Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2022-44088 — Ecisp Espcms: P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION. CVSSv3.1 9.8 (CRITICAL) · EPSS 97th percentile
CVE-2022-44087 — Ecisp Espcms: P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component UPFILE_PIC_ZOOM_HIGHT. CVSSv3.1 9.8 (CRITICAL) · EPSS 73th percentile
CVE-2022-41106 — Microsoft 365_apps: Excel Remote Code Execution Vulnerability
Microsoft Excel Remote Code Execution Vulnerability CVSSv3.1 8.8 (HIGH) · EPSS 95th percentile
CVE-2022-3852 — Vr_calendar_project Vr_calendar: The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions
The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to delete, and modify calendars as well as the plugin settings, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 58th percentile
CVE-2022-3776 — Oracle Restaurant_menu_-_food_ordering_system_-_table_reservation: The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is
The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.1. This is due to missing or incorrect nonce validation on several functions called via AJAX actions such as forms_action, set_option, & chosen_options to name a few . This makes it possible for unauthenticated attackers to perform a variety of administrative actions like modifying forms, via a forged request gra CVSSv3.1 8.8 (HIGH) · EPSS 73th percentile
CVE-2022-3786 — Openssl Openssl: This buffer overflow could result in a crash (causing a denial of service).
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the CVSSv3.1 7.5 (HIGH) · EPSS 96th percentile
CVE-2022-3602 — Openssl Openssl: This buffer overflow could result in a crash (causing a denial of service) or
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer CVSSv3.1 7.5 (HIGH) · EPSS 99th percentile
CVE-2022-3708 — Google Web_stories: The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions
The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. CVSSv3.1 9.6 (CRITICAL) · EPSS 78th percentile
CVE-2022-43340 — Dzzoffice Dzzoffice: A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user
A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users. CVSSv3.1 8.8 (HIGH) · EPSS 33th percentile
CVE-2022-38580 — Zalando Skipper: v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF).
Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF). CVSSv3.1 9.8 (CRITICAL) · EPSS 95th percentile
CVE-2022-41415 — Acer Altos_w2000h-w570h_f4_firmware: This vulnerability allows attackers to cause a Denial of Service (DoS) via injecting crafted
Acer Altos W2000h-W570h F4 R01.03.0018 was discovered to contain a stack overflow in the RevserveMem component. This vulnerability allows attackers to cause a Denial of Service (DoS) via injecting crafted shellcode into the NVRAM variable. CVSSv3.1 9.8 (CRITICAL) · EPSS 67th percentile
CVE-2022-40055 — Gxgroup Gpon_ont_titanium_2122a_firmware: An issue in GX Group GPON ONT Titanium 2122A T2122-V1.26EXL allows attackers to escalate
An issue in GX Group GPON ONT Titanium 2122A T2122-V1.26EXL allows attackers to escalate privileges via a brute force attack at the login page. CVSSv3.1 9.8 (CRITICAL) · EPSS 52th percentile
CVE-2022-33106 — Wijungle U250_firmware: NGFW Version U250 was discovered to be vulnerable to No Rate Limit attack
WiJungle NGFW Version U250 was discovered to be vulnerable to No Rate Limit attack, allowing the attacker to brute force the admin password leading to Account Take Over. CVSSv3.1 9.8 (CRITICAL) · EPSS 53th percentile
CVE-2022-31765 — Siemens 6gk6108-4am00-2ba2_firmware: This could allow low privileged users to escalate their privileges.
Affected devices do not properly authorize the change password function of the web interface. This could allow low privileged users to escalate their privileges. CVSSv3.1 8.8 (HIGH) · EPSS 66th percentile
CVE-2022-36635 — Zkteco Zkbiosecurity_v5000: ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the
ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do. CVSSv3.1 8.8 (HIGH) · EPSS 97th percentile
CVE-2022-36634 — Zkteco Zkbiosecurity_v5000: An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create
An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request. CVSSv3.1 8.8 (HIGH) · EPSS 68th percentile
CVE-2022-39269 — Teluu Pjsip: When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to
PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There CVSSv3.1 9.1 (CRITICAL) · EPSS 44th percentile
CVE-2022-40341 — Mojoportal Mojoportal: v2.7 was discovered to contain an arbitrary file upload vulnerability which allows attackers
mojoPortal v2.7 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PNG file. CVSSv3.1 8.8 (HIGH) · EPSS 63th percentile
CVE-2022-35156 — Phpgurukul Bus_pass_management_system: Bus Pass Management System 1.0 was discovered to contain a SQL Injection vulnerability via
Bus Pass Management System 1.0 was discovered to contain a SQL Injection vulnerability via the searchdata parameter at /buspassms/download-pass.php.. CVSSv3.1 9.8 (CRITICAL) · EPSS 66th percentile
CVE-2022-40030 — Simple_task_managing_system_project Simple_task_managing_system: SourceCodester Simple Task Managing System v1.0 was discovered to contain a SQL injection vulnerability
SourceCodester Simple Task Managing System v1.0 was discovered to contain a SQL injection vulnerability via the bookId parameter at changeStatus.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 64th percentile
CVE-2022-0495 — Parantezteknoloji Koha_library_automation: The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has
The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01. CVSSv3.1 9.4 (CRITICAL) · EPSS 61th percentile
CVE-2022-2315 — Databank Accreditation_tracking\/presentation_module: Database Software Accreditation Tracking/Presentation Module product before version 2 has an unauthenticated SQL Injection
Database Software Accreditation Tracking/Presentation Module product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2. CVSSv3.1 9.4 (CRITICAL) · EPSS 55th percentile
CVE-2022-38619 — Bpcbt Smartvista_front-end: SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id90
SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id90 parameter at /SVFE2/pages/feegroups/mcc_group.jsf. CVSSv3.1 9.8 (CRITICAL) · EPSS 56th percentile
CVE-2022-2177 — Kayrasoft Kayrasoft: product before version 2 has an unauthenticated SQL Injection vulnerability.
Kayrasoft product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2. CVSSv3.1 9.4 (CRITICAL) · EPSS 55th percentile
CVE-2022-38618 — Bpcbt Smartvista: SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id88
SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id88, UserForm:j_id90, and UserForm:j_id92 parameters at /SVFE2/pages/feegroups/country_group.jsf. CVSSv3.1 8.8 (HIGH) · EPSS 50th percentile