2022-09-19
2022-09-19 16:15Z
HIGH

CVE-2022-38618 — Bpcbt Smartvista: SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id88

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-38618

SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id88, UserForm:j_id90, and UserForm:j_id92 parameters at /SVFE2/pages/feegroups/country_group.jsf. CVSSv3.1 8.8 (HIGH) · EPSS 50th percentile

CWECWE 89VNDBpcbtVNDSmartvistaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-19
2022-09-19 16:15Z
HIGH

CVE-2022-38577 — Processmaker Processmaker: This vulnerability allows attackers to escalate normal users to Administrators.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-38577

ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators. CVSSv3.1 8.8 (HIGH) · EPSS 73th percentile

CWECWE 281VNDProcessmakerTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-19
2022-09-19 13:15Z
HIGH

CVE-2022-38617 — Bpcbt Smartvista: SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the voiceAudit:j_id97

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-38617

SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the voiceAudit:j_id97 parameter at /SVFE2/pages/audit/voiceaudit.jsf. CVSSv3.1 8.8 (HIGH) · EPSS 55th percentile

CWECWE 89VNDBpcbtVNDSmartvistaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-16
2022-09-16 03:15Z
CRIT

CVE-2022-36536 — Syncovery Syncovery: KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36536

An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens. CVSSv3.1 9.8 (CRITICAL) · EPSS 91th percentile

CWECWE 330VNDSyncoveryTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-09-16
2022-09-16 03:15Z
HIGH

CVE-2022-36534 — Syncovery Syncovery: KG Syncovery 9 for Linux v9.47x and below was discovered to contain multiple remote

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36534

Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain multiple remote code execution (RCE) vulnerabilities via the Job_ExecuteBefore and Job_ExecuteAfter parameters at post_profilesettings.php. CVSSv3.1 8.8 (HIGH) · EPSS 99th percentile

VNDSyncoveryVNDSuperTYPVulnerability
8.8
CVSS v3.1
100
Edit Score
2022-09-16
2022-09-16 03:15Z
MED

CVE-2022-36533 — Syncovery Syncovery: KG Syncovery 9 for Linux v9.47x and below was discovered to contain a cross-site

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36533

Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain a cross-site scripting (XSS) vulnerability. CVSSv3.1 5.4 (MEDIUM) · EPSS 99th percentile

CWECWE 79VNDSyncoveryVNDSuperTYPVulnerability
5.4
CVSS v3.1
90
Edit Score
2022-09-16
2022-09-16 03:15Z
HIGH

CVE-2022-36532 — Bolt Bolt_cms: CMS contains a vulnerability in version 5.1.12 and below that allows an authenticated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36532

Bolt CMS contains a vulnerability in version 5.1.12 and below that allows an authenticated user with the ROLE_EDITOR privileges to upload and rename a malicious file to achieve remote code execution. CVSSv3.1 8.8 (HIGH) · EPSS 98th percentile

VNDBoltTYPVulnerability
8.8
CVSS v3.1
100
Edit Score
728 × 90 / responsive · programmatic ad slot
2022-09-15
2022-09-15 13:15Z
CRIT

CVE-2022-37257 — Stealjs Steal: Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-37257

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. CVSSv3.1 9.8 (CRITICAL) · EPSS 62th percentile

CWECWE 1321VNDPrototypeVNDStealjsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-09-13
2022-09-13 12:15Z
HIGH

CVE-2022-38616 — Bpcbt Smartvista_front-end: SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id90

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-38616

SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id90 parameter at /feegroups/tgrt_group.jsf. CVSSv3.1 8.8 (HIGH) · EPSS 58th percentile

CWECWE 89VNDBpcbtVNDSmartvistaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-09
2022-09-09 20:15Z
HIGH

CVE-2022-36110 — Netmaker Netmaker: Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36110

Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1. CVSSv3.1 8.8 (HIGH) · EPSS 53th percentile

CWECWE 285CWECWE 1220VNDNetmakerTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-09
2022-09-09 17:15Z
HIGH

CVE-2022-38615 — Bpcbt Smartvista_front-end: SmartVista SVFE2 v2.2.22 was discovered to contain multiple SQL injection vulnerabilities via the UserForm:j_id88

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-38615

SmartVista SVFE2 v2.2.22 was discovered to contain multiple SQL injection vulnerabilities via the UserForm:j_id88, UserForm:j_id90, and UserForm:j_id92 parameters at /SVFE2/pages/feegroups/service_group.jsf. CVSSv3.1 8.8 (HIGH) · EPSS 56th percentile

CWECWE 89VNDBpcbtVNDSmartvistaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-08
2022-09-08 12:15Z
HIGH

CVE-2022-30079 — Netgear R6200: Command injection vulnerability was discovered in Netgear R6200 v2 firmware through R6200v2-V1.0.3.12 via binary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-30079

Command injection vulnerability was discovered in Netgear R6200 v2 firmware through R6200v2-V1.0.3.12 via binary /sbin/acos_service that could allow remote authenticated attackers the ability to modify values in the vulnerable parameter. CVSSv3.1 8.8 (HIGH) · EPSS 98th percentile

CWECWE 78VNDNetgearVNDCommandTYPVulnerability
8.8
CVSS v3.1
100
Edit Score
2022-09-08
2022-09-08 01:15Z
HIGH

CVE-2022-37144 — Plextrac Plextrac: The PlexTrac platform prior to API version 1.17.0 does not restrict excessive MFA TOTP

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-37144

The PlexTrac platform prior to API version 1.17.0 does not restrict excessive MFA TOTP submission attempts. An unauthenticated remote attacker in possession of a valid username and password can bruteforce their way past MFA protections to login as the targeted user. CVSSv3.1 8.8 (HIGH) · EPSS 52th percentile

CWECWE 307VNDPlextracTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-07
2022-09-07 19:15Z
HIGH

CVE-2022-30078 — Netgear R6200_firmware: R6200_V2 firmware versions through R6200v2-V1.0.3.12_10.1.11 and R6300_V2 firmware versions through R6300v2-V1.0.4.52_10.0.93 allow remote

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-30078

NETGEAR R6200_V2 firmware versions through R6200v2-V1.0.3.12_10.1.11 and R6300_V2 firmware versions through R6300v2-V1.0.4.52_10.0.93 allow remote authenticated attackers to execute arbitrary command via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameters. CVSSv3.1 8.8 (HIGH) · EPSS 76th percentile

CWECWE 78VNDNetgearTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2022-09-06
2022-09-06 18:15Z
HIGH

CVE-2022-2542 — Summitmediaconcepts Ucontext_for_clickbank: The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2542

The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into CVSSv3.1 8.8 (HIGH) · EPSS 58th percentile

CWECWE 352VNDSummitmediaconceptsVNDClickbankTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-06
2022-09-06 18:15Z
HIGH

CVE-2022-2541 — Summitmediaconcepts Ucontext_for_amazon: The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2541

The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into per CVSSv3.1 8.8 (HIGH) · EPSS 58th percentile

CWECWE 352VNDAmazonVNDSummitmediaconceptsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-06
2022-09-06 18:15Z
HIGH

CVE-2022-2540 — Link_optimizer_lite_project Link_optimizer_lite: The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2540

The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on CVSSv3.1 8.8 (HIGH) · EPSS 40th percentile

CWECWE 352VNDLink Optimizer Lite ProjectVNDLinkTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-06
2022-09-06 18:15Z
HIGH

CVE-2022-2518 — Berocket Stockists_manager_for_woocommerce: The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2518

The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 43th percentile

CWECWE 352VNDBerocketVNDStockistsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-06
2022-09-06 18:15Z
MED

CVE-2022-2461 — Transposh Transposh_wordpress_translation: The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2461

The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site. CVSSv3.1 5.3 (MEDIUM) · EPSS 95th percentile

CWECWE 862VNDTransposhTYPVulnerability
5.3
CVSS v3.1
82
Edit Score
2022-09-06
2022-09-06 18:15Z
HIGH

CVE-2022-2436 — W3eden Download_manager: The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2436

The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in versions up to, and including 3.2.49. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the CVSSv3.1 8.8 (HIGH) · EPSS 78th percentile

CWECWE 502VNDW3edenVNDDownloadTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-06
2022-09-06 18:15Z
HIGH

CVE-2022-2434 — Instawp String_locator: The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2434

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP CVSSv3.1 8.8 (HIGH) · EPSS 90th percentile

CWECWE 502VNDInstawpTYPVulnerability
8.8
CVSS v3.1
96
Edit Score
2022-09-06
2022-09-06 18:15Z
HIGH

CVE-2022-2233 — Banner_cycler_project Banner_cycler: The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2233

The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the pabc_admin_slides_postback() function found in the ~/admin/admin.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link CVSSv3.1 8.8 (HIGH) · EPSS 55th percentile

CWECWE 352VNDBanner Cycler ProjectVNDBannerTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-09-02
2022-09-02 21:15Z
CRIT

CVE-2022-36640 — Influxdata Influxdb: The default settings do NOT enable authentication and authorization."

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36640

influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and aut CVSSv3.1 9.8 (CRITICAL) · EPSS 79th percentile

CWECWE 276VNDInfluxdataTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-08-31
2022-08-31 21:15Z
CRIT

CVE-2022-36202 — Doctor\'s_appointment_system_project Doctor\'s_appointment_system: Doctor's Appointment System1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36202

Doctor's Appointment System1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php. The settings.php is affected by Broken Access Control (IDOR) via id= parameter. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile

CWECWE 639VNDAppointmentVNDDoctor S Appointment System ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-08-30
2022-08-30 16:15Z
CRIT

CVE-2022-37176 — Tendacn Ac6_firmware: Tenda AC6(AC1200) v5.0 Firmware v02.03.01.114 and below contains a vulnerability which allows attackers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-37176

Tenda AC6(AC1200) v5.0 Firmware v02.03.01.114 and below contains a vulnerability which allows attackers to remove the Wi-Fi password and force the device into open security mode via a crafted packet sent to goform/setWizard. CVSSv3.1 9.8 (CRITICAL) · EPSS 57th percentile

VNDTendaVNDTendacnTYPVulnerability
9.8
CVSS v3.1
99
Edit Score