2022-11-29
2022-11-29 21:15Z
HIGH

CVE-2022-3383 — Ultimatemember Ultimate_member: The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-3383

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server. CVSSv3.1 7.2 (HIGH) · EPSS 97th percentile

CWECWE 94VNDUltimatememberVNDUltimateTYPVulnerability
7.2
CVSS v3.1
96
Edit Score
2022-11-29
2022-11-29 17:15Z
HIGH

CVE-2022-46152 — Trustedfirmware Op-tee: Therefore, an attacker in the normal world can craft an SMC call that will

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-46152

OP-TEE Trusted OS is the secure side implementation of OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0, contain an Improper Validation of Array Index vulnerability. The function `cleanup_shm_refs()` is called by both `entry_invoke_command()` and `entry_open_session()`. The commands `OPTEE_MSG_CMD_OPEN_SESSION` and `OPTEE_MSG_CMD_INVOKE_COMMAND` can be executed from the normal world via an OP-TEE SMC. This function is not validating the `num_params` a CVSSv3.1 8.2 (HIGH) · EPSS 62th percentile

CWECWE 129VNDTeeVNDTrustedfirmwareTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2022-11-28
2022-11-28 15:15Z
HIGH

CVE-2022-31877 — Msi Center: An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-31877

An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet. CVSSv3.1 8.8 (HIGH) · EPSS 35th percentile

CWECWE 345VNDMsiTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-11-25
2022-11-25 17:15Z
CRIT

CVE-2022-45207 — Jeecg Jeecg_boot: Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component updateNullByEmptyString.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-45207

Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component updateNullByEmptyString. CVSSv3.1 9.8 (CRITICAL) · EPSS 56th percentile

CWECWE 89VNDJeecgTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-11-25
2022-11-25 17:15Z
CRIT

CVE-2022-45206 — Jeecg Jeecg_boot: Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-45206

Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check. CVSSv3.1 9.8 (CRITICAL) · EPSS 51th percentile

CWECWE 89VNDJeecgTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-11-25
2022-11-25 17:15Z
CRIT

CVE-2022-37721 — Pyrocms Pyrocms: 3.9 is vulnerable to a stored Cross Site Scripting (XSS_ when a low

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-37721

PyroCMS 3.9 is vulnerable to a stored Cross Site Scripting (XSS_ when a low privileged user such as an author, injects a crafted html and javascript payload in a blog post, leading to full admin account takeover or privilege escalation. CVSSv3.1 9.0 (CRITICAL) · EPSS 49th percentile

CWECWE 79VNDPyrocmsTYPVulnerability
9.0
CVSS v3.1
95
Edit Score
2022-11-25
2022-11-25 16:15Z
CRIT

CVE-2022-37720 — Orchardcore Orchard_cms: Orchardproject Orchard CMS 1.10.3 is vulnerable to Cross Site Scripting (XSS).

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-37720

Orchardproject Orchard CMS 1.10.3 is vulnerable to Cross Site Scripting (XSS). When a low privileged user such as an author or publisher, injects a crafted html and javascript payload in a blog post, leading to full admin account takeover or privilege escalation when the malicious blog post is loaded in the victim's browser. CVSSv3.1 9.0 (CRITICAL) · EPSS 57th percentile

CWECWE 79VNDOrchardcoreVNDOrchardprojectTYPVulnerability
9.0
CVSS v3.1
95
Edit Score
728 × 90 / responsive · programmatic ad slot
2022-11-22
2022-11-22 14:15Z
CRIT

CVE-2022-44194 — Netgear R7000p_firmware: R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameters apmode_dns1_pri and apmode_dns1_sec.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-44194

Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameters apmode_dns1_pri and apmode_dns1_sec. CVSSv3.1 9.8 (CRITICAL) · EPSS 69th percentile

CWECWE 787VNDNetgearTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-11-22
2022-11-22 14:15Z
CRIT

CVE-2022-42989 — Sankhya Sankhya_om: ERP Sankhya before v4.11b81 was discovered to contain a cross-site scripting (XSS) vulnerability via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-42989

ERP Sankhya before v4.11b81 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Caixa de Entrada. CVSSv3.1 9.0 (CRITICAL) · EPSS 59th percentile

CWECWE 79VNDErpVNDSankhyaTYPVulnerability
9.0
CVSS v3.1
95
Edit Score
2022-11-22
2022-11-22 01:15Z
CRIT

CVE-2022-40842 — Ndk-design Ndkadvancedcustomizationfields: ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Server-side request forgery (SSRF) via rotateimg.php.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-40842

ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Server-side request forgery (SSRF) via rotateimg.php. CVSSv3.1 9.1 (CRITICAL) · EPSS 52th percentile

CWECWE 918VNDNdk DesignVNDNdkadvancedcustomizationfieldsTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2022-11-22
2022-11-22 01:15Z
CRIT

CVE-2022-36180 — Fusiondirectory Fusiondirectory: 1.3 is vulnerable to Cross Site Scripting (XSS) via /fusiondirectory/index.php?message=[injection], /fusiondirectory/index.php?message=invalidparamete

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36180

Fusiondirectory 1.3 is vulnerable to Cross Site Scripting (XSS) via /fusiondirectory/index.php?message=[injection], /fusiondirectory/index.php?message=invalidparameter&plug={Injection], /fusiondirectory/index.php?signout=1&message=[injection]&plug=106. CVSSv3.1 9.6 (CRITICAL) · EPSS 60th percentile

CWECWE 79VNDFusiondirectoryTYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2022-11-22
2022-11-22 01:15Z
CRIT

CVE-2022-36179 — Fusiondirectory Fusiondirectory: 1.3 suffers from Improper Session Handling.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36179

Fusiondirectory 1.3 suffers from Improper Session Handling. CVSSv3.1 9.8 (CRITICAL) · EPSS 62th percentile

CWECWE 613VNDFusiondirectoryTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-11-21
2022-11-21 13:15Z
HIGH

CVE-2022-3861 — Muffingroup Betheme: The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-3861

The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with subscriber level permissions and above to inject a PHP Object CVSSv3.1 8.8 (HIGH) · EPSS 89th percentile

CWECWE 502VNDMuffingroupVNDBethemeTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2022-11-18
2022-11-18 08:15Z
HIGH

CVE-2022-24037 — Karmasis Infraskope_siem\+: Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-24037

Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to obtain critical information. CVSSv3.1 8.2 (HIGH) · EPSS 65th percentile

CWECWE 20VNDKarmasisTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2022-11-16
2022-11-16 14:15Z
HIGH

CVE-2022-4021 — Permalink_manager_lite_project Permalink_manager_lite: The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-4021

The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. This is due to missing or incorrect nonce validation on the extra_actions function. This makes it possible for unauthenticated attackers to change plugin settings including permalinks and site maps, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 37th percentile

CWECWE 352VNDPermalink Manager Lite ProjectVNDPermalinkTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-11-16
2022-11-16 12:15Z
HIGH

CVE-2022-24036 — Karmasis Infraskope_siem\+: Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-24036

Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to modificate logs. CVSSv3.1 8.6 (HIGH) · EPSS 78th percentile

CWECWE 284VNDKarmasisTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2022-11-16
2022-11-16 09:15Z
CRIT

CVE-2022-45047 — Apache Sshd: Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-45047

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server. CVSSv3.1 9.8 (CRITICAL) · EPSS 90th percentile

CWECWE 502VNDApacheVNDClassTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-11-15
2022-11-15 14:15Z
HIGH

CVE-2022-3240 — Follow_me_plugin_project Follow_me_plugin: The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-3240

The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. This is due to missing nonce validation on the FollowMeIgniteSocialMedia_options_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 54th percentile

CWECWE 352VNDFollow Me Plugin ProjectTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-11-15
2022-11-15 01:15Z
CRIT

CVE-2022-42122 — Liferay Dxp: A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-42122

A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL. CVSSv3.1 9.8 (CRITICAL) · EPSS 52th percentile

CWECWE 89VNDLiferayTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-11-15
2022-11-15 01:15Z
HIGH

CVE-2022-42121 — Liferay Liferay_portal: A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-42121

A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field. CVSSv3.1 8.8 (HIGH) · EPSS 61th percentile

CWECWE 89VNDLiferayTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-11-15
2022-11-15 01:15Z
CRIT

CVE-2022-42120 — Liferay Dxp: A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-42120

A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute. CVSSv3.1 9.8 (CRITICAL) · EPSS 53th percentile

CWECWE 89VNDLiferayTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-11-10
2022-11-10 16:15Z
CRIT

CVE-2022-45063 — Invisible-island Xterm: before 375 allows code execution via font ops, e.g., because an OSC 50

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-45063

xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions. CVSSv3.1 9.8 (CRITICAL) · EPSS 95th percentile

CWECWE 77VNDInvisible IslandVNDFedoraprojectTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-11-10
2022-11-10 15:15Z
CRIT

CVE-2022-44089 — Ecisp Espcms: P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-44089

ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component IS_GETCACHE. CVSSv3.1 9.8 (CRITICAL) · EPSS 73th percentile

CWECWE 94VNDEcispVNDEspcmsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-11-10
2022-11-10 15:15Z
CRIT

CVE-2022-44088 — Ecisp Espcms: P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-44088

ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION. CVSSv3.1 9.8 (CRITICAL) · EPSS 97th percentile

CWECWE 94VNDEcispVNDEspcmsTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-11-10
2022-11-10 15:15Z
CRIT

CVE-2022-44087 — Ecisp Espcms: P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-44087

ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component UPFILE_PIC_ZOOM_HIGHT. CVSSv3.1 9.8 (CRITICAL) · EPSS 73th percentile

CWECWE 94VNDEcispVNDEspcmsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score