• Skip to primary navigation
  • Skip to main content
CVE Vulnerability

CVE Vulnerability

  • CVE’s
  • Products
  • Vendors
Home » CVE’s

CVE’s


CVE
Vendors
Products
Updated
CVSS v2
CVSS v3
CVE-2022-0873
2022-05-26
N/A
4.8 MEDIUM
The Gmedia Photo Gallery WordPress plugin before 1.20.0 does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed
CVE-2022-0871
2022-03-22
N/A
9.1 CRITICAL
Improper Authorization in GitHub repository gogs/gogs prior to 0.12.5.
CVE-2022-0870
2022-03-22
N/A
5.3 MEDIUM
Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5.
CVE-2022-0869
2022-03-11
N/A
6.1 MEDIUM
Multiple Open Redirect in GitHub repository nitely/spirit prior to 0.12.3.
CVE-2022-0868
2022-03-11
N/A
6.1 MEDIUM
Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10.
CVE-2022-0867
2022-05-24
N/A
9.8 CRITICAL
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users
CVE-2022-0866
2022-05-18
N/A
5.3 MEDIUM
This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.
CVE-2022-0865
2023-02-22
N/A
6.5 MEDIUM
Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.
CVE-2022-0864
2022-04-11
N/A
6.1 MEDIUM
The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.22.9 does not sanitise and escape the updraft_interval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
CVE-2022-0863
2023-01-19
N/A
7.2 HIGH
The WP SVG Icons WordPress plugin through 3.2.3 does not properly validate uploaded custom icon packs, allowing an high privileged user like an admin to upload a zip file containing malicious php code, leading to remote code execution.
« Previous 1 … 11,011 11,012 11,013 11,014 11,015 … 11,258 Next »

Copyright CVE Vulnerabilities 2023
Data Sources:

  • NIST
  • MITRE
  • CVE Search
  • Open CVE