CVE-2022-21642

Discourse is an open source platform for community discussion. In affected versions when composing a message from topic the composer user suggestions reveals whisper participants. The issue has been patched in stable version 2.7.13 and beta version 2.8.0.beta11. There is no workaround for this...

CVE-2022-42840

The issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2. An app may be able to execute arbitrary code with kernel privileges...

CVE-2022-39315

Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does...

CVE-2022-39225

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVE-2022-24849

DisCatSharp is a Discord API wrapper for .NET. Users of versions 9.8.5, 9.8.6, 9.9.0 and previously published prereleases of 10.0.0 who have used either one of the two RequireDisCatSharpDeveloperAttributes or the BaseDiscordClient.LibraryDeveloperTeam have potentially had their bot token sent to ...

CVE-2022-24820

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and...

CVE-2022-24891

ESAPI The OWASP Enterprise Security API is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configurati...

CVE-2022-21829

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concretesecure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http...

CVE-2022-39340

OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the streamed-list-objects endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users openfga/openfga versions 0.2.3 and prior who are exposing the OpenFGA service to the intern...

CVE-2022-39384

OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation the most prominent example being minimal proxies may be reentered if they make an untrusted non-view external cal...

CVE-2022-39202

matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. The Internet Relay Chat IRC protocol allows you to specify multiple modes in a single mode command. Due to a bug in the underlying matrix-org/node-irc library, affected versions of matrix-appservice-irc perform parsing of such...

CVE-2022-39242

Frontier is an Ethereum compatibility layer for Substrate. Prior to commit d3beddc6911a559a3ecc9b3f08e153dbe37a8658, the worst case weight was always accounted as the block weight for all cases. In case of large EVM gas refunds, this can lead to block spamming attacks -- the adversary can constru...

CVE-2022-39233

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions 12.9.99.228 and above, prior to 14.0.99.24, authorizations are not properly verified when updating the branch prefix used by the GitLab repository integration. Authenticated users ca...

CVE-2022-39350

@dependencytrack/frontend is a Single Page Application SPA used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Due to the common practice of providing vulnerability details in markdown format, the...

CVE-2022-32814

A type confusion issue was addressed with improved state handling. This issue is fixed in watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5. An app may be able to execute arbitrary code with kernel privileges...

CVE-2022-36031

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filenamedisk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15....

CVE-2022-35988

TensorFlow is an open source platform for machine learning. When tf.linalg.matrixrank receives an empty input a, the GPU kernel gives a CHECK fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit c55b476aa0e0bd4ee99d0f3ad18d9d706cd1260a. The fix...

CVE-2022-35972

TensorFlow is an open source platform for machine learning. If QuantizedBiasAdd is given mininput, maxinput, minbias, maxbias tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit...

CVE-2022-46160

Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.104, project level authorizations are not properly verified when accessing the project "homepage"/dashboards. Users not authorized to access a project may still be able to...

CVE-2022-46689

A race condition was addressed with additional validation. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges...