13470 matches found

OSV
added 2022/12/08 2:33 a.m., 4 views

GSD-2022-1007778 riscv: process: fix kernel info leakage

riscv: process: fix kernel info leakage This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v6.0.9 by commit 358a68f98304b40b201ba5afe94c20355aa3dc6...

7.1 AI score
Exploits: 0

OSV
added 2022/12/08 2:26 a.m., 13 views

GSD-2022-1007710 scsi: zfcp: Fix double free of FSF request when qdio send fails

scsi: zfcp: Fix double free of FSF request when qdio send fails This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v6.0.10 by commit...

7.2 AI score
Exploits: 0

OSV
added 2022/12/08 2:25 a.m., 12 views

GSD-2022-1007700 scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus()

scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus() This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v6.0.10 by commit...

7.2 AI score
Exploits: 0

OSV
added 2022/12/08 2:24 a.m., 5 views

GSD-2022-1007687 9p: trans_fd/p9_conn_cancel: drop client lock earlier

9p: trans_fd/p9_conn_cancel: drop client lock earlier This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v6.0.10 by commit...

7.2 AI score
Exploits: 0

OSV
added 2022/12/07 8:28 p.m., 32 views

GHSA-JVGW-GCCV-Q5P8 libp2p DoS vulnerability from lack of resource management

Impact An attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack,...

7.5 CVSS, 7.5 AI score, 0.00334 EPSS
Exploits: 0, References: 6

CVE
added 2022/12/07 12:0 a.m., 47 views

CVE-2022-4322

The CVE-2022-4322 issue affects maku-boot up to version 2.2.0, specifically the Scheduled Task Handler’s doExecute function, where manipulation leads to injection. Remote exploitation is possible and the exploit has been disclosed publicly. The patch to fix this is named 446eb7294332efca2bfd791bc...

7.2 CVSS, 7 AI score, 0.00554 EPSS
Exploits: 1, References: 3, Affected Software: 1

WPVulnDB
added 2022/12/07 12:0 a.m., 9 views

GC Testimonials <= 1.3.2 - Contributor+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...

6.1 CVSS, 5.8 AI score, 0.00261 EPSS
Exploits: 0, Affected Software: 1

Cvelist
added 2022/12/07 12:0 a.m., 20 views

CVE-2022-46688

A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers previously configured by Jenkins administrators using attacker-specified credentials IDs obtained through another method,...

7 AI score, 0.00104 EPSS
Exploits: 0, References: 1

Packet Storm
added 2022/12/06 12:0 a.m., 263 views

Senayan Library Management System 9.5.1 SQL Injection

Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi Author: nu11secur1ty Date: 12.06.2022 Vendor: https://slims.web.id/web/ Software: https://slims.web.id/web/news/rilis-9.5.1/ Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1...

0.4 AI score
Exploits: 0

NVD
added 2022/12/05 5:15 p.m., 12 views

CVE-2022-3926

The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID...

6.5 CVSS, 0.00078 EPSS
Exploits: 2, References: 1

Cvelist
added 2022/12/05 4:50 p.m., 22 views

CVE-2022-3892 WP OAuth Server < 4.2.2 - Admin+ Stored XSS

The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.2 does not sanitize and escape Client IDs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

5 AI score, 0.00203 EPSS
Exploits: 2, References: 1

Prion
added 2022/12/05 4:15 p.m., 12 views

Code injection

Telepad allows an attacker in a man-in-the-middle position between the server and a connected device to see all data including keypresses in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N...

2.6 CVSS, 5.6 AI score, 0.00085 EPSS
Exploits: 0, References: 1, Affected Software: 1

Veracode
added 2022/12/05 5:27 a.m., 33 views

Improper Certificate Validation

nextcloud-desktop is vulnerable to improper certificate validation. The vulnerability exists due to man in the middle attacks in invalid TLS certificates which allows an attacker to take control of a machine between the client and the server...

4.7 CVSS, 5.2 AI score, 0.00089 EPSS
Exploits: 1, References: 6, Affected Software: 1

Cvelist
added 2022/12/05 12:0 a.m., 12 views

CVE-2022-45478

Telepad allows an attacker in a man-in-the-middle position between the server and a connected device to see all data including keypresses in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N...

5.8 AI score, 0.00085 EPSS
Exploits: 0, References: 1

The Hacker News
added 2022/12/02 11:29 a.m., 40 views

Researchers Disclose Supply-Chain Flaw Affecting IBM Cloud Databases for PostgreSQL

IBM has fixed a high-severity security vulnerability affecting its Cloud Databases (ICD) for PostgreSQL product that could be potentially exploited to tamper with internal repositories and run unauthorized code. The privilege escalation flaw (CVSS score: 8.8), dubbed "Hell's Keychain" by cloud securi...

1 AI score
Exploits: 0

CVE
added 2022/12/02 12:0 a.m., 55 views

CVE-2022-45480

Technical details (affected products/versions, root cause, impact specifics, or fixes) are not provided in the supplied documents. Monitor for updates for any new public disclosures.

5.9 CVSS, 6.4 AI score, 0.00156 EPSS
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 2022/12/01 8:38 p.m., 31 views

CVE-2022-41968 Nextcloud Server's calendar name length not validated before writing to database

Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Version 23.0.10 and 24.0.5 contain patches for...

3.5 CVSS, 5.4 AI score, 0.0042 EPSS
Exploits: 0, References: 3

CVE
added 2022/11/30 7:22 p.m., 74 views

CVE-2022-37925

CVE-2022-37925 is an XSS vulnerability in Aruba EdgeConnect Enterprise web-based management interface. The issue affects Aruba EdgeConnect Enterprise software versions ECOS 9.2.1.0 and below, ECOS 9.1.3.0 and below, ECOS 9.0.7.0 and below, and ECOS 8.3.7.1 and below. The root cause is a reflected...

6.1 CVSS, 5.9 AI score, 0.00213 EPSS
Exploits: 0, References: 1, Affected Software: 1

CNVD
added 2022/11/30 12:0 a.m., 33 views

IBM WebSphere Application Server Liberty Denial of Service Vulnerability

IBM WebSphere Application Server Liberty is a Java application server built on top of the Open Liberty project from International Business Machines (IBM). IBM WebSphere Application Server Liberty has a denial-of-service vulnerability that stems from a flaw in the parser of text-formatted data, whic...

7.5 CVSS, 3.3 AI score, 0.00139 EPSS
Exploits: 0, References: 1

CNVD
added 2022/11/30 12:0 a.m., 21 views

WordPress Analytics for WP plugin cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. WordPress Analytics for WP plugin 1.5.1 and earlier versions contain a cross-site scripting...

4.8 CVSS, 0.9 AI score, 0.00248 EPSS
Exploits: 2, References: 1