Total
9398 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-6563 | 2 Apple, Openbsd | 2 Mac Os X, Openssh | 2022-12-13 | 1.9 LOW | N/A |
| The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c. | |||||
| CVE-2019-4271 | 1 Ibm | 1 Websphere Application Server | 2022-12-09 | 3.5 LOW | 3.5 LOW |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin console is vulnerable to a Client-side HTTP parameter pollution vulnerability. IBM X-Force ID: 160243. | |||||
| CVE-2017-7604 | 1 Libaacplus Project | 1 Libaacplus | 2022-12-09 | 6.8 MEDIUM | 7.8 HIGH |
| au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. | |||||
| CVE-2022-3656 | 1 Google | 1 Chrome | 2022-12-09 | N/A | 8.8 HIGH |
| Insufficient data validation in File System in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2017-12124 | 1 Moxa | 2 Edr-810, Edr-810 Firmware | 2022-12-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in the web server crashing. An attacker can send a crafted URI to trigger this vulnerability. | |||||
| CVE-2022-3661 | 1 Google | 1 Chrome | 2022-12-08 | N/A | 4.3 MEDIUM |
| Insufficient data validation in Extensions in Google Chrome prior to 107.0.5304.62 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low) | |||||
| CVE-2022-28383 | 1 Verbatim | 8 Executive Fingerprint Secure Ssd, Executive Fingerprint Secure Ssd Firmware, Fingerprint Secure Portable Hard Drive and 5 more | 2022-12-08 | 4.6 MEDIUM | 6.8 MEDIUM |
| An issue was discovered in certain Verbatim drives through 2022-03-31. Due to insufficient firmware validation, an attacker can store malicious firmware code for the USB-to-SATA bridge controller on the USB drive (e.g., by leveraging physical access during the supply chain). This code is then executed. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428, Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0, Executive Fingerprint Secure SSD GDMSFE01-INI3637-C VER1.1, and Fingerprint Secure Portable Hard Drive Part Number #53650. | |||||
| CVE-2017-14438 | 1 Moxa | 2 Edr-810, Edr-810 Firmware | 2022-12-08 | 5.0 MEDIUM | 7.5 HIGH |
| Exploitable denial of service vulnerabilities exists in the Service Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted packet can cause a denial of service. An attacker can send a large packet to 4000/tcp to trigger this vulnerability. | |||||
| CVE-2017-14439 | 1 Moxa | 2 Edr-810, Edr-810 Firmware | 2022-12-08 | 5.0 MEDIUM | 7.5 HIGH |
| Exploitable denial of service vulnerabilities exists in the Service Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted packet can cause a denial of service. An attacker can send a large packet to 4001/tcp to trigger this vulnerability. | |||||
| CVE-2022-26336 | 2 Apache, Netapp | 2 Poi, Active Iq Unified Manager | 2022-12-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1. | |||||
| CVE-2020-12351 | 1 Linux | 1 Linux Kernel | 2022-12-06 | 5.8 MEDIUM | 8.8 HIGH |
| Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||||
| CVE-2022-40265 | 1 Mitsubishielectric | 12 R04encpu, R04encpu Firmware, R08encpu and 9 more | 2022-12-06 | N/A | 7.5 HIGH |
| Improper Input Validation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series RJ71EN71 Firmware version "65" and prior and Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120ENCPU Network Part Firmware version "65" and prior allows a remote unauthenticated attacker to cause a Denial of Service condition by sending specially crafted packets. A system reset is required for recovery. | |||||
| CVE-2018-3852 | 1 Onssi | 1 Ocularis | 2022-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| An exploitable denial of service vulnerability exists in the Ocularis Recorder functionality of Ocularis 5.5.0.242. A specially crafted TCP packet can cause a process to terminate resulting in denial of service. An attacker can send a crafted TCP packet to trigger this vulnerability. | |||||
| CVE-2022-31779 | 3 Apache, Debian, Fedoraproject | 3 Traffic Server, Debian Linux, Fedora | 2022-12-03 | N/A | 7.5 HIGH |
| Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||||
| CVE-2021-25746 | 1 Kubernetes | 1 Ingress-nginx | 2022-12-02 | 5.5 MEDIUM | 7.1 HIGH |
| A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. | |||||
| CVE-2021-25745 | 1 Kubernetes | 1 Ingress-nginx | 2022-12-02 | 5.5 MEDIUM | 8.1 HIGH |
| A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. | |||||
| CVE-2022-39338 | 1 Nextcloud | 1 Openid Connect User Backend | 2022-12-01 | N/A | 5.4 MEDIUM |
| user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery urls which may lead to a stored cross site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally this vulnerability has only been shown to be exploitable in the Safari web browser. This issue has been addressed in version 1.2.1. Users are advised to upgrade. Users unable to upgrade should urge their users to avoid using the Safari web browser. | |||||
| CVE-2019-6555 | 1 Hornerautomation | 1 Cscape | 2022-11-30 | 6.8 MEDIUM | 7.8 HIGH |
| Cscape, 9.80 SP4 and prior. An improper input validation vulnerability may be exploited by processing specially crafted POC files. This may allow an attacker to read confidential information and remotely execute arbitrary code. | |||||
| CVE-2022-40266 | 1 Mitsubishielectric | 6 Got2000 Gt23, Got2000 Gt23 Firmware, Got2000 Gt25 and 3 more | 2022-11-30 | N/A | 6.5 MEDIUM |
| Improper Input Validation vulnerability in Mitsubishi Electric GOT2000 Series GT27 model FTP server versions 01.39.000 and prior, Mitsubishi Electric GOT2000 Series GT25 model FTP server versions 01.39.000 and prior and Mitsubishi Electric GOT2000 Series GT23 model FTP server versions 01.39.000 and prior allows a remote authenticated attacker to cause a Denial of Service condition by sending specially crafted command. | |||||
| CVE-2020-26291 | 1 Uri.js Project | 1 Uri.js | 2022-11-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.] | |||||