Total
188 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-34316 | 1 Ibm | 1 Cics Tx | 2023-12-10 | N/A | 5.3 MEDIUM |
IBM CICS TX 11.1 does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers. IBM X-Force ID: 229452. | |||||
CVE-2022-22151 | 1 Yokogawa | 9 Centum Cs 3000, Centum Cs 3000 Entry, Centum Cs 3000 Entry Firmware and 6 more | 2023-12-10 | 4.9 MEDIUM | 8.1 HIGH |
CAMS for HIS Log Server contained in the following Yokogawa Electric products fails to properly neutralize log outputs: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00. | |||||
CVE-2021-43106 | 1 Compassplus | 2 Tranzware Online, Tranzware Online Financial Institution Maintenance Interface | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25.The HTTP host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would just cause the request to be sent to a completely different Domain/IP address. This is due to that the server implicitly trusts the Host header, and fails to validate or escape it properly. An attacker can use this input to redirect target users to a malicious domain/web page. This would result in expanding the potential to further attacks and malicious actions. | |||||
CVE-2022-32549 | 1 Apache | 2 Sling Api, Sling Commons Log | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files. | |||||
CVE-2022-30781 | 1 Gitea | 1 Gitea | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Gitea before 1.16.7 does not escape git fetch remote. | |||||
CVE-2021-39027 | 1 Ibm | 1 Guardium Data Encryption | 2023-12-10 | 4.0 MEDIUM | 5.0 MEDIUM |
IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. IBM X-Force ID: 213865. | |||||
CVE-2021-29854 | 1 Ibm | 2 Maximo Application Suite, Maximo Asset Management | 2023-12-10 | 4.3 MEDIUM | 7.2 HIGH |
IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 205680. | |||||
CVE-2022-23079 | 1 Getmotoradmin | 1 Motor Admin | 2023-12-10 | 6.8 MEDIUM | N/A |
In motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim. | |||||
CVE-2022-25235 | 5 Debian, Fedoraproject, Libexpat Project and 2 more | 6 Debian Linux, Fedora, Libexpat and 3 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. | |||||
CVE-2022-28960 | 1 Spip | 1 Spip | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire. | |||||
CVE-2022-29599 | 2 Apache, Debian | 2 Maven Shared Utils, Debian Linux | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. | |||||
CVE-2021-23266 | 1 Craftercms | 1 Crafter Cms | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator. | |||||
CVE-2022-0741 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 4.3 MEDIUM | 7.5 HIGH |
Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an attacker to steal environment variables via specially crafted email addresses. | |||||
CVE-2020-27958 | 1 Osu | 1 Ohio Supercomputer Center Open Ondemand | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
The Job Composer app in Ohio Supercomputer Center Open OnDemand before 1.7.19 and 1.8.x before 1.8.18 allows remote authenticated users to provide crafted input in a job template. | |||||
CVE-2022-0935 | 1 Livehelperchat | 1 Live Helper Chat | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Host Header injection in password Reset in GitHub repository livehelperchat/livehelperchat prior to 3.97. | |||||
CVE-2022-23620 | 1 Xwiki | 1 Xwiki | 2023-12-10 | 5.8 MEDIUM | 5.4 MEDIUM |
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document references when serializing it on filesystem, it is possible to for the HTML export process to contain reference elements containing filesystem syntax like "../", "./". or "/" in general. The referenced elements are not properly escaped. This issue has been resolved in version 13.6-rc-1. This issue can be worked around by limiting or disabling document export. | |||||
CVE-2022-26174 | 1 Beekeeperstudio | 1 Beekeeper-studio | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
A remote code execution (RCE) vulnerability in Beekeeper Studio v3.2.0 allows attackers to execute arbitrary code via a crafted payload injected into the display fields. | |||||
CVE-2022-30966 | 1 Jenkins | 1 Random String Parameter | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
CVE-2021-45848 | 2 Fedoraproject, Nicotine-plus | 2 Fedora, Nicotine\+ | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Denial of service (DoS) vulnerability in Nicotine+ 3.0.3 and later allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character. | |||||
CVE-2021-21684 | 1 Jenkins | 1 Git | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability. |