Total: 150 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-33188 | 1 Omninotes | 1 Omni Notes | 2023-12-10 | N/A | 5.5 MEDIUM | Omni-notes is an open source note-taking application for Android. The Omni-notes Android app had an insufficient path validation vulnerability when displaying the details of a note received through an externally provided intent. The paths of the note's attachments were not properly validated, allowing malicious or compromised applications on the same device to force Omni-notes to copy files from its internal storage to its external storage directory, where they would become accessible to any component with permission to read external storage. Updating to the newest version (6.2.7) of Omni-notes Android fixes this vulnerability.
CVE-2023-3256 | 1 Advantech | 1 R-seenet | 2023-12-10 | N/A | 8.1 HIGH | Advantech R-SeeNet version 2.4.22 allows low-level users to access and load the content of local files.
CVE-2023-21097 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH | In toUriInner of Intent.java, there is a possible way to launch an arbitrary activity due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-261858325.
CVE-2022-34669 | 2 Microsoft, Nvidia | 3 Windows, Cloud Gaming, Virtual Gpu | 2023-12-10 | N/A | 7.8 HIGH | NVIDIA GPU Display Driver for Windows contains a vulnerability in the user mode layer, where an unprivileged regular user can access or modify system files or other files that are critical to the application, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.
CVE-2022-42893 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2023-12-10 | N/A | 7.5 HIGH | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). The syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow writing data to any folder accessible to the account assigned to the website's application pool.
CVE-2022-42733 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2023-12-10 | N/A | 7.5 HIGH | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). The syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be retrieved from any folder accessible to the account assigned to the website's application pool.
CVE-2022-42891 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2023-12-10 | N/A | 7.5 HIGH | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). The syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow writing data to any folder accessible to the account assigned to the website's application pool.
CVE-2022-42732 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2023-12-10 | N/A | 7.5 HIGH | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). The syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be retrieved from any folder accessible to the account assigned to the website's application pool.
CVE-2022-42734 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2023-12-10 | N/A | 7.5 HIGH | A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). The syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow writing data to any folder accessible to the account assigned to the website's application pool.
CVE-2022-20199 | 1 Google | 1 Android | 2023-12-10 | N/A | 5.5 MEDIUM | In multiple locations of NfcService.java, there is a possible disclosure of NFC tags due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-199291025.
CVE-2022-20239 | 1 Google | 1 Android | 2023-12-10 | N/A | 9.8 CRITICAL | 'remap_pfn_range' here may map kernel memory beyond the intended size (for example, it may map the kernel area), and because 'vma->vm_page_prot' can also be controlled by userspace, userspace may map the kernel area as writable, which is easy to exploit. Product: Android. Versions: Android SoC. Android ID: A-233972091.
CVE-2016-0796 | 1 Mb.miniaudioplayer Project | 1 Mb.miniaudioplayer | 2023-12-10 | N/A | 7.5 HIGH | The WordPress plugin mb.miniAudioPlayer (an HTML5 audio player for your mp3 files) is prone to multiple vulnerabilities, including open proxy and security bypass vulnerabilities, because it fails to properly verify user-supplied input. An attacker may leverage these issues to hide attacks directed at a target site from behind the vulnerable website, or to perform otherwise restricted actions and subsequently download files with the extensions mp3, mp4a, wav and ogg from anywhere on the system the web server application has read access to. mb.miniAudioPlayer version 1.7.6 is vulnerable; prior versions may also be affected.
CVE-2015-10003 | 1 Filezilla-project | 1 Filezilla Server | 2023-12-10 | N/A | 4.3 MEDIUM | A vulnerability, which was classified as problematic, was found in FileZilla Server up to 0.9.50. This affects an unknown part of the component PORT Handler. The manipulation leads to an unintended intermediary. It is possible to initiate the attack remotely. Upgrading to version 0.9.51 addresses this issue. It is recommended to upgrade the affected component.
CVE-2022-30245 | 1 Honeywell | 1 Alerton Compass | 2023-12-10 | N/A | 6.5 MEDIUM | Honeywell Alerton Compass Software 1.6.5 allows unauthenticated configuration changes from remote users. This enables configuration data to be stored on the controller and then implemented. A user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of other users, altering the controller's function capabilities. The changed configuration is not updated in the User Interface, which creates an inconsistency between the configuration display and the actual configuration on the controller. After the configuration change, remediation requires reverting to the correct configuration, requiring either physical or remote access depending on the configuration that was altered.
CVE-2022-28710 | 1 Wwbn | 1 Avideo | 2023-12-10 | N/A | 6.5 MEDIUM | An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-2431 | 1 Wpdownloadmanager | 1 Wordpress Download Manager | 2023-12-10 | N/A | 8.8 HIGH | The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including, 3.2.50. This is due to insufficient file type and path validation in the deleteFiles() function found in the ~/Admin/Menu/Packages.php file, which triggers upon download post deletion. This makes it possible for contributor-level users and above to supply an arbitrary file path via the 'file[files]' parameter when creating a download post; once the user deletes the post, the supplied file is deleted. This can be used by attackers to delete the /wp-config.php file, which resets the installation and makes it possible for an attacker to achieve remote code execution on the server.
CVE-2022-20319 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH | In DreamServices, there is a possible way to launch arbitrary protected activities due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-189574230.
CVE-2022-32761 | 1 Wwbn | 1 Avideo | 2023-12-10 | N/A | 6.5 MEDIUM | An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-20223 | 1 Google | 1 Android | 2023-12-10 | 7.2 HIGH | 7.8 HIGH | In assertSafeToStartCustomActivity of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-223578534.
CVE-2022-2638 | 1 Atlasgondal | 1 Export All Urls | 2023-12-10 | N/A | 6.5 MEDIUM | The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed on the system, which is supposed to be the CSV file. This could allow high-privilege users to delete arbitrary files from the server.