_key_str leads to injection. It is possible to launch the attack remotely. The name of the patch is d93087973afa26bc0a2d0a5eb5c0fde748bdd107. It is recommended to apply a patch to fix this issue. VDB-216906 is the identifier assigned to this vulnerability. | ||||
| CVE-2022-4188 | 1 Google | 2 Android, Chrome | 2024-11-21 | 4.3 Medium |
| Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2022-4145 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-11-21 | 4.3 Medium |
| A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation. | ||||
| CVE-2022-47583 | 1 Mintty Project | 1 Mintty | 2024-11-21 | 9.8 Critical |
| Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal. | ||||
| CVE-2022-45801 | 1 Apache | 1 Streampark | 2024-11-21 | 5.4 Medium |
| Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to SQL Injection. LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. This risk may only occur when the user logs in with ldap, and the user name and password login will not be affected, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later. | ||||
| CVE-2022-45143 | 2 Apache, Redhat | 4 Tomcat, Jboss Enterprise Web Server, Jboss Fuse and 1 more | 2024-11-21 | 7.5 High |
| The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. | ||||
| CVE-2022-45048 | 1 Apache | 1 Ranger | 2024-11-21 | 8.4 High |
| Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0. | ||||
| CVE-2022-42472 | 1 Fortinet | 2 Fortios, Fortiproxy | 2024-11-21 | 4 Medium |
| A improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.1, 7.0.0 through 7.0.7, 2.0.0 through 2.0.10, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6 may allow an authenticated and remote attacker to perform an HTTP request splitting attack which gives attackers control of the remaining headers and body of the response. | ||||
| CVE-2022-42471 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 5.3 Medium |
| An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.4.0 through 6.4.2, FortiWeb version 6.3.6 through 6.3.20 may allow an authenticated and remote attacker to inject arbitrary headers. | ||||
| CVE-2022-40257 | 1 Cert | 1 Vince | 2024-11-21 | 5.4 Medium |
| An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field. | ||||
| CVE-2022-40248 | 1 Cert | 1 Vince | 2024-11-21 | 5.4 Medium |
| An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field. | ||||
| CVE-2022-3962 | 2 Kiali, Redhat | 6 Kiali, Enterprise Linux, Enterprise Linux For Ibm Z Systems and 3 more | 2024-11-21 | 4.3 Medium |
| A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed. | ||||
| CVE-2022-3643 | 3 Broadcom, Debian, Linux | 3 Bcm5780, Debian Linux, Linux Kernel | 2024-11-21 | 6.5 Medium |
| Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. | ||||
| CVE-2022-38796 | 1 Feehi | 1 Feehi Cms | 2024-11-21 | 6.1 Medium |
| A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. This can be exploited by abusing password reset emails. | ||||
| CVE-2022-38357 | 1 Eyeofnetwork | 1 Eyes Of Network Web | 2024-11-21 | 8.8 High |
| Improper neutralization of special elements leaves the Eyes of Network Web application vulnerable to an iFrame injection attack, via the url parameter of /module/module_frame/index.php. | ||||
| CVE-2022-37242 | 1 Altn | 1 Security Gateway For Email Servers | 2024-11-21 | 9.8 Critical |
| MDaemon Technologies SecurityGateway for Email Servers 8.5.2, is vulnerable to HTTP Response splitting via the data parameter. | ||||
| CVE-2022-37240 | 1 Altn | 1 Security Gateway For Email Servers | 2024-11-21 | 9.8 Critical |
| MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to HTTP Response splitting via the format parameter. | ||||
| CVE-2022-37108 | 1 Securonix | 1 Snypr | 2024-11-21 | 8.7 High |
| An injection vulnerability in the syslog-ng configuration wizard in Securonix Snypr 6.4 allows an application user with the "Manage Ingesters" permission to execute arbitrary code on remote ingesters by appending arbitrary text to text files that are executed by the system, such as users' crontab files. The patch for this was present in SNYPR version 6.4 Jun 2022 R3_[06170871], but may have been introduced sooner. | ||||
| CVE-2022-36302 | 1 Bosch | 1 Bf-os | 2024-11-21 | 8.8 High |
| File path manipulation vulnerability in BF-OS version 3.00 up to and including 3.83 allows an attacker to modify the file path to access different resources, which may contain sensitive information. | ||||
| CVE-2022-35735 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2024-11-21 | 7.2 High |
| In BIG-IP Versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, an authenticated attacker with Resource Administrator or Manager privileges can create or modify existing monitor objects in the Configuration utility in an undisclosed manner leading to a privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||