CVE-2022-33148

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.This vulnerability exists in the Live Schedules...

CVE-2022-33147

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.This vulnerability exists in the aVideoEncoder...

CVE-2022-32778

WWBN AVideo 11.6 and dev master commit 3f7c0364 are affected by information-disclosure cookies issues (CVE-2022-32777 and CVE-2022-32778) per TALOS-2022-1542. The session cookie lacks HttpOnly and Secure flags, allowing access via JavaScript and leakage over non-HTTPS. The pass cookie also lacks ...

CVE-2022-32778

An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the...

CVE-2022-32777

CVE-2022-32777 affects WWBN AVideo 11.6 and dev-master (commit 3f7c0364). The vulnerability centers on cookie handling: session cookie lacks HttpOnly and Secure flags on some deployments, enabling JavaScript access and potential leakage over non-HTTPS. The related pass cookie is explicitly set wi...

CVE-2022-32777

An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the...

CVE-2022-32282

An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. An attacker that owns a users' password hash will be able to use it to directly login into the account, leading to increased privileges...

CVE-2022-30605

A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability...

CVE-2022-30534

An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability...

CVE-2022-30534

CVE-2022-30534 affects WWBN AVideo 11.6 and dev master commit 3f7c0364. The OS command injection occurs in the aVideoEncoder chunkfile handling, where a specially crafted HTTP request leads to arbitrary command execution. Talos details show the vulnerability path via the aVideoEncoder.json.php fl...

CVE-2022-26061

A heap-based buffer overflow vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability...

CVE-2021-3521

There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to...

PT-2022-4351

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 11.3.4 through 15.1.5 GitLab CE/EE versions 15.2 through 15.2.3 GitLab CE/EE versions 15.3 through 15.3.1 Description A vulnerability in GitLab CE/EE allows an authenticated user to achieve remote code execution via the...

CVE-2021-3521

CVE-2021-3521 describes a flaw in RPM’s handling of OpenPGP subkeys: binding signatures on subkeys are not checked before import, enabling potential trust of malicious signatures and risking data integrity. Exploitation requires compromising a repository or persuading an administrator to install ...

CVE-2021-3521

There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to...

PT-2022-19186 · Wwbn · Avideo

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 11.6 and dev master commit 3f7c0364 Description: An information disclosure issue exists in the chunkFile functionality, allowing an attacker to read arbitrary files by sending a specially-crafted HTTP request...

Privilege escalation

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update...

CVE-2022-2921 Exposure of Private Personal Information to an Unauthorized Actor in notrinos/notrinoserp

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update...

CVE-2022-35909

In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality...

CVE-2022-35909

In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality...