CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2022-0537 | The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the ... | 7.2 | HIGH | No | 0 |
| CVE-2022-0709 | The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of its booking calendar, but this token is returned in the json response to unauthenticated u... | 7.5 | HIGH | No | 0 |
| CVE-2022-27131 | An arbitrary file upload vulnerability at /zbzedit/php/zbz.php in zbzcms v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-33436 | NoMachine for Windows prior to version 6.15.1 and 7.5.2 suffers from local privilege escalation due to the lack of safe DLL loading. This vulnerability allows local non-privileged users to perform DLL ... | 7.3 | HIGH | No | 0 |
| CVE-2021-41921 | novel-plus V3.6.1 allows unrestricted file uploads. Unrestricted file suffixes and contents can lead to server attacks and arbitrary code execution. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-24935 | Lexmark products through 2022-02-10 have Incorrect Access Control. | 7.5 | HIGH | No | 0 |
| CVE-2022-29152 | The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an XSS payload from the AppPortal cookie into the page. | 6.1 | MEDIUM | No | 0 |
| CVE-2021-41945 | Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`. | 9.1 | CRITICAL | No | 0 |
| CVE-2022-24873 | Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. User... | 5.4 | MEDIUM | No | 0 |
| CVE-2022-28101 | Turtlapp Turtle Note v0.7.2.6 does not filter the `<meta>` tag during markdown parsing, allowing attackers to execute HTML injection. | 9.0 | CRITICAL | No | 0 |
| CVE-2022-28102 | A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Generator v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected at /edit-db.php. | 5.4 | MEDIUM | No | 0 |
| CVE-2021-43930 | Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate download requests, enabling malicious users to perform path traversal attacks and potentially download ar... | 4.9 | MEDIUM | No | 0 |
| CVE-2021-43932 | Elcomplus SmartPTT is vulnerable when an attacker injects JavaScript code into a specific parameter that can be executed upon accessing the dashboard or the main page. | 9.0 | CRITICAL | No | 0 |
| CVE-2021-43934 | Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate upload requests, enabling a malicious user to potentially upload arbitrary files. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-43939 | Elcomplus SmartPTT is vulnerable when a low-authenticated user can access higher level administration authorization by issuing requests directly to the desired endpoints. | 8.8 | HIGH | No | 0 |
| CVE-2022-1511 | Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. | 6.5 | MEDIUM | No | 0 |
| CVE-2022-22781 | The Zoom Client for Meetings for MacOS (Standard and for IT Admin) prior to version 5.9.6 failed to properly check the package version during the update process. This could lead to a malicious actor u... | 7.5 | HIGH | No | 0 |
| CVE-2022-22782 | The Zoom Client for Meetings for Windows prior to version 5.9.7, Zoom Rooms for Conference Room for Windows prior to version 5.10.0, Zoom Plugins for Microsoft Outlook for Windows prior to version 5.1... | 7.9 | HIGH | No | 0 |
| CVE-2022-22783 | A vulnerability in Zoom On-Premise Meeting Connector Controller version 4.8.102.20220310 and On-Premise Meeting Connector MMR version 4.8.102.20220310 exposes process memory fragments to connected cli... | 6.5 | MEDIUM | No | 0 |
| CVE-2022-24879 | Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the C... | 7.5 | HIGH | No | 0 |
| CVE-2022-24892 | Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the... | 6.4 | MEDIUM | No | 0 |
| CVE-2022-28114 | DSCMS v3.0 was discovered to contain an arbitrary file deletion vulnerability via /controller/Adv.php. | 9.1 | CRITICAL | No | 0 |
| CVE-2022-27413 | Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the adminname parameter in admin.php. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-28117 | A Server-Side Request Forgery (SSRF) in the feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the fe... | 4.9 | MEDIUM | No | 0 |
| CVE-2021-38952 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality ... | 5.4 | MEDIUM | No | 0 |
| CVE-2022-1514 | Stored XSS via upload plugin functionality in zip format in GitHub repository neorazorx/facturascripts prior to 2022.06. Cross-site scripting attacks can have devastating consequences. Code injected i... | 5.4 | MEDIUM | No | 0 |
| CVE-2022-22322 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality ... | 5.4 | MEDIUM | No | 0 |
| CVE-2022-22427 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality ... | 6.1 | MEDIUM | No | 0 |
| CVE-2022-22441 | IBM InfoSphere Information Server 11.7 could allow an authenticated user to view information of higher privileged users and groups due to a privilege escalation vulnerability. IBM X-Force ID: 224426. | 6.5 | MEDIUM | No | 0 |
| CVE-2025-49062 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cornfeed WP-jScrollPane wp-jscrollpane allows Reflected XSS. This issue affects WP-jScrollPane: fro... | N/A | NONE | No | 0 |
| CVE-2022-22443 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality ... | 5.4 | MEDIUM | No | 0 |
| CVE-2022-27860 | Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) in Shea Bunge's Footer Text plugin <= 2.0.3 on WordPress. | 6.1 | MEDIUM | No | 0 |
| CVE-2022-28892 | Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable. | 8.8 | HIGH | No | 0 |
| CVE-2022-29415 | Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Mati Skiba @ Rav Messer's Ravpage plugin <= 2.16 at WordPress. | 6.1 | MEDIUM | No | 0 |
| CVE-2022-29584 | Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action... | 5.4 | MEDIUM | No | 0 |
| CVE-2022-24449 | Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-29585 | In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (ra... | 7.5 | HIGH | No | 0 |
| CVE-2022-29410 | Authenticated SQL Injection (SQLi) vulnerability in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allows attackers with Subscriber or higher user roles to execute SQLi attack via (&ids). | 7.4 | HIGH | No | 0 |
| CVE-2022-29411 | SQL Injection (SQLi) vulnerability in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allows attackers to execute SQLi attack via (&id). | 8.3 | HIGH | No | 0 |
| CVE-2022-29412 | Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allow attackers to delete cache, delete a source, create source. | 5.4 | MEDIUM | No | 0 |
| CVE-2022-29413 | Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress via &title parameter. | 4.7 | MEDIUM | No | 0 |
| CVE-2022-29903 | The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must t... | 4.3 | MEDIUM | No | 0 |
| CVE-2022-24898 | org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a scrip... | 4.9 | MEDIUM | No | 0 |
| CVE-2022-28060 | SQL Injection vulnerability in Victor CMS v1.0, via the user_name parameter to /includes/login.php. | 7.5 | HIGH | No | 0 |
| CVE-2022-28454 | Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS). | 6.1 | MEDIUM | No | 0 |
| CVE-2022-28477 | WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS). | 6.1 | MEDIUM | No | 0 |
| CVE-2022-29555 | The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2 allows Cross-Origin Websocket Hijacking. | 8.8 | HIGH | No | 0 |
| CVE-2022-29556 | The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant acti... | 9.8 | CRITICAL | No | 0 |
| CVE-2023-20582 | Improper handling of invalid nested page table entries in the IOMMU may allow a privileged attacker to induce page table entry (PTE) faults to bypass RMP checks in SEV-SNP, potentially leading to a lo... | 5.3 | MEDIUM | No | 0 |
| CVE-2022-29904 | The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints. | 9.8 | CRITICAL | No | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.