
05/30/2022 01:15 PM EDT
Original release date: May 30, 2022
High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| badminton_center_management_ | Badminton Center Management System 1.0 is vulnerable to SQL Injection via /bcms/classes/Master.php?f= | 2022-05-24 | 7.5 | CVE-2022-30455 MISC |
| battleye — battleye | BattlEye v0.9 contains an unquoted service path which allows attackers to escalate privileges to the system level. | 2022-05-20 | 7.2 | CVE-2022-27095 MISC |
| chatbot_application_with_a_ | ChatBot Application with a Suggestion Feature 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /simple_chat_bot/admin/ | 2022-05-20 | 7.5 | CVE-2022-30518 MISC MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/pic/del. | 2022-05-26 | 7.5 | CVE-2022-29660 MISC |
| covid-19_directory_on_ | Sourcecodester Covid-19 Directory on Vaccination System 1.0 is vulnerable to SQL Injection via the admin/login.php txtusername (aka Username) field. | 2022-05-20 | 7.5 | CVE-2022-28531 MISC MISC |
| covid_19_travel_pass_ | Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/classes/Master.php?f= | 2022-05-24 | 7.5 | CVE-2022-30838 MISC |
| merchandise_online_store_ | Merchandise Online Store 1.0 is vulnerable to SQL Injection via /vloggers_merch/classes/ | 2022-05-24 | 7.5 | CVE-2022-30454 MISC |
| minitool — partition_wizard | MiniTool Partition Wizard v12.0 contains an unquoted service path which allows attackers to escalate privileges to the system level. | 2022-05-20 | 7.2 | CVE-2022-29320 MISC |
| multi-vendor_online_groceries_ | Multi-Vendor Online Groceries Management System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /products/view_product.php. | 2022-05-20 | 7.5 | CVE-2022-26632 MISC |
| nirweb — nirweb_support | The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection. | 2022-05-23 | 7.5 | CVE-2022-0781 MISC |
| online_sports_complex_booking_ | Online Sports Complex Booking System v1.0 was discovered to allow attackers to take over user accounts via a crafted POST request. | 2022-05-20 | 7.5 | CVE-2022-28106 MISC |
| online_sports_complex_booking_ | Online Sports Complex Booking System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /scbs/view_facility.php. | 2022-05-20 | 7.5 | CVE-2022-28105 MISC |
| pharmacy_management_system_ | Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage. | 2022-05-20 | 7.5 | CVE-2022-30887 MISC |
| privateinternetaccess — private_internet_access | Private Internet Access v3.3 contains an unquoted service path which allows attackers to escalate privileges to the system level. | 2022-05-20 | 7.2 | CVE-2022-27092 MISC |
| rengine_project — rengine | Rengine v1.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the yaml configuration function. | 2022-05-20 | 7.5 | CVE-2022-28995 MISC |
| rengine_project — rengine | OS Command Injection in GitHub repository yogeshojha/rengine prior to 1.2.0. | 2022-05-22 | 7.5 | CVE-2022-1813 MISC CONFIRM |
| school_dormitory_management_ | School Dormitory Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /dms/admin/reports/daily_ | 2022-05-20 | 7.5 | CVE-2022-30886 MISC |
| siemens — 7kg8500-0aa00-0aa0_firmware | A vulnerability has been identified in SICAM P850 (All versions < V3.00) and SICAM P855 (All versions < V3.00). Affected devices do not properly validate parameters of certain GET and POST requests. This could allow an unauthenticated attacker to set the device to a denial of service state or to control the program counter and, thus, execute arbitrary code on the device. | 2022-05-20 | 7.5 | CVE-2022-29873 CONFIRM |
| simple_student_quarterly_ | Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php. | 2022-05-20 | 7.5 | CVE-2022-26633 MISC |
| sony — playmemories_home | Sony PlayMemories Home v6.0 contains an unquoted service path which allows attackers to escalate privileges to the system level. | 2022-05-20 | 7.2 | CVE-2022-27094 MISC |
| vmware — identity_manager | VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. | 2022-05-20 | 7.5 | CVE-2022-22972 MISC |
| vmware — identity_manager | VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. A malicious actor with local access can escalate privileges to ‘root’. | 2022-05-20 | 7.2 | CVE-2022-22973 MISC |
| water_billing_system_project — water_billing_system | Water-billing-management- | 2022-05-24 | 7.5 | CVE-2022-30461 MISC |
| wp_contacts_manager_project — wp_contacts_manager | The WP Contacts Manager WordPress plugin through 2.2.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability. | 2022-05-23 | 7.5 | CVE-2022-1014 MISC |
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| automotive_shop_management_ | Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/classes/Master.php?f= | 2022-05-24 | 6.5 | CVE-2022-30463 MISC |
| avast — premium_security | Multiple DLL hijacking vulnerabilities via the components instup.exe and wsc_proxy.exe in Avast Premium Security before v21.11.2500 allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted DLL file. | 2022-05-20 | 4.4 | CVE-2022-28965 MISC MISC |
| chatbot_app_with_suggestion_ | ChatBot App with Suggestion in PHP/OOP v1.0 is vulnerable to SQL Injection via /simple_chat_bot/classes/ | 2022-05-24 | 6.5 | CVE-2022-30459 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/ | 2022-05-26 | 6.5 | CVE-2022-29676 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Label/page_del. | 2022-05-26 | 6.5 | CVE-2022-29683 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/lists/ | 2022-05-26 | 6.5 | CVE-2022-29669 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/level_del. | 2022-05-26 | 6.5 | CVE-2022-29687 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/lists/ | 2022-05-26 | 6.5 | CVE-2022-29686 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/User/level_sort. | 2022-05-26 | 6.5 | CVE-2022-29685 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/vod/admin/topic/ | 2022-05-26 | 6.5 | CVE-2022-29682 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Links/del. | 2022-05-26 | 6.5 | CVE-2022-29681 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/zu_del. | 2022-05-26 | 6.5 | CVE-2022-29680 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Label/js_del. | 2022-05-26 | 6.5 | CVE-2022-29684 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/topic/ | 2022-05-26 | 6.5 | CVE-2022-29665 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/ | 2022-05-26 | 6.5 | CVE-2022-29666 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via /admin.php/pic/admin/pic/hy. This vulnerability is exploited via restoring deleted photos. | 2022-05-26 | 6.5 | CVE-2022-29667 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/ | 2022-05-26 | 6.5 | CVE-2022-29689 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/pl_ | 2022-05-26 | 6.5 | CVE-2022-29664 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/hy. | 2022-05-26 | 6.5 | CVE-2022-29663 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/news/ | 2022-05-26 | 6.5 | CVE-2022-29662 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/ | 2022-05-26 | 6.5 | CVE-2022-29661 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/ | 2022-05-26 | 6.5 | CVE-2022-29688 MISC |
| chshcms — cscms_music_portal_system | CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/del. | 2022-05-26 | 6.5 | CVE-2022-29670 MISC |
| disable_right_click_for_wp_ | Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni’s Disable Right Click For WP plugin <= 1.1.6 at WordPress. | 2022-05-20 | 6.8 | CVE-2022-29427 CONFIRM CONFIRM |
| donate_extra_project — donate_extra | The Donate Extra WordPress plugin through 2.02 does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting. | 2022-05-23 | 4.3 | CVE-2022-1268 MISC |
| duogeek — domain_replace | The Domain Replace WordPress plugin through 1.3.8 does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting. | 2022-05-23 | 4.3 | CVE-2022-1218 MISC |
| e-diary_management_system_ | Diary Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name parameter in search-result.php. | 2022-05-23 | 4.3 | CVE-2022-29004 MISC MISC MISC |
| gnu — libredwg | A heap buffer overflow was discovered in copy_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file. | 2022-05-23 | 6.8 | CVE-2021-42586 MISC |
| gnu — libredwg | A heap buffer overflow was discovered in copy_compressed_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file. | 2022-05-23 | 6.8 | CVE-2021-42585 MISC |
| gwyns_imagemap_selector_ | The Gwyn’s Imagemap Selector WordPress plugin through 0.3.3 does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting. | 2022-05-23 | 4.3 | CVE-2022-1221 MISC |
| imgurl_project — imgurl | imgurl v2.31 was discovered to contain a Blind SQL injection vulnerability via /upload/localhost. | 2022-05-24 | 6.8 | CVE-2022-29305 MISC |
| inoutscripts — blockchain_altexchanger | Inout Blockchain AltExchanger 1.2.1 and Inout Blockchain FiatExchanger 2.2.1 allow Chart/TradingView/chart_ | 2022-05-23 | 5 | CVE-2022-31487 MISC MISC |
| inoutscripts — blockchain_altexchanger | Inout Blockchain AltExchanger 1.2.1 allows index.php/home/about inoutio_language cookie SQL injection. | 2022-05-23 | 5 | CVE-2022-31489 MISC |
| inoutscripts — blockchain_altexchanger | Inout Blockchain AltExchanger 1.2.1 allows index.php/coins/update_ | 2022-05-23 | 5 | CVE-2022-31488 MISC |
| jgraph — drawio | Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. | 2022-05-20 | 5 | CVE-2022-1784 MISC CONFIRM |
| kubiq — cpt_base | Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base. | 2022-05-20 | 5.8 | CVE-2022-29431 CONFIRM CONFIRM |
| online_banquet_booking_system_ | A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request. | 2022-05-20 | 6.8 | CVE-2022-28992 MISC |
| online_birth_certificate_ | Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters. | 2022-05-23 | 4.3 | CVE-2022-29005 MISC MISC MISC |
| openrazer_project — openrazer | A buffer overflow in the razerkbd driver of OpenRazer v3.3.0 and below allows attackers to cause a Denial of Service (DoS) via a crafted buffer sent to the matrix_custom_frame device. | 2022-05-20 | 5 | CVE-2022-29021 MISC |
| openrazer_project — openrazer | A buffer overflow in the razeraccessory driver of OpenRazer v3.3.0 and below allows attackers to cause a Denial of Service (DoS) via a crafted buffer sent to the matrix_custom_frame device. | 2022-05-20 | 5 | CVE-2022-29022 |