2022-08-29
2022-08-29 21:15Z
CRIT

CVE-2022-32993 — Totolink A7000r_firmware: A7000R V4.1cu.4134 was discovered to contain an access control issue via /cgi-bin/ExportSettings.sh.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-32993

TOTOLINK A7000R V4.1cu.4134 was discovered to contain an access control issue via /cgi-bin/ExportSettings.sh. CVSSv3.1 9.8 (CRITICAL) · EPSS 52th percentile

VNDTotolinkTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-08-28
2022-08-28 17:15Z
CRIT

CVE-2022-38555 — Linksys E1200_firmware: E1200 v1.0.04 is vulnerable to Buffer Overflow via ej_get_web_page_name.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-38555

Linksys E1200 v1.0.04 is vulnerable to Buffer Overflow via ej_get_web_page_name. CVSSv3.1 9.8 (CRITICAL) · EPSS 96th percentile

CWECWE 787VNDLinksysTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-08-28
2022-08-28 16:15Z
CRIT

CVE-2022-37053 — Trendnet Tew733gr_firmware: TEW733GR v1.03B01 is vulnerable to Command injection via /htdocs/upnpinc/gena.php.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-37053

TRENDnet TEW733GR v1.03B01 is vulnerable to Command injection via /htdocs/upnpinc/gena.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 84th percentile

CWECWE 94VNDTrendnetTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-08-23
2022-08-23 12:15Z
CRIT

CVE-2021-42627 — Dlink Dir-615_firmware: The WAN configuration page "wan.htm" on D-Link DIR-615 devices with firmware 20.06 can be

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-42627

The WAN configuration page "wan.htm" on D-Link DIR-615 devices with firmware 20.06 can be accessed directly without authentication which can lead to disclose the information about WAN settings and also leverage attacker to modify the data fields of page. CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile

VNDDlinkVNDWanTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-08-23
2022-08-23 01:15Z
CRIT

CVE-2021-42232 — Tp-link Archer_a7_firmware: Archer A7 Archer A7(US)_V5_210519 is affected by a command injection vulnerability in /usr/bin/tddp.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-42232

TP-Link Archer A7 Archer A7(US)_V5_210519 is affected by a command injection vulnerability in /usr/bin/tddp. The vulnerability is caused by the program taking part of the received data packet as part of the command. This will cause an attacker to execute arbitrary commands on the router. CVSSv3.1 9.8 (CRITICAL) · EPSS 86th percentile

CWECWE 78VNDTp LinkVNDLinkTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-08-19
2022-08-19 15:15Z
CRIT

CVE-2022-35201 — Tenda Ac18_firmware: Tenda-AC18 V15.03.05.05 was discovered to contain a remote command execution (RCE) vulnerability.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-35201

Tenda-AC18 V15.03.05.05 was discovered to contain a remote command execution (RCE) vulnerability. CVSSv3.1 9.8 (CRITICAL) · EPSS 76th percentile

VNDTendaTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-08-19
2022-08-19 02:15Z
HIGH

CVE-2022-35167 — Prinitix Cloud_print_management: Printix Cloud Print Management v1.3.1149.0 for Windows was discovered to contain insecure permissions.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-35167

Printix Cloud Print Management v1.3.1149.0 for Windows was discovered to contain insecure permissions. CVSSv3.1 8.8 (HIGH) · EPSS 57th percentile

CWECWE 732VNDPrintixVNDPrinitixTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2022-08-15
2022-08-15 12:15Z
CRIT

CVE-2022-36262 — Taogogo Taocms: in the website settings that allows arbitrary php code to be injected by modifying

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36262

An issue was discovered in taocms 3.0.2. in the website settings that allows arbitrary php code to be injected by modifying config.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 71th percentile

CWECWE 94VNDTaogogoTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-08-10
2022-08-10 12:15Z
CRIT

CVE-2022-36323 — Siemens Scalance_m-800_firmware: This could allow an authenticated remote attacker with administrative privileges to inject code or

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-36323

Affected devices do not properly sanitize an input field. This could allow an authenticated remote attacker with administrative privileges to inject code or spawn a system root shell. CVSSv3.1 9.1 (CRITICAL) · EPSS 68th percentile

CWECWE 74VNDSiemensTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2022-08-05
2022-08-05 07:15Z
CRIT

CVE-2022-37434 — Zlib Zlib: through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-37434

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). CVSSv3.1 9.8 (CRITICAL) · EPSS 97th percentile

CWECWE 120CWECWE 787VNDFedoraprojectVNDZlibTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-08-01
2022-08-01 20:15Z
CRIT

CVE-2022-31321 — Boltcms Bolt: The foldername parameter in Bolt 5.1.7 was discovered to have incorrect input validation, allowing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-31321

The foldername parameter in Bolt 5.1.7 was discovered to have incorrect input validation, allowing attackers to perform directory enumeration or cause a Denial of Service (DoS) via a crafted input. CVSSv3.1 9.1 (CRITICAL) · EPSS 50th percentile

CWECWE 20VNDBoltVNDBoltcmsTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2022-07-29
2022-07-29 13:15Z
CRIT

CVE-2022-1277 — Inavitas Solar_log: Solar Log product has an unauthenticated SQL Injection vulnerability.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-1277

Inavitas Solar Log product has an unauthenticated SQL Injection vulnerability. CVSSv3.1 9.4 (CRITICAL) · EPSS 52th percentile

CWECWE 89VNDInavitasTYPVulnerability
9.4
CVSS v3.1
97
Edit Score
2022-07-28
2022-07-28 21:15Z
CRIT

CVE-2021-41556 — Squirrel-lang Squirrel: sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-41556

sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScr CVSSv3.1 10.0 (CRITICAL) · EPSS 85th percentile

CWECWE 125VNDFedoraprojectVNDSquirrel LangTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2022-07-25
2022-07-25 21:15Z
CRIT

CVE-2022-35131 — Joplinapp Joplin: v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-35131

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles. CVSSv3.1 9.0 (CRITICAL) · EPSS 79th percentile

CWECWE 79VNDJoplinVNDJoplinappTYPVulnerability
9.0
CVSS v3.1
96
Edit Score
2022-07-18
2022-07-18 17:15Z
HIGH

CVE-2022-2444 — Themeisle Visualizer: The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2444

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also presen CVSSv3.1 8.8 (HIGH) · EPSS 86th percentile

CWECWE 502VNDThemeisleVNDVisualizerTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2022-07-18
2022-07-18 17:15Z
HIGH

CVE-2022-2443 — Freemind_wp_browser_project Freemind_wp_browser: The FreeMind WP Browser plugin for WordPress is vulnerable to Cross-Site Request Forgery in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2443

The FreeMind WP Browser plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.2. This is due to missing nonce protection on the FreemindOptions() function found in the ~/freemind-wp-browser.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 44th percentile

CWECWE 352VNDFreemind Wp Browser ProjectVNDFreemindTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-07-18
2022-07-18 17:15Z
CRIT

CVE-2022-2437 — Slickremix Feed_them_social: The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2437

The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including 2.9.8.5. This makes it possible for unauthenticated attackers to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacke CVSSv3.1 9.8 (CRITICAL) · EPSS 93th percentile

CWECWE 502VNDSlickremixVNDFeedTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-07-18
2022-07-18 17:15Z
HIGH

CVE-2022-2435 — Anymind Anymind_widget: The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2435

The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1. This is due to missing nonce protection on the createDOMStructure() function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 68th percentile

CWECWE 352VNDAnymindTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-07-18
2022-07-18 17:15Z
HIGH

CVE-2022-2039 — Livesupporti Free_live_chat_support: The Free Live Chat Support plugin for WordPress is vulnerable to Cross-Site Request Forgery

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2039

The Free Live Chat Support plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.0.11. This is due to missing nonce protection on the livesupporti_settings() function found in the ~/livesupporti.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 51th percentile

CWECWE 352VNDLivesupportiVNDFreeTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-07-18
2022-07-18 17:15Z
HIGH

CVE-2022-2001 — Devrix Dx_share_selection: The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2001

The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 55th percentile

CWECWE 352VNDDevrixVNDShareTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-07-18
2022-07-18 17:15Z
HIGH

CVE-2022-1912 — Smartsoft Button_widget_smartsoft: The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-1912

The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation on the smartsoftbutton_settings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 41th percentile

CWECWE 352VNDSmartsoftVNDButtonTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-07-18
2022-07-18 17:15Z
HIGH

CVE-2022-1565 — Wpallimport Wp_all_import: The plugin WP All Import is vulnerable to arbitrary file uploads due to missing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-1565

The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible. CVSSv3.1 7.2 (HIGH) · EPSS 98th percentile

CWECWE 434VNDWpallimportVNDImportTYPVulnerability
7.2
CVSS v3.1
100
Edit Score
2022-07-15
2022-07-15 14:15Z
CRIT

CVE-2022-35409 — Arm Mbed_tls: This can cause a server crash or possibly information disclosure based on error responses.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-35409

An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the c CVSSv3.1 9.1 (CRITICAL) · EPSS 84th percentile

CWECWE 125VNDArmVNDTrustedfirmwareTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2022-07-15
2022-07-15 12:15Z
HIGH

CVE-2022-32119 — Arox School_erp_pro: School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-32119

Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1finance_master.inc.php. CVSSv3.1 8.8 (HIGH) · EPSS 78th percentile

CWECWE 434VNDAroxTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2022-07-14
2022-07-14 14:15Z
HIGH

CVE-2022-30024 — Tp-link Tl-wr841_firmware: A buffer overflow in the httpd daemon on TP-Link TL-WR841N V12 (firmware version 3.16.9)

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-30024

A buffer overflow in the httpd daemon on TP-Link TL-WR841N V12 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the System Tools of the Wi-Fi network. This affects TL-WR841 V12 TL-WR841N(EU)_V12_160624 and TL-WR841 V11 TL-WR841N(EU)_V11_160325 , TL-WR841N_V11_150616 and TL-WR841 V10 TL-WR841N_V10_150310 are also affected. CVSSv3.1 8.8 (HIGH) · EPSS 80th percentile

CWECWE 120VNDTp LinkTYPVulnerability
8.8
CVSS v3.1
95
Edit Score