CVE漏洞

OStack程序员社区-中国程序员成长平台 › 门户 › 漏洞›CVE漏洞

RSS

CVE-2022-2189

The WP Video Lightbox WordPress plugin before 1.9.5 does not escape the $_SERVER parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web brow ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：1095 | 回复：0
CVE-2022-2219

The Unyson WordPress plugin before 2.7.27 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：658 | 回复：0
CVE-2022-2239

The Request a Quote WordPress plugin through 2.3.7 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：935 | 回复：0
CVE-2022-2240

The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection o ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：664 | 回复：0
CVE-2022-2299

The Allow SVG Files WordPress plugin through 1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：1102 | 回复：0
CVE-2022-2340

The W-DALIL WordPress plugin through 2.0 does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the u ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：930 | 回复：0
CVE-2022-2341

The Simple Page Transition WordPress plugin through 1.4.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：928 | 回复：0
CVE-2020-28422

All versions of package git-archive are vulnerable to Command Injection via the exports function.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：608 | 回复：0
CVE-2020-28435

This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：645 | 回复：0
CVE-2020-28436

This affects all versions of package google-cloudstorage-commands.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：586 | 回复：0
CVE-2020-28438

This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：788 | 回复：0
CVE-2020-28441

This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This c ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：712 | 回复：0
CVE-2020-28443

This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：908 | 回复：0
CVE-2020-28445

This affects all versions of package npm-help. The injection point is located in line 13 in index.js file in export.latestVersion() function.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：1366 | 回复：0
CVE-2020-28446

The package ntesseract before 0.2.9 are vulnerable to Command Injection via lib/tesseract.js.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：562 | 回复：0
CVE-2020-28447

This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath)……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：646 | 回复：0
CVE-2020-28455

This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：729 | 回复：0
CVE-2020-28459

This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：602 | 回复：0
CVE-2020-28461

This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：672 | 回复：0
CVE-2020-28462

This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：948 | 回复：0
CVE-2020-28471

This affects the package properties-reader before 2.2.0.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：677 | 回复：0
CVE-2020-7649

This affects the package snyk-broker before 4.73.0. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：642 | 回复：0
CVE-2020-7677

This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sani ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：797 | 回复：0
CVE-2020-7678

This affects all versions of package node-import. The params argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located i ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：603 | 回复：0
CVE-2021-23373

All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：591 | 回复：0
CVE-2021-23397

All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：859 | 回复：0
CVE-2021-23451

The package otp-generator before 3.0.0 are vulnerable to Insecure Randomness due to insecure generation of random one-time passwords, which may allow a brute-force attack.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：632 | 回复：0
CVE-2022-0670

A flaw was found in Openstack manilla owning a Ceph File system share, which enables the owner to read/write any manilla share or entire file system. The vulnerability is due to a bug in the volumes p ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：616 | 回复：0
CVE-2022-1232

Type confusion in V8 in Google Chrome prior to 100.0.4896.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：611 | 回复：0
CVE-2022-1305

Use after free in storage in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：602 | 回复：0
CVE-2022-1306

Inappropriate implementation in compositing in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：633 | 回复：0
CVE-2022-1307

Inappropriate implementation in full screen in Google Chrome on Android prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：612 | 回复：0
CVE-2022-1308

Use after free in BFCache in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：649 | 回复：0
CVE-2022-1309

Insufficient policy enforcement in developer tools in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：759 | 回复：0
CVE-2022-1310

Use after free in regular expressions in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:18 | 阅读：774 | 回复：0
CVE-2022-2193

Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:17 | 阅读：1225 | 回复：0
CVE-2022-35405

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:17 | 阅读：1125 | 回复：0
CVE-2022-27544

BigFix Web Reports authorized users may see SMTP credentials in clear text.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:17 | 阅读：706 | 回复：0
CVE-2022-27545

BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration page.……

作者：菜鸟教程小白 | 时间：2022-7-29 17:17 | 阅读：650 | 回复：0
CVE-2022-27579

A deserialization vulnerability in a .NET framework class used and not properly checked by Flexi Soft Designer in all versions up to and including 1.9.4 SP1 allows an attacker to craft malicious proje ...……

作者：菜鸟教程小白 | 时间：2022-7-29 17:17 | 阅读：802 | 回复：0