Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain. Date published : 2022-04-18 https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/ https://www.openwall.com/lists/oss-security/2022/02/07/3
Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module. Date published : 2022-04-18 https://www.manageengine.com/network-monitoring/security-updates/cve-2022-27908.html
Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin)
A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This...
A maliciously crafted TIF or PICT file in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to write beyond the allocated buffer through Buffer overflow vulnerability. This vulnerability may be exploited to execute...
A maliciously crafted PICT, BMP, PSD or TIF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 may be used to write beyond the allocated buffer while parsing PICT, BMP, PSD or TIF file. This...
A malicious crafted TGA file when consumed through DesignReview.exe application could lead to memory corruption vulnerability. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current...
A malicious crafted .dwf file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the...
An Insecure Direct Object Reference issue exists in the Tyler Odyssey platform before 17.1.20. This may allow an external party to access sensitive case records. Date published : 2022-04-18 https://news.ycombinator.com/item?id=30502117 https://www.calbar.ca.gov/About-Us/News/Data-Breach-Updates
Automatic Question Paper Generator v1.0 contains a Time-Based Blind SQL injection vulnerability via the id GET parameter. Date published : 2022-04-18 https://github.com/Cyb3rR3ap3r/CVE-2022-26631 https://www.sourcecodester.com/php/15190/automatic-question-paper-generator-system-phpoop-free-source-code.html
ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via ‘http://thin-vnc:8080/cmd?cmd=connect’ by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server...
http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0. In versions of http-swagger prior to 1.2.6 an attacker may perform a denial of service attack consisting of memory...
PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a...
fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams...