Skip to main content
CVE-2022-29081 CRITICAL POC THREAT Act Now

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Path Traversal Manageengine Access Manager Plus Manageengine Pam360 Manageengine Password Manager Pro
NVD
CVSS 3.1
9.8
EPSS
83.3%
CVE-2021-41945 CRITICAL POC PATCH Act Now

Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure HTTPX
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
2.2%
CVE-2022-28114 CRITICAL POC Act Now

DSCMS v3.0 was discovered to contain an arbitrary file deletion vulnerability via /controller/Adv.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Dscms
NVD
CVSS 3.1
9.1
EPSS
1.0%
CVE-2022-28101 CRITICAL POC Act Now

Turtlapp Turtle Note v0.7.2.6 does not filter the <meta> tag during markdown parsing, allowing attackers to execute HTML injection. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Turtl
NVD GitHub
CVSS 3.1
9.0
EPSS
1.0%
CVE-2022-1509 HIGH POC PATCH This Week

Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Command Injection Control Panel
NVD GitHub
CVSS 3.1
8.8
EPSS
4.5%
CVE-2022-28060 HIGH POC This Week

SQL Injection vulnerability in Victor CMS v1.0, via the user_name parameter to /includes/login.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Victor Cms
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2022-1511 MEDIUM POC PATCH This Month

Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2022-28477 MEDIUM POC This Month

WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wbce Cms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-28454 MEDIUM POC This Month

Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Limbas
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2022-24449 CRITICAL Act Now

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Solar Appscreener
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-29556 CRITICAL Act Now

The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Microsoft Mender
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-29411 CRITICAL Act Now

SQL Injection (SQLi) vulnerability in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allows attackers to execute SQLi attack via (&id). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi WordPress Hermit
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-28719 CRITICAL Act Now

Missing authentication for critical function in AssetView prior to Ver.13.2.0 allows a remote unauthenticated attacker with some knowledge on the system configuration to upload a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE Assetview
NVD
CVSS 3.1
9.8
EPSS
4.3%
CVE-2022-28102 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Generator v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected at /edit-db.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Php Mysql Admin Panel Generator
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-1514 MEDIUM POC PATCH This Month

Stored XSS via upload plugin functionality in zip format in GitHub repository neorazorx/facturascripts prior to 2022.06. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Facturascripts
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2022-24898 MEDIUM POC PATCH This Month

org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Commons
NVD GitHub
CVSS 3.1
4.9
EPSS
1.4%
CVE-2022-28117 MEDIUM POC THREAT This Month

A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Navigate Cms
NVD Exploit-DB
CVSS 3.1
4.9
EPSS
21.9%
CVE-2022-29555 HIGH This Week

The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mender
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2022-29410 HIGH This Week

Authenticated SQL Injection (SQLi) vulnerability in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allows attackers with Subscriber or higher user roles to execute SQLi attack via (&ids). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi WordPress Hermit
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-28892 HIGH PATCH This Week

Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Mahara
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2022-29821 HIGH This Week

In JetBrains Rider before 2022.1 local code execution via links in ReSharper Quick Documentation was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Pycharm
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2022-29819 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2022-29814 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2022-29585 HIGH This Week

In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Mahara
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-24892 HIGH PATCH This Week

Shopware is an open source e-commerce software platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

Information Disclosure Shopware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-24879 HIGH PATCH This Week

Shopware is an open source e-commerce software platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Shopware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-22783 HIGH This Week

A vulnerability in Zoom On-Premise Meeting Connector Controller version 4.8.102.20220310 and On-Premise Meeting Connector MMR version 4.8.102.20220310 exposes process memory fragments to connected. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zoom On Premise Meeting Connector Controller Zoom On Premise Meeting Connector Mmr
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-22781 HIGH This Week

The Zoom Client for Meetings for MacOS (Standard and for IT Admin) prior to version 5.9.6 failed to properly check the package version during the update process. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Meetings
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2022-24935 HIGH This Week

Lexmark products through 2022-02-10 have Incorrect Access Control. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Lexmark Firmware
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-22782 HIGH This Week

The Zoom Client for Meetings for Windows prior to version 5.9.7, Zoom Rooms for Conference Room for Windows prior to version 5.10.0, Zoom Plugins for Microsoft Outlook for Windows prior to version. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Microsoft Meetings Rooms For Conference Rooms Vdi Windows Meeting Clients +1
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2022-29818 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2022-29815 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2022-29813 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2022-22441 MEDIUM This Month

IBM InfoSphere Information Server 11.7 could allow an authenticated user to view information of higher privileged users and groups due to a privilege escalation vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation IBM Infosphere Information Server
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-29413 MEDIUM This Month

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress via &title parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS CSRF WordPress Hermit
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-29415 MEDIUM This Month

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Mati Skiba @ Rav Messer's Ravpage plugin <= 2.16 at WordPress. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Ravpage
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2022-27860 MEDIUM This Month

Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) in Shea Bunge's Footer Text plugin <= 2.0.3 on WordPress. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS CSRF WordPress Footer Text
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-22427 MEDIUM This Month

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XSS Infosphere Information Server
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-24873 MEDIUM PATCH This Month

Shopware is an open source e-commerce software platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Shopware
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2022-29152 MEDIUM This Month

The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an XSS payload from the AppPortal cookie into the page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Powerterm Webconnect
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-29817 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Intellij Idea
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-29412 MEDIUM This Month

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allow attackers to delete cache, delete a source, create source. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress Hermit
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-29584 MEDIUM This Month

Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Mahara
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-22443 MEDIUM This Month

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XSS Infosphere Information Server
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-22322 MEDIUM This Month

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XSS Infosphere Information Server
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-29869 MEDIUM PATCH This Month

cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cifs Utils Fedora Debian Linux
NVD GitHub
CVSS 3.1
5.3
EPSS
1.8%
CVE-2022-29811 MEDIUM This Month

In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Hub
NVD
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-29820 LOW Monitor

In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Pycharm
NVD
CVSS 3.1
3.5
EPSS
0.4%
CVE-2022-29816 LOW Monitor

In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible. Rated low severity (CVSS 3.2), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Intellij Idea
NVD
CVSS 3.1
3.2
EPSS
0.3%
CVE-2022-29812 LOW Monitor

In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
2.3
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy