CVE漏洞

OGeek|极客世界-中国程序员成长平台 › 门户 › 漏洞›CVE漏洞

RSS

CVE-2022-1152

The Menubar WordPress plugin before 5.8 does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action (available to any authenticated users), ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：30 | 回复：0
CVE-2022-1153

The LayerSlider WordPress plugin before 7.1.2 does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perfor ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：38 | 回复：0
CVE-2022-1156

The Books Papers WordPress plugin through 0.20210223 does not escape its Custom DB prefix settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：34 | 回复：0
CVE-2022-1228

The Opensea WordPress plugin before 1.0.3 does not sanitize and escape some of its settings, like its Referer address field, which could allow high privilege users to perform Cross-Site Scripting atta ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：29 | 回复：0
CVE-2022-1390

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：28 | 回复：0
CVE-2022-1391

The Cab fare calculator WordPress plugin through 1.0.3 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：33 | 回复：0
CVE-2022-1392

The Videos sync PDF WordPress plugin through 1.7.4 does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：27 | 回复：0
CVE-2022-1396

The Donorbox WordPress plugin before 7.1.7 does not sanitise and escape its Campaign URL settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unf ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：21 | 回复：0
CVE-2022-22392

IBM Planning Analytics Local 2.0 could allow an attacker to upload arbitrary executable files which, when executed by an unsuspecting victim could result in code execution. IBM X-Force ID: 222066.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：25 | 回复：0
CVE-2022-24792

PJSIP is a free and open source multimedia communication library written in C. A denial-of-service vulnerability affects applications on a 32-bit systems that use PJSIP versions 2.12 and prior to play ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：40 | 回复：0
CVE-2022-26596

Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pa ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：47 | 回复：0
CVE-2022-26597

Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to i ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：77 | 回复：0
CVE-2022-27374

Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via the function sub_42E328 at /goform/SysToolReboot.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：153 | 回复：0
CVE-2022-27375

Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via the function sub_422168 at /goform/WifiExtraSet.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：63 | 回复：0
CVE-2022-0477

An issue has been discovered in GitLab affecting all versions starting from 11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all versions starting from 14.7.0 before 14.7.1. GitLab ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：59 | 回复：0
CVE-2022-1441

MP4Box is a component of GPAC-2.0.0, which is a widely-used third-party package on RPM Fusion. When MP4Box tries to parse a MP4 file, it calls the function `diST_box_read()` to read from video. In thi ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：74 | 回复：0
CVE-2022-25866

The package czproject/git-php before 4.0.3 are vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and ref ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：60 | 回复：0
CVE-2022-28290

Reflective Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. The XSS payload executes whenever the user tries to access the country selector page with the specifie ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：93 | 回复：0
CVE-2022-29417

Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin = 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：137 | 回复：0
CVE-2022-29418

Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels Night Mode plugin = 1.0.0 on WordPress via vulnerable parameters: ntmode_page_setting, ntmode_page_setting, ntmode ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：96 | 回复：0
CVE-2022-29419

SQL Injection (SQLi) vulnerability in Don Crowther's 3xSocializer plugin = 0.98.22 at WordPress possible for users with a low role like a subscriber or higher.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：69 | 回复：0
CVE-2021-35250

A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：67 | 回复：0
CVE-2022-23457

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(Str ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：51 | 回复：0
CVE-2022-24880

flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, he `captcha.validate()` function wou ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：47 | 回复：0
CVE-2022-29499

The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：62 | 回复：0
CVE-2022-29806

ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：59 | 回复：0
CVE-2022-24706

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommen ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：64 | 回复：0
CVE-2022-27299

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the component room.php.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：82 | 回复：0
CVE-2022-27468

Monstaftp v2.10.3 was discovered to contain an arbitrary file upload which allows attackers to execute arbitrary code via a crafted file uploaded to the web server.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：115 | 回复：0
CVE-2022-27469

Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF).……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：95 | 回复：0
CVE-2022-27984

CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：93 | 回复：0
CVE-2022-27985

CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：80 | 回复：0
CVE-2022-1173

stored xss in GitHub repository getgrav/grav prior to 1.7.33.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：52 | 回复：0
CVE-2022-23942

Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure.……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：56 | 回复：0
CVE-2022-24881

Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：59 | 回复：0
CVE-2022-24882

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides and empty password ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：77 | 回复：0
CVE-2022-24883

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：60 | 回复：0
CVE-2022-28218

An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user p ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：90 | 回复：0
CVE-2021-26628

Insufficient script validation of the admin page enables XSS, which causes unauthorized users to steal admin privileges. When uploading file in a specific menu, the verification of the files is insuff ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：63 | 回复：0
CVE-2021-26629

A path traversal vulnerability in XPLATFORM's runtime archive function could lead to arbitrary file creation. When the .xzip archive file is decompressed, an arbitrary file can be d in the parent ...……

作者：菜鸟教程小白 | 时间：2022-6-23 10:17 | 阅读：94 | 回复：0