2022-06-06
2022-06-06 23:15Z
HIGH

CVE-2022-27438 — Caphyon Advanced_installer: Ltd Advanced Installer 19.3 and earlier and many products that use the updater

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-27438

Caphyon Ltd Advanced Installer 19.3 and earlier and many products that use the updater from Advanced Installer (Advanced Updater) are affected by a remote code execution vulnerability via the CustomDetection parameter in the update check function. To exploit this vulnerability, a user must start an affected installation to trigger the update check. CVSSv3.1 8.1 (HIGH) · EPSS 82th percentile

CWECWE 494VNDCaphyonVND3cxVNDBoomTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2022-06-06
2022-06-06 22:15Z
CRIT

CVE-2022-32511 — Jmespath Jmespath: jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-32511

jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable. CVSSv3.1 9.8 (CRITICAL) · EPSS 84th percentile

VNDFedoraprojectVNDJmespathTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-06-02
2022-06-02 19:15Z
CRIT

CVE-2021-42875 — Totolink Ex1200t_firmware: EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDiagnosisCfg of

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-42875

TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDiagnosisCfg of the file lib/cste_modules/system.so to control the ipDoamin. CVSSv3.1 9.8 (CRITICAL) · EPSS 91th percentile

CWECWE 78VNDTotolinkTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-06-02
2022-06-02 18:15Z
CRIT

CVE-2022-29704 — Browsbox Brows_box: CMS v4.0 was discovered to contain a SQL injection vulnerability.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-29704

BrowsBox CMS v4.0 was discovered to contain a SQL injection vulnerability. CVSSv3.1 9.8 (CRITICAL) · EPSS 64th percentile

CWECWE 89VNDBrowsboxTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-06-02
2022-06-02 14:15Z
CRIT

CVE-2022-30490 — Badminton_center_management_system_project Badminton_center_management_system: Badminton Center Management System V1.0 is vulnerable to SQL Injection via parameter 'id' in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-30490

Badminton Center Management System V1.0 is vulnerable to SQL Injection via parameter 'id' in /bcms/admin/court_rentals/update_status.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 66th percentile

CWECWE 89VNDBadminton Center Management System ProjectVNDBadmintonTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-06-02
2022-06-02 14:15Z
HIGH

CVE-2022-30034 — Flower_project Flower: Flower, a web UI for the Celery Python RPC framework, all versions as of

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-30034

Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022 is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. CVSSv3.1 8.6 (HIGH) · EPSS 68th percentile

CWECWE 287VNDFlower ProjectVNDFlowerTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2022-06-02
2022-06-02 14:15Z
CRIT

CVE-2022-28945 — Webbank Webcube: An issue in Webbank WeCube v3.2.2 allows attackers to execute a directory traversal via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-28945

An issue in Webbank WeCube v3.2.2 allows attackers to execute a directory traversal via a crafted ZIP file. CVSSv3.1 9.8 (CRITICAL) · EPSS 78th percentile

CWECWE 22VNDWebbankTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
728 × 90 / responsive · programmatic ad slot
2022-06-02
2022-06-02 14:15Z
CRIT

CVE-2022-24240 — Aceware Aceweb_online_portal: ACEweb Online Portal 3.5.065 was discovered to contain a SQL injection vulnerability via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-24240

ACEweb Online Portal 3.5.065 was discovered to contain a SQL injection vulnerability via the criteria parameter in showschedule.awp. CVSSv3.1 9.8 (CRITICAL) · EPSS 61th percentile

CWECWE 89VNDAcewareVNDAcewebTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-06-02
2022-06-02 14:15Z
CRIT

CVE-2022-24239 — Aceware Aceweb_online_portal: ACEweb Online Portal 3.5.065 was discovered to contain an unrestricted file upload vulnerability via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-24239

ACEweb Online Portal 3.5.065 was discovered to contain an unrestricted file upload vulnerability via attachments.awp. CVSSv3.1 9.8 (CRITICAL) · EPSS 66th percentile

CWECWE 434VNDAcewareVNDAcewebTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-06-02
2022-06-02 14:15Z
CRIT

CVE-2021-42872 — Totolink Ex1200t_firmware: EX1200T V4.1.2cu.5215 is affected by a command injection vulnerability that can remotely execute

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-42872

TOTOLINK EX1200T V4.1.2cu.5215 is affected by a command injection vulnerability that can remotely execute arbitrary code. CVSSv3.1 9.8 (CRITICAL) · EPSS 94th percentile

CWECWE 78VNDTotolinkTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-05-26
2022-05-26 17:15Z
HIGH

CVE-2022-22576 — Haxx Curl: An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-22576

An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). CVSSv3.1 8.1 (HIGH) · EPSS 57th percentile

CWECWE 306CWECWE 287VNDNetappVNDHaxxTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2022-05-25
2022-05-25 16:15Z
HIGH

CVE-2022-27305 — Gibbonedu Gibbon: v23 does not generate a new session ID cookie after a user authenticates

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-27305

Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. CVSSv3.1 8.8 (HIGH) · EPSS 59th percentile

CWECWE 384VNDGibboneduVNDGibbonTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-05-23
2022-05-23 18:16Z
HIGH

CVE-2022-28944 — Emcosoftware Msi_package_builder: The impact is: execute arbitrary code (remote).

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-28944

Certain EMCO Software products are affected by: CWE-494: Download of Code Without Integrity Check. This affects MSI Package Builder for Windows 9.1.4 and Remote Installer for Windows 6.0.13 and Ping Monitor for Windows 8.0.18 and Remote Shutdown for Windows 7.2.2 and WakeOnLan 2.0.8 and Network Inventory for Windows 5.8.22 and Network Software Scanner for Windows 2.0.8 and UnLock IT for Windows 6.1.1. The impact is: execute arbitrary code (remote). The component is: Updater. CVSSv3.1 8.8 (HIGH)

CWECWE 494VNDCertainVNDEmcosoftwareTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-05-23
2022-05-23 16:16Z
HIGH

CVE-2022-30014 — Simple_food_website_project Simple_food_website: Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF)

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-30014

Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account. CVSSv3.1 8.8 (HIGH) · EPSS 45th percentile

CWECWE 352VNDSimple Food Website ProjectVNDLumidekTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-05-23
2022-05-23 16:16Z
CRIT

CVE-2022-28932 — Dlink Dsl-g2452dg_firmware: D-Link DSL-G2452DG HW:T1\\tFW:ME_2.00 was discovered to contain insecure permissions.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-28932

D-Link DSL-G2452DG HW:T1\\tFW:ME_2.00 was discovered to contain insecure permissions. CVSSv3.1 9.8 (CRITICAL) · EPSS 86th percentile

CWECWE 276VNDDlinkVNDLinkTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-05-16
2022-05-16 14:15Z
CRIT

CVE-2022-29351 — Tiddlywiki Tiddlywiki5: An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-29351

An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. Note: The vendor argues that this is not a legitimate issue and there is no vulnerability here. CVSSv3.1 9.8 (CRITICAL) · EPSS 82th percentile

CWECWE 434VNDTiddlywikiTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-05-13
2022-05-13 13:15Z
HIGH

CVE-2020-22983 — Microstrategy Microstrategy_web: A Server-Side Request Forgery (SSRF) vulnerability exists in MicroStrategy Web SDK 11.1 and earlier

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-22983

A Server-Side Request Forgery (SSRF) vulnerability exists in MicroStrategy Web SDK 11.1 and earlier, allows remote unauthenticated attackers to conduct a server-side request forgery (SSRF) attack via the srcURL parameter to the shortURL task. CVSSv3.1 8.1 (HIGH) · EPSS 81th percentile

CWECWE 918VNDMicrostrategyTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2022-05-10
2022-05-10 21:15Z
MED

CVE-2022-26934 — Microsoft 365_apps: Windows Graphics Component Information Disclosure Vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-26934

Windows Graphics Component Information Disclosure Vulnerability CVSSv3.1 6.5 (MEDIUM) · EPSS 95th percentile

VNDMicrosoftTYPVulnerability
6.5
CVSS v3.1
88
Edit Score
2022-05-10
2022-05-10 20:15Z
CRIT

CVE-2022-1505 — Carrcommunications Rsvpmaker: The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-1505

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.6. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile

CWECWE 89VNDCarrcommunicationsVNDRsvpmakerTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-05-10
2022-05-10 20:15Z
MED

CVE-2022-1476 — Servmask All-in-one_wp_migration: The All-in-One WP Migration plugin for WordPress is vulnerable to arbitrary file deletion via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-1476

The All-in-One WP Migration plugin for WordPress is vulnerable to arbitrary file deletion via directory traversal due to insufficient file validation via the ~/lib/model/class-ai1wm-backups.php file, in versions up to, and including, 7.58. This can be exploited by administrative users, and users who have access to the site's secret key. CVSSv3.1 6.6 (MEDIUM) · EPSS 97th percentile

CWECWE 22VNDServmaskVNDOneTYPVulnerability
6.6
CVSS v3.1
94
Edit Score
2022-05-10
2022-05-10 20:15Z
CRIT

CVE-2022-1453 — Carrcommunications Rsvpmaker: The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-1453

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.5. CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile

CWECWE 89VNDCarrcommunicationsVNDRsvpmakerTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-05-10
2022-05-10 20:15Z
HIGH

CVE-2022-1442 — Wpmet Metform_elementor_contact_form_builder: The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-1442

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3. CVSSv3.1 7.5 (HIGH) · EPSS 99th percentile

CWECWE 862VNDWpmetVNDMetformTYPVulnerability
7.5
CVSS v3.1
100
Edit Score
2022-05-04
2022-05-04 18:38Z
INFO

Impacket 0.10.0

Impacket releases·github.com

Impacket 0.10.0 released with significant library improvements including Python 2.7 deprecation, refactored testing infrastructure, and multiple new attack capabilities. Notable additions include MS-DSSP protocol implementation, ADCS ESC1/ESC6 attack support, Shadow Credentials attack, Kerberos Key List attack implementation, and enhanced ntlmrelayx.py with multi-relay and StartTLS support.

SRFNetworkTACTA0006SRFIdentityTACTA0008VNDImpacketTYPToolSTGDiscoverySTGCred Access
78
Edit Score
2022-05-04
2022-05-04 15:15Z
CRIT

CVE-2022-29347 — Web\@rchiv_project Web\@rchiv: An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-29347

An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands via a crafted PHP file. CVSSv3.1 9.8 (CRITICAL) · EPSS 79th percentile

CWECWE 434VNDWeb Rchiv ProjectTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-05-04
2022-05-04 15:15Z
CRIT

CVE-2022-28568 — Simple_doctor\'s_appointment_system_project Simple_doctor\'s_appointment_system: Sourcecodester Doctor's Appointment System 1.0 is vulnerable to File Upload to RCE via Image

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-28568

Sourcecodester Doctor's Appointment System 1.0 is vulnerable to File Upload to RCE via Image upload from the administrator panel. An attacker can obtain remote command execution just by knowing the path where the images are stored. CVSSv3.1 9.8 (CRITICAL) · EPSS 89th percentile

CWECWE 434VNDSourcecodesterVNDSimple Doctor S Appointment System ProjectTYPVulnerability
9.8
CVSS v3.1
100
Edit Score