Total
324 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-39216 | 1 Combodo | 1 Itop | 2024-11-21 | N/A | 7.4 HIGH |
| Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1. | |||||
| CVE-2022-38970 | 2 Hipcam, Iegeek | 3 Realserver, Ig20, Ig20 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
| ieGeek IG20 hipcam RealServer V1.0 is vulnerable to Incorrect Access Control. The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices. | |||||
| CVE-2022-37400 | 1 Apache | 1 Openoffice | 2024-11-21 | N/A | 8.8 HIGH |
| Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice | |||||
| CVE-2022-36536 | 2 Linux, Syncovery | 2 Linux Kernel, Syncovery | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens. | |||||
| CVE-2022-36045 | 1 Nodebb | 1 Nodebb | 2024-11-21 | N/A | 9.0 CRITICAL |
| NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in essentially all versions of NodeBB (as far back as v1.0.1 and potentially earlier) used a cryptographically insecure Pseudo-random number generator (`Math.random()`), which meant that a specially crafted script combined with multiple invocations of the password reset functionality could enable an attacker to correctly calculate the reset code for an account they do not have access to. This vulnerability impacts all installations of NodeBB. The vulnerability allows for an attacker to take over any account without the involvement of the victim, and as such, the remediation should be applied immediately (either via NodeBB upgrade or cherry-pick of the specific changeset. The vulnerability has been patched in version 2.x and 1.19.x. There is no known workaround, but the patch sets listed above will fully patch the vulnerability. | |||||
| CVE-2022-36022 | 1 Eclipse | 1 Deeplearning4j | 2024-11-21 | N/A | 5.3 MEDIUM |
| Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots as Deeplearning4J plan to publish a release with the fix at a later date. As a workaround, download a word2vec google news vector from a new source using git lfs from here. | |||||
| CVE-2022-34295 | 1 Totd Project | 1 Totd | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| totd before 1.5.3 does not properly randomize mesg IDs. | |||||
| CVE-2022-33707 | 1 Samsung | 1 Find My Mobile | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper identifier creation logic in Find My Mobile prior to version 7.2.24.12 allows attacker to identify the device. | |||||
| CVE-2022-32296 | 1 Linux | 1 Linux Kernel | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. This occurs because of use of Algorithm 4 ("Double-Hash Port Selection Algorithm") of RFC 6056. | |||||
| CVE-2022-32284 | 1 Yokogawa | 2 Aw810d, Aw810d Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| Use of insufficiently random values vulnerability exists in Vnet/IP communication module VI461 of YOKOGAWA Wide Area Communication Router (WAC Router) AW810D, which may allow a remote attacker to cause denial-of-service (DoS) condition by sending a specially crafted packet. | |||||
| CVE-2022-31157 | 1 Packback | 1 Lti 1.3 Tool Library | 2024-11-21 | N/A | 7.5 HIGH |
| LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the function used to generate random nonces was not sufficiently cryptographically complex. Users should upgrade to version 5.0 to receive a patch. There are currently no known workarounds. | |||||
| CVE-2022-31034 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 6.8 MEDIUM | 8.3 HIGH |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-30935 | 1 B2evolution | 1 B2evolution | 2024-11-21 | N/A | 9.1 CRITICAL |
| An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed in a default installation of version 7.2.3. Earlier versions are affected, possibly earlier major versions as well. | |||||
| CVE-2022-30782 | 1 Openmoney Api Project | 1 Openmoney Api | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Openmoney API through 2020-06-29 uses the JavaScript Math.random function, which does not provide cryptographically secure random numbers. | |||||
| CVE-2022-30629 | 1 Golang | 1 Go | 2024-11-21 | N/A | 3.1 LOW |
| Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. | |||||
| CVE-2022-30295 | 2 Uclibc, Uclibc-ng Project | 2 Uclibc, Uclibc-ng | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| uClibc-ng through 1.0.40 and uClibc through 0.9.33.2 use predictable DNS transaction IDs that may lead to DNS cache poisoning. This is related to a reset of a value to 0x2. | |||||
| CVE-2022-29930 | 1 Jetbrains | 1 Ktor | 2024-11-21 | 4.0 MEDIUM | 8.7 HIGH |
| SHA1 implementation in JetBrains Ktor Native 2.0.0 was returning the same value. The issue was fixed in Ktor version 2.0.1. | |||||
| CVE-2022-29808 | 1 Quest | 1 Kace Systems Management Appliance | 2024-11-21 | N/A | 7.5 HIGH |
| In Quest KACE Systems Management Appliance (SMA) through 12.0, predictable token generation occurs when appliance linking is enabled. | |||||
| CVE-2022-29330 | 1 Vitalpbx | 1 Vitalpbx | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors. | |||||
| CVE-2022-29035 | 1 Jetbrains | 1 Ktor | 2024-11-21 | 4.0 MEDIUM | 3.3 LOW |
| In JetBrains Ktor Native before version 2.0.0 random values used for nonce generation weren't using SecureRandom implementations | |||||