Total: 356 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-43449 | 1 Openharmony | 1 Openharmony | 2024-11-21 | N/A | 6.2 MEDIUM | OpenHarmony-v3.1.2 and prior versions had an arbitrary file read vulnerability via download_server. Local attackers can install a malicious application on the device and reveal any file from the filesystem that is accessible to the download_server service, which runs with UID 1000.
CVE-2022-42234 | 1 Ucms Project | 1 Ucms | 2024-11-21 | N/A | 8.8 HIGH | There is a file inclusion vulnerability in the template management module in UCMS 1.6.
CVE-2022-41710 | 1 Markdownify Project | 1 Markdownify | 2024-11-21 | N/A | 5.5 MEDIUM | Markdownify version 1.4.1 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Markdownify. This is possible because the application does not have a CSP policy (or at least not a strict enough one) and/or does not properly validate the contents of markdown files before rendering them.
CVE-2022-41343 | 1 Dompdf Project | 1 Dompdf | 2024-11-21 | N/A | 7.5 HIGH | registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.
CVE-2022-40126 | 1 Clash Project | 1 Clash | 2024-11-21 | N/A | 7.8 HIGH | A misconfiguration in the Service Mode profile directory of Clash for Windows v0.19.9 allows attackers to escalate privileges and execute arbitrary commands when Service Mode is activated.
CVE-2022-3691 | 1 Fluenx | 1 Deepl Pro Api Translation | 2024-11-21 | N/A | 7.5 HIGH | The DeepL Pro API translation plugin WordPress plugin before 1.7.5 discloses sensitive information (including the DeepL API key) in files that are publicly accessible to an external, unauthenticated visitor.
CVE-2022-3287 | 1 Fwupd | 1 Fwupd | 2024-11-21 | N/A | 6.5 MEDIUM | When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file.
CVE-2022-39208 | 1 Onedev Project | 1 Onedev | 2024-11-21 | N/A | 7.5 HIGH | Onedev is an open source, self-hosted Git server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. This issue has been resolved in version 7.3.0 and users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-37424 | 2 Linux, Opennebula | 2 Linux Kernel, Opennebula | 2024-11-21 | N/A | 6.5 MEDIUM | Files or Directories Accessible to External Parties vulnerability in OpenNebula on Linux allows File Discovery.
CVE-2022-36552 | 1 Tendacn | 2 Ac6, Ac6 Firmware | 2024-11-21 | N/A | 7.5 HIGH | Tenda AC6 (AC1200) v5.0 Firmware v02.03.01.114 and below contains an issue in the component /cgi-bin/DownloadFlash which allows attackers to steal all data, such as source code and system files, via a crafted GET request.
CVE-2022-36306 | 1 Airspan | 2 Airvelocity 1500, Airvelocity 1500 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM | An authenticated attacker can enumerate and download sensitive files, including the eNodeB's web management UI's TLS private key, the web server binary, and the web server configuration file. These vulnerabilities were found in AirVelocity 1500 running software version 9.3.0.01249, were still present in 15.18.00.2511, and may affect other AirVelocity and AirSpeed models.
CVE-2022-34049 | 1 Wavlink | 2 Wl-wn530hg4, Wl-wn530hg4 Firmware | 2024-11-21 | N/A | 5.3 MEDIUM | An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows unauthenticated attackers to download log files and configuration data.
CVE-2022-33686 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 2.3 LOW | Exposure of Sensitive Information in GsmAlarmManager prior to SMR Jul-2022 Release 1 allows a local attacker to access the ICCID via log.
CVE-2022-33158 | 2 Microsoft, Trendmicro | 2 Windows, Vpn Proxy One Pro | 2024-11-21 | N/A | 7.8 HIGH | Trend Micro VPN Proxy Pro version 5.2.1026 and below contains a vulnerability involving some overly permissive folders in a key directory, which could allow a local attacker to obtain privilege escalation on an affected system.
CVE-2022-32143 | 1 Codesys | 2 Plcwinnt, Runtime Toolkit | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | In multiple CODESYS products, the file download and upload function allows access to internal files in the working directory, e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if a remote attacker has previously authenticated successfully to the controller. A successful attack may lead to a denial of service, change of local files, or drain of confidential information. User interaction is not required.
CVE-2022-30428 | 1 Ginadmin Project | 1 Ginadmin | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading.
CVE-2022-2981 | 1 Wpchill | 1 Download Monitor | 2024-11-21 | N/A | 4.9 MEDIUM | The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders and are not sensitive, allowing high-privilege users such as admin to download wp-config.php or /etc/passwd even in a hardened environment or multisite setup.
CVE-2022-2834 | 1 Helpful Project | 1 Helpful | 2024-11-21 | N/A | 5.3 MEDIUM | The Helpful WordPress plugin before 4.5.26 puts the exported logs and feedback in a publicly accessible location with guessable names, which could allow attackers to download them and retrieve sensitive information such as IP addresses, names and email addresses, depending on the plugin's settings.
CVE-2022-2392 | 1 Lana | 1 Lana Downloads Manager | 2024-11-21 | N/A | 6.5 MEDIUM | The Lana Downloads Manager WordPress plugin before 1.8.0 is affected by an arbitrary file download vulnerability that can be exploited by users with "Contributor" permissions or higher.
CVE-2022-2357 | 1 Wsm Downloader Project | 1 Wsm Downloader | 2024-11-21 | N/A | 7.5 HIGH | The WSM Downloader WordPress plugin through 1.4.0 allows any visitor to use its remote file download feature to download any local files, including sensitive ones like wp-config.php.