Skip to main content
CVE-2022-25301 CRITICAL POC Act Now

All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as proto, constructor. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Information Disclosure Jsgui Lang Essentials
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2022-25842 CRITICAL POC PATCH Act Now

All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal One Java Agent
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
CVE-2022-25767 CRITICAL POC Act Now

All versions of package com.bstek.ureport:ureport2-console are vulnerable to Remote Code Execution by connecting to a malicious database server, causing arbitrary file read and deserialization of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Ureport2
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2022-24437 CRITICAL POC PATCH Act Now

The package git-pull-or-clone before 2.0.2 are vulnerable to Command Injection due to the use of the --upload-pack feature of git which is also supported for git clone. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Git Pull Or Clone
NVD GitHub
CVSS 3.1
9.8
EPSS
3.9%
CVE-2022-23923 CRITICAL POC Act Now

All versions of package jailed are vulnerable to Sandbox Bypass via an exported alert() method which can access the main application. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Jailed
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-22143 CRITICAL POC PATCH Act Now

The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Convict
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2022-21189 CRITICAL POC PATCH Act Now

The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Dexie
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-28481 CRITICAL POC PATCH Act Now

CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Csv Safe
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-25645 HIGH POC PATCH This Week

All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Prototype Pollution Dset
NVD GitHub
CVSS 3.1
8.1
EPSS
1.8%
CVE-2022-1544 HIGH POC PATCH This Week

Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Command Injection Yii Helpers
NVD GitHub
CVSS 3.1
7.8
EPSS
2.3%
CVE-2022-26068 HIGH POC This Week

This affects the package pistacheio/pistache before 0.0.3.20220425. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Pistache
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2022-25850 HIGH POC PATCH This Week

The package github.com/hoppscotch/proxyscotch before 1.0.0 are vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Proxyscotch
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-25844 HIGH POC This Week

The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat(). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Angularjs Fedora Ontap Select Deploy Administration Utility
NVD
CVSS 3.1
7.5
EPSS
4.7%
CVE-2022-21144 HIGH POC PATCH This Week

This affects all versions of package libxmljs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Libxmljs
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2022-23061 MEDIUM POC PATCH This Month

In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Shopizer
NVD GitHub
CVSS 3.1
6.5
EPSS
1.1%
CVE-2022-21167 CRITICAL Act Now

All versions of package masuit.tools.core are vulnerable to Arbitrary Code Execution via the ReceiveVarData<T> function in the SocketClient.cs component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Masuit Tools
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-25349 MEDIUM POC This Month

All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as &lt;not-a-tag /&gt;) that is being parsed as HTML/JavaScript, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Materialize CSS
NVD GitHub
CVSS 3.1
5.4
EPSS
1.0%
CVE-2022-23060 MEDIUM POC PATCH This Month

A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Shopizer
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-25647 HIGH PATCH This Week

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Deserialization Google Gson Debian Linux Active Iq Unified Manager +3
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
2.8%
CVE-2022-21227 HIGH PATCH This Week

The package sqlite3 before 5.0.3 are vulnerable to Denial of Service (DoS) which will invoke the toString function of the passed parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Sqlite3
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2022-21230 MEDIUM This Month

This affects all versions of package org.nanohttpd:nanohttpd. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Java Information Disclosure Nanohttpd
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-21149 LOW PATCH Monitor

The package s-cart/s-cart before 6.9; the package s-cart/core before 6.9 are vulnerable to Cross-site Scripting (XSS) which can lead to cookie stealing of any victim that visits the affected URL so. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass XSS S Cart
NVD
CVSS 3.1
3.5
EPSS
0.6%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy