Total
1786 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23064 | 1 Snipeitapp | 1 Snipe-it | 2022-05-10 | 6.8 MEDIUM | 8.8 HIGH |
| In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which once clicked lead to an attacker controlled server and thus leading to password reset token leak. This leads to account take over. | |||||
| CVE-2021-3027 | 1 Librit | 1 Passhport | 2022-05-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| app/views_mod/user/user.py in LibrIT PaSSHport through 2.5 is affected by LDAP Injection. There is an information leak through the crafting of special queries, escaping the provided search filter because user input gets no sanitization. | |||||
| CVE-2021-28979 | 1 Thalesgroup | 1 Safenet Keysecure | 2022-05-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| SafeNet KeySecure Management Console 8.12.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. | |||||
| CVE-2020-9757 | 1 Craftcms | 1 Craft Cms | 2022-04-26 | 7.5 HIGH | 9.8 CRITICAL |
| The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller. | |||||
| CVE-2022-28345 | 1 Signal | 1 Signal | 2022-04-26 | 5.0 MEDIUM | 7.5 HIGH |
| The Signal app before 5.34 for iOS allows URI spoofing via RTLO injection. It incorrectly renders RTLO encoded URLs beginning with a non-breaking space, when there is a hash character in the URL. This technique allows a remote unauthenticated attacker to send legitimate looking links, appearing to be any website URL, by abusing the non-http/non-https automatic rendering of URLs. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively. | |||||
| CVE-2021-29210 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2022-04-25 | 3.5 LOW | 4.8 MEDIUM |
| A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2021-29209 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2022-04-25 | 3.5 LOW | 4.8 MEDIUM |
| A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2021-29208 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2022-04-25 | 3.5 LOW | 4.8 MEDIUM |
| A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2022-24832 | 1 Thoughtworks | 1 Gocd | 2022-04-19 | 4.9 MEDIUM | 6.8 MEDIUM |
| GoCD is an open source a continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g alternate fields, usernames, hashed passwords etc) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and only is exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144. | |||||
| CVE-2019-11354 | 1 Ea | 1 Origin | 2022-04-18 | 6.8 MEDIUM | 7.8 HIGH |
| The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices communication. | |||||
| CVE-2021-22055 | 1 Vmware | 1 Photon Os | 2022-04-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| The SchedulerServer in Vmware photon allows remote attackers to inject logs through \r in the package parameter. Attackers can also insert malicious data and fake entries. | |||||
| CVE-2022-1287 | 1 School Club Application System Project | 1 School Club Application System | 2022-04-15 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability classified as critical was found in School Club Application System 1.0. This vulnerability affects a request to the file /scas/classes/Users.php?f=save_user. The manipulation with a POST request leads to privilege escalation. The attack can be initiated remotely and does not require authentication. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2019-12303 | 1 Suse | 1 Rancher | 2022-04-13 | 6.5 MEDIUM | 8.8 HIGH |
| In Rancher 2 through 2.2.3, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container. | |||||
| CVE-2022-25420 | 1 Nttr | 1 Goo Blog | 2022-04-04 | 7.5 HIGH | 9.8 CRITICAL |
| NTT Resonant Incorporated goo blog App Web Application 1.0 is vulnerable to CLRF injection. This vulnerability allows attackers to execute arbitrary code via a crafted HTTP request. | |||||
| CVE-2021-26069 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2022-03-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. | |||||
| CVE-2022-23701 | 1 Hpe | 2 Integrated Lights-out, Integrated Lights-out 4 | 2022-03-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A potential remote host header injection security vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) firmware version(s): Prior to 2.60. This vulnerability could be remotely exploited to allow an attacker to supply invalid input to the iLO 4 webserver, causing it to respond with a redirect to an attacker-controlled domain. HPE has provided a firmware update to resolve this vulnerability in HPE Integrated Lights-Out 4 (iLO 4). | |||||
| CVE-2022-25337 | 1 Ibexa | 1 Ez Platform Kernel | 2022-03-03 | 6.8 MEDIUM | 9.8 CRITICAL |
| Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows injection attacks via image filenames. | |||||
| CVE-2004-1157 | 1 Opera | 1 Opera Browser | 2022-02-28 | 7.5 HIGH | N/A |
| Opera 7.x up to 7.54, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. | |||||
| CVE-2004-2570 | 1 Opera | 1 Opera Browser | 2022-02-28 | 5.0 MEDIUM | N/A |
| Opera before 7.54 allows remote attackers to modify properties and methods of the location object and execute Javascript to read arbitrary files from the client's local filesystem or display a false URL to the user. | |||||
| CVE-2005-3007 | 1 Opera | 1 Opera Browser | 2022-02-28 | 2.6 LOW | N/A |
| Opera before 8.50 allows remote attackers to spoof the content type of files via a filename with a trailing "." (dot), which might allow remote attackers to trick users into processing dangerous content. | |||||