CVEs from 2022
Total
5,314
critical
critical 94
high
high 1,236
medium
medium 950
low
low 24
% Critical
1.8%
% with KEV
2.5%
% with exploit
3.3%
Top vendors
- oracle 616
- netapp 438
- microsoft 165
- omron 109
- azul 82
- schneider-electric 33
- mitsubishielectric 32
- siemens 10
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-2586 | medium | — | 7.0 | 4y ago | Linux Kernel contains a use-after-free vulnerability in the nft_object, allowing local attackers to escalate privileges. | |||
| CVE-2022-32893 | medium | — | 7.0 | 4y ago | Apple iOS and macOS contain an out-of-bounds write vulnerability that could allow for remote code execution when processing malicious crafted web content. | |||
| CVE-2022-22620 | medium | — | 7.0 | 4y ago | Apple iOS, iPadOS, and macOS WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers t… | |||
| CVE-2022-28247 | medium | 6.7 | 6.7 | 4y ago | Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and earlier) are affected by an uncontrolled search path vulnerability that could lead to local priv… | |||
| CVE-2022-45899 | medium | 6.5 | 6.5 | 27d ago | Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field. | |||
| CVE-2022-41650 | medium | 6.5 | 6.5 | 4mo ago | Missing Authorization vulnerability in Paul Custom Content by Country (by Shield Security) custom-content-by-country.This issue affects Custom Content by Country (by Shield Security): from n/a throug… | |||
| CVE-2022-47594 | medium | 6.5 | 6.5 | 2y ago | Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Guten… | |||
| CVE-2022-46796 | medium | 6.5 | 6.5 | 2y ago | Missing Authorization vulnerability in VillaTheme CURCY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CURCY: from n/a through 2.1.25. | |||
| CVE-2022-46795 | medium | 6.5 | 6.5 | 2y ago | Missing Authorization vulnerability in Tyche Softwares Print Invoice & Delivery Notes for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print … | |||
| CVE-2022-45840 | medium | 6.5 | 6.5 | 2y ago | Missing Authorization vulnerability in Lucian Apostol Auto Affiliate Links allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Auto Affiliate Links: from n/a th… | |||
| CVE-2022-45852 | medium | 6.5 | 6.5 | 2y ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in FormAssembly / Drew Buschhorn WP-FormAssembly allows Path Traversal.This issue affects WP-FormAssembly:… | |||
| CVE-2022-41698 | medium | 6.5 | 6.5 | 2y ago | Missing Authorization vulnerability in Layered If Menu.This issue affects If Menu: from n/a through 0.16.3. | |||
| CVE-2022-44633 | medium | 6.5 | 6.5 | 2y ago | Missing Authorization vulnerability in YITH YITH WooCommerce Gift Cards Premium.This issue affects YITH WooCommerce Gift Cards Premium: from n/a through 3.23.1. | |||
| CVE-2022-47160 | medium | 6.5 | 6.5 | 2y ago | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wpmet Wp Social Login and Register Social Counter.This issue affects Wp Social Login and Register Social Counter: from n/a … | |||
| CVE-2022-41695 | medium | 6.5 | 6.5 | 2y ago | Missing Authorization vulnerability in SedLex Traffic Manager.This issue affects Traffic Manager: from n/a through 1.4.5. | |||
| CVE-2022-41619 | medium | 6.5 | 6.5 | 2y ago | Missing Authorization vulnerability in SedLex Image Zoom.This issue affects Image Zoom: from n/a through 1.8.8. | |||
| CVE-2022-38141 | medium | 6.5 | 6.5 | 2y ago | Missing Authorization vulnerability in Zorem Sales Report Email for WooCommerce.This issue affects Sales Report Email for WooCommerce: from n/a through 2.8. | |||
| CVE-2022-43450 | medium | 6.5 | 6.5 | 3y ago | Authorization Bypass Through User-Controlled Key vulnerability in XWP Stream.This issue affects Stream: from n/a through 3.9.2. | |||
| CVE-2022-40312 | medium | 6.5 | 6.5 | 3y ago | Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.2… | |||
| CVE-2022-45362 | medium | 6.5 | 6.5 | 3y ago | Server-Side Request Forgery (SSRF) vulnerability in Paytm Paytm Payment Gateway.This issue affects Paytm Payment Gateway: from n/a through 2.7.0. | |||
| CVE-2022-47593 | medium | 6.5 | 6.5 | 3y ago | Auth. (subscriber+) SQL Injection (SQLi) vulnerability in RapidLoad RapidLoad Power-Up for Autoptimize plugin <= 1.6.35 versions. | |||
| CVE-2022-45085 | medium | 6.5 | 6.5 | 3y ago | Server-Side Request Forgery (SSRF) vulnerability in Group Arge Energy and Control Systems Smartpower Web allows : Server Side Request Forgery. This issue affects Smartpower Web: before 23.01.01. | |||
| CVE-2022-45824 | medium | 6.5 | 6.5 | 4y ago | Cross-Site Request Forgery (CSRF) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress. | |||
| CVE-2022-40216 | medium | 6.5 | 6.5 | 4y ago | Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress. | |||
| CVE-2022-24038 | medium | 6.5 | 6.5 | 4y ago | Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to damage the page where the agents are listed. | |||
| CVE-2022-34768 | medium | 6.5 | 6.5 | 4y ago | insert HTML / js code inside input how to get to the vulnerable input : Workers > worker nickname > inject in this input the code. | |||
| CVE-2022-2160 | medium | 6.5 | 6.5 | 4y ago | Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 103.0.5060.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitiv… | |||
| CVE-2022-26934 | medium | 6.5 | 6.5 | 4y ago | Windows Graphics Component Information Disclosure Vulnerability | |||
| CVE-2022-50961 | medium | 6.4 | 6.4 | 25d ago | WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Setti… | |||
| CVE-2022-50949 | medium | 6.4 | 6.4 | 25d ago | WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized mov, pdf, mp4, we… | |||
| CVE-2022-50948 | medium | 6.4 | 6.4 | 25d ago | Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fi… | |||
| CVE-2022-50947 | medium | 6.4 | 6.4 | 25d ago | WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the po… | |||
| CVE-2022-50946 | medium | 6.4 | 6.4 | 25d ago | WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title … | |||
| CVE-2022-50945 | medium | 6.4 | 6.4 | 25d ago | WordPress 3dady Real-Time Web Stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input … | |||
| CVE-2022-44626 | medium | 6.3 | 6.3 | 2y ago | Missing Authorization vulnerability in Squirrly SEO Plugin by Squirrly SEO.This issue affects SEO Plugin by Squirrly SEO: from n/a through 12.1.20. | |||
| CVE-2022-28244 | medium | 6.3 | 6.3 | 4y ago | Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) is affected by a violation of secure design principles through bypassing the content s… | |||
| CVE-2022-24512 | medium | 6.3 | 6.3 | 4y ago | RHSA-2022:0830: .NET 5.0 security and bugfix update (Important) | |||
| CVE-2022-50956 | medium | 6.2 | 6.2 | 25d ago | WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the… | |||
| CVE-2022-50954 | medium | 6.2 | 6.2 | 25d ago | WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tbli… | |||
| CVE-2022-50969 | medium | 6.1 | 6.1 | 25d ago | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functi… | |||
| CVE-2022-50968 | medium | 6.1 | 6.1 | 25d ago | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality ar… | |||
| CVE-2022-50967 | medium | 6.1 | 6.1 | 25d ago | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are… | |||
| CVE-2022-50966 | medium | 6.1 | 6.1 | 25d ago | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are no… | |||
| CVE-2022-50965 | medium | 6.1 | 6.1 | 25d ago | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are n… | |||
| CVE-2022-50964 | medium | 6.1 | 6.1 | 25d ago | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter… | |||
| CVE-2022-50963 | medium | 6.1 | 6.1 | 25d ago | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filte… | |||
| CVE-2022-50962 | medium | 6.1 | 6.1 | 25d ago | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the orders/myOrders module. The date_created, date_from, date_to, and created_at parameters in the filter functionality ar… | |||
| CVE-2022-50960 | medium | 6.1 | 6.1 | 25d ago | WordPress International SMS for Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inj… | |||
| CVE-2022-50959 | medium | 6.1 | 6.1 | 25d ago | WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Att… | |||
| CVE-2022-50958 | medium | 6.1 | 6.1 | 25d ago | WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers… | |||
| CVE-2022-50957 | medium | 6.1 | 6.1 | 25d ago | Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Atta… | |||
| CVE-2022-50943 | medium | 6.1 | 6.1 | 25d ago | Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can injec… | |||
| CVE-2022-23961 | medium | 6.1 | 6.1 | 27d ago | In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the mo… | |||
| CVE-2022-47153 | medium | 6.1 | 6.1 | 2y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPJobBoard Jobeleon Theme allows Reflected XSS.This issue affects Jobeleon Theme: from n/a throug… | |||
| CVE-2022-45850 | medium | 6.1 | 6.1 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in Nickys Image Map Pro allows Stored XSS.This issue affects Image Map Pro: from n/a before 5.6.9. | |||
| CVE-2022-45847 | medium | 6.1 | 6.1 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in WPAssist.Me WordPress Countdown Widget allows Cross-Site Scripting (XSS).This issue affects WordPress Countdown Widget: from n/a through 3.1.9.1. | |||
| CVE-2022-45365 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Urošević Stock Ticker allows Reflected XSS.This issue affects Stock Ticker: from n/a t… | |||
| CVE-2022-45084 | medium | 6.1 | 6.1 | 3y ago | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Softaculous Loginizer plugin <= 1.7.5 versions. | |||
| CVE-2022-45836 | medium | 6.1 | 6.1 | 3y ago | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in W3 Eden, Inc. Download Manager plugin <= 3.2.59 versions. | |||
| CVE-2022-23791 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Firmanet Software and Technology Customer Relation Manager allows Cross-Site Scripting (XSS). Th… | |||
| CVE-2022-23790 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Firmanet Software and Technology Customer Relation Manager allows Cross-Site Scripting (XSS). Th… | |||
| CVE-2022-2178 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saysis Computer Starcities allows Cross-Site Scripting (XSS). This issue affects Starcities: bef… | |||
| CVE-2022-45087 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows Cross-Site Scripting (XSS). This issu… | |||
| CVE-2022-2266 | medium | 6.1 | 6.1 | 4y ago | University Library Automation System developed by Yordam Bilgi Teknolojileri before version 19.2 has an unauthenticated Reflected XSS vulnerability. This has been fixed in the version 19.2 | |||
| CVE-2022-26859 | medium | 6.1 | 6.1 | 4y ago | Dell BIOS contains a race condition vulnerability. A local attacker could exploit this vulnerability by sending malicious input via SMI in order to bypass security checks during SMM. | |||
| CVE-2022-26858 | medium | 6.1 | 6.1 | 4y ago | Dell BIOS versions contain an Improper Authentication vulnerability. A locally authenticated malicious user could potentially exploit this vulnerability by sending malicious input to an SMI in order … | |||
| CVE-2022-27774 | medium | 5.7 | 5.7 | 4y ago | An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is … | |||
| CVE-2022-32205 | medium | — | 5.5 | — | A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent H… | |||
| CVE-2022-27780 | medium | — | 5.5 | — | The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.F… | |||
| CVE-2022-2456 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-2500 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-2095 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-2497 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-2512 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-0669 | medium | — | 5.5 | — | A flaw was found in dpdk. This flaw allows a malicious vhost-user master to attach an unexpected number of fds as ancillary data to VHOST_USER_GET_INFLIGHT_FD / VHOST_USER_SET_INFLIGHT_FD messages th… | |||
| CVE-2022-2303 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-27778 | medium | — | 5.5 | — | A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`. | |||
| CVE-2022-2417 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-2534 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-33070 | medium | — | 5.5 | — | Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Se… | |||
| CVE-2022-2307 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-2539 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-2326 | medium | — | 5.5 | — | unknown in gitlab | |||
| CVE-2022-27779 | medium | — | 5.5 | — | libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt … | |||
| CVE-2022-30115 | medium | — | 5.5 | — | Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the hos… | |||
| CVE-2022-0419 | medium | — | 5.5 | — | NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.0. | |||
| CVE-2022-28202 | medium | — | 5.5 | — | An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used i… | |||
| CVE-2022-49643 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: ima: Fix a potential integer overflow in ima_appraise_measurement When the ima-modsig is enabled, the rc passed to evm_verifyxatt… | |||
| CVE-2022-49648 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: tracing/histograms: Fix memory leak problem This reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac. As commit 46bbe5c671e0… | |||
| CVE-2022-49657 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: usbnet: fix memory leak in error case usbnet_write_cmd_async() mixed up which buffers need to be freed in which error case. v2: … | |||
| CVE-2022-49845 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_send_one(): fix missing CAN header initialization The read access to struct canxl_frame::len inside of a j1939 … | |||
| CVE-2022-50504 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: avoid scheduling in rtas_os_term() It's unsafe to use rtas_busy_delay() to handle a busy status from the ibm,os-ter… | |||
| CVE-2022-49432 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: powerpc/xics: fix refcount leak in icp_opal_init() The of_find_compatible_node() function returns a node pointer with refcount in… | |||
| CVE-2022-49353 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: powerpc/papr_scm: don't requests stats with '0' sized stats buffer Sachin reported [1] that on a POWER-10 lpar he is seeing a ker… | |||
| CVE-2022-49357 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: efi: Do not import certificates from UEFI Secure Boot for T2 Macs On Apple T2 Macs, when Linux attempts to read the db and dbx ef… | |||
| CVE-2022-49443 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: list: fix a data-race around ep->rdllist ep_poll() first calls ep_events_available() with no lock held and checks if ep->rdllist … | |||
| CVE-2022-49627 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: ima: Fix potential memory leak in ima_init_crypto() On failure to allocate the SHA1 tfm, IMA fails to initialize and exits withou… | |||
| CVE-2022-49670 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: linux/dim: Fix divide by 0 in RDMA DIM Fix a divide 0 error in rdma_dim_stats_compare() when prev->cpe_ratio == 0. CallTrace: … | |||
| CVE-2022-49672 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: net: tun: unlink NAPI from device on destruction Syzbot found a race between tun file and device destruction. NAPIs live in struc… | |||
| CVE-2022-49437 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: powerpc/xive: Fix refcount leak in xive_spapr_init of_find_compatible_node() returns a node pointer with refcount incremented, we… |