| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2022-38368 |
287 |
|
|
2022-08-15 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands. |
|
2 |
CVE-2022-38362 |
|
|
|
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host. |
|
3 |
CVE-2022-38359 |
|
|
CSRF |
2022-08-15 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Cross-site request forgery attacks can be carried out against the Eyes of Network web application, due to an absence of adequate protections. An attacker can, for instance, delete the admin user by directing an authenticated user to the URL https://<target-address>/module/admin_user/index.php?DataTables_Table_0_length=10&user_selected%5B%5D=1&user_mgt_list=delete_user&action=submit by means of a crafted link. |
|
4 |
CVE-2022-38358 |
|
|
XSS |
2022-08-15 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper neutralization of input during web page generation leaves the Eyes of Network web application vulnerable to cross-site scripting attacks at /module/admin_notifiers/rules.php and /module/report_event/indext.php via the parameters rule_notification, rule_name, and rule_name_old, and at /module/admin_user/add_modify_user.php via the parameters user_name and user_email. |
|
5 |
CVE-2022-38357 |
74 |
|
|
2022-08-15 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper neutralization of special elements leaves the Eyes of Network Web application vulnerable to an iFrame injection attack, via the url parameter of /module/module_frame/index.php. |
|
6 |
CVE-2022-38238 |
|
|
Overflow |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::lookChar() at /xpdf/Stream.cc. |
|
7 |
CVE-2022-38237 |
|
|
Overflow |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::readScan() at /xpdf/Stream.cc. |
|
8 |
CVE-2022-38236 |
|
|
Overflow |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a global-buffer overflow via Lexer::getObj(Object*) at /xpdf/Lexer.cc. |
|
9 |
CVE-2022-38235 |
|
|
|
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a segmentation violation via DCTStream::getChar() at /xpdf/Stream.cc. |
|
10 |
CVE-2022-38234 |
|
|
|
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a segmentation violation via Lexer::getObj(Object*) at /xpdf/Lexer.cc. |
|
11 |
CVE-2022-38233 |
|
|
|
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a segmentation violation via DCTStream::readMCURow() at /xpdf/Stream.cc. |
|
12 |
CVE-2022-38231 |
|
|
Overflow |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::getChar() at /xpdf/Stream.cc. |
|
13 |
CVE-2022-38230 |
|
|
|
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a floating point exception (FPE) via DCTStream::decodeImage() at /xpdf/Stream.cc. |
|
14 |
CVE-2022-38229 |
|
|
Overflow |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::readHuffSym(DCTHuffTable*) at /xpdf/Stream.cc. |
|
15 |
CVE-2022-38228 |
|
|
Overflow |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::transformDataUnit at /xpdf/Stream.cc. |
|
16 |
CVE-2022-38227 |
|
|
Overflow |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
XPDF commit ffaf11c was discovered to contain a stack overflow via __asan_memcpy at asan_interceptors_memintrinsics.cpp. |
|
17 |
CVE-2022-38223 |
787 |
|
DoS |
2022-08-15 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is an out-of-bounds write in checkType located in etc.c in w3m 0.5.3. It can be triggered by sending a crafted HTML file to the w3m binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact. |
|
18 |
CVE-2022-38221 |
|
|
Exec Code Overflow |
2022-08-15 |
2022-08-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A buffer overflow in the FTcpListener thread in The Isle Evrima (the dedicated server on Windows and Linux) 0.9.88.07 before 2022-08-12 allows a remote attacker to crash any server with an accessible RCON port, or possibly execute arbitrary code. |
|
19 |
CVE-2022-38216 |
|
|
Overflow |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An integer overflow exists in Mapbox's closed source gl-native library prior to version 10.6.1, which is bundled with multiple Mapbox products including open source libraries. The overflow is caused by large image height and width values when creating a new Image and allows for out of bounds writes, potentially crashing the Mapbox process. |
|
20 |
CVE-2022-38194 |
|
|
|
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file. |
|
21 |
CVE-2022-38193 |
|
|
Exec Code |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution in a victims browser. |
|
22 |
CVE-2022-38192 |
|
|
Exec Code XSS |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. |
|
23 |
CVE-2022-38191 |
74 |
|
|
2022-08-15 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application. |
|
24 |
CVE-2022-38190 |
79 |
|
Exec Code XSS |
2022-08-15 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS configurable apps may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser |
|
25 |
CVE-2022-38189 |
|
|
Exec Code XSS |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. |
|
26 |
CVE-2022-38188 |
79 |
|
Exec Code XSS |
2022-08-15 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. |
|
27 |
CVE-2022-38187 |
|
|
|
2022-08-15 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Prior to version 10.9.0, the sharing/rest/content/features/analyze endpoint is always accessible to anonymous users, which could allow an unauthenticated attacker to induce Esri Portal for ArcGIS to read arbitrary URLs. |
|
28 |
CVE-2022-38186 |
79 |
|
Exec Code XSS |
2022-08-15 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. |
|
29 |
CVE-2022-38184 |
|
|
|
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs. |
|
30 |
CVE-2022-38183 |
732 |
|
|
2022-08-12 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles. |
|
31 |
CVE-2022-38180 |
287 |
|
|
2022-08-12 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In JetBrains Ktor before 2.1.0 the wrong authentication provider could be selected in some cases |
|
32 |
CVE-2022-38179 |
697 |
|
|
2022-08-12 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
JetBrains Ktor before 2.1.0 was vulnerable to the Reflect File Download attack |
|
33 |
CVE-2022-38161 |
|
|
|
2022-08-11 |
2022-08-11 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Gumstix Overo SBC on the VSKS board through 2022-08-09, as used on the Orlan-10 and other platforms, allows unrestricted remapping of the NOR flash memory containing the bitstream for the FPGA. |
|
34 |
CVE-2022-38155 |
770 |
|
|
2022-08-11 |
2022-08-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
TEE_Malloc in Samsung mTower through 0.3.0 allows a trusted application to achieve Excessive Memory Allocation via a large len value, as demonstrated by a Numaker-PFM-M2351 TEE kernel crash. |
|
35 |
CVE-2022-38150 |
|
|
|
2022-08-11 |
2022-08-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1. |
|
36 |
CVE-2022-38133 |
532 |
|
|
2022-08-10 |
2022-08-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some cases |
|
37 |
CVE-2022-38130 |
89 |
|
Sql |
2022-08-10 |
2022-08-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file (i.e., \\<attacker-host>\sms\<attacker-db.zip>), effectively controlling the content of the database to be restored. |
|
38 |
CVE-2022-38129 |
22 |
|
Dir. Trav. |
2022-08-10 |
2022-08-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A path traversal vulnerability exists in the com.keysight.tentacle.licensing.LicenseManager.addLicenseFile() method in the Keysight Sensor Management Server (SMS). This allows an unauthenticated remote attacker to upload arbitrary files to the SMS host. |
|
39 |
CVE-2022-37781 |
|
|
Overflow |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
fdkaac v1.0.3 was discovered to contain a heap buffer overflow via __interceptor_memcpy.part.46 at /sanitizer_common/sanitizer_common_interceptors.inc. |
|
40 |
CVE-2022-37452 |
787 |
|
Overflow |
2022-08-07 |
2022-08-11 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set. |
|
41 |
CVE-2022-37451 |
763 |
|
|
2022-08-06 |
2022-08-11 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc. |
|
42 |
CVE-2022-37450 |
|
|
|
2022-08-05 |
2022-08-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022. |
|
43 |
CVE-2022-37439 |
|
|
|
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts to restart the application would result in a crash and would require manually removing the malformed file. |
|
44 |
CVE-2022-37438 |
|
|
+Info |
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web. |
|
45 |
CVE-2022-37437 |
|
|
|
2022-08-16 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
When using Ingest Actions to configure a destination that resides on Amazon Simple Storage Service (S3) in Splunk Web, TLS certificate validation is not correctly performed and tested for the destination. The vulnerability only affects connections between Splunk Enterprise and an Ingest Actions Destination through Splunk Web and only applies to environments that have configured TLS certificate validation. It does not apply to Destinations configured directly in the outputs.conf configuration file. The vulnerability affects Splunk Enterprise version 9.0.0 and does not affect versions below 9.0.0, including the 8.1.x and 8.2.x versions. |
|
46 |
CVE-2022-37434 |
787 |
|
Overflow |
2022-08-05 |
2022-08-11 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). |
|
47 |
CVE-2022-37431 |
79 |
|
XSS |
2022-08-05 |
2022-08-08 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
** DISPUTED ** A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor disputes this because the current product behavior, in effect, has XSS_PROTECTION_ENABLED=true in all configurations. |
|
48 |
CVE-2022-37423 |
22 |
|
Dir. Trav. |
2022-08-12 |
2022-08-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Neo4j APOC (Awesome Procedures on Cypher) before 4.3.0.7 and 4.x before 4.4.0.8 allows Directory Traversal to sibling directories via apoc.log.stream. |
|
49 |
CVE-2022-37416 |
|
|
|
2022-08-05 |
2022-08-11 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Ittiam libmpeg2 before 2022-07-27 uses memcpy with overlapping memory blocks in impeg2_mc_fullx_fully_8x8. |
|
50 |
CVE-2022-37415 |
770 |
|
Overflow |
2022-08-05 |
2022-08-11 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Uniwill SparkIO.sys driver 1.0 is vulnerable to a stack-based buffer overflow via IOCTL 0x40002008. |
