Skip to main content
CVE-2022-29081 CRITICAL POC THREAT Act Now

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Path Traversal Manageengine Access Manager Plus Manageengine Pam360 Manageengine Password Manager Pro
NVD
CVSS 3.1
9.8
EPSS
83.3%
CVE-2021-41945 CRITICAL POC PATCH Act Now

Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure HTTPX
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
2.2%
CVE-2022-28114 CRITICAL POC Act Now

DSCMS v3.0 was discovered to contain an arbitrary file deletion vulnerability via /controller/Adv.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Dscms
NVD
CVSS 3.1
9.1
EPSS
1.0%
CVE-2022-28101 CRITICAL POC Act Now

Turtlapp Turtle Note v0.7.2.6 does not filter the <meta> tag during markdown parsing, allowing attackers to execute HTML injection. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Turtl
NVD GitHub
CVSS 3.1
9.0
EPSS
1.0%
CVE-2022-24449 CRITICAL Act Now

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Solar Appscreener
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-29556 CRITICAL Act Now

The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Microsoft Mender
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-29411 CRITICAL Act Now

SQL Injection (SQLi) vulnerability in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allows attackers to execute SQLi attack via (&id). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi WordPress Hermit
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-28719 CRITICAL Act Now

Missing authentication for critical function in AssetView prior to Ver.13.2.0 allows a remote unauthenticated attacker with some knowledge on the system configuration to upload a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE Assetview
NVD
CVSS 3.1
9.8
EPSS
4.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy