CVE-2022-29427
Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni’s Disable Right Click For WP plugin <= 1.1.6 at WordPress.
Source: CVE-2022-29427
CVE-2022-29427
Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni’s Disable Right Click For WP plugin <= 1.1.6 at WordPress.
Source: CVE-2022-29427
CVE-2022-29426
Authenticated (contributor or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in 2J Slideshow Team’s Slideshow, Image Slider by 2J plugin <= 1.3.54 at WordPress.
Source: CVE-2022-29426
CVE-2022-29432
Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via &data-link-text, &data-link-url, &data, &data-shortcode, &data-star-num vulnerable parameters.
Source: CVE-2022-29432
CVE-2022-29434
Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events.
Source: CVE-2022-29434
CVE-2022-29186
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rundeck community and rundeck-enterprise docker images contained a pre-generated SSH keypair. If the id_rsa.pub public key of the keypair was copied to authorized_keys files on remote host, those hosts would allow access to anyone with the exposed private credentials. This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host. A patch on Rundeck’s `main` branch has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them. Two workarounds are available: Do not use any pre-existing public key file from the rundeck docker images to allow SSH access by adding it to authorized_keys files and, if you have copied the public key file included in the docker image, remove it from any authorized_keys files.
Source: CVE-2022-29186
CVE-2022-29430
Cross-Site Scripting (XSS) vulnerability in KubiQ’s PNG to JPG plugin <= 4.0 at WordPress via Cross-Site Request Forgery (CSRF). Vulnerable parameter &jpg_quality.
Source: CVE-2022-29430
CVE-2022-22973
VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. A malicious actor with local access can escalate privileges to ‘root’.
Source: CVE-2022-22973
CVE-2022-22972
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Source: CVE-2022-22972
CVE-2022-29425
Cross-Site Scripting (XSS) vulnerability in WP Wham’s Checkout Files Upload for WooCommerce plugin <= 2.1.2 at WordPress.
Source: CVE-2022-29425
CVE-2022-29424
Authenticated (admin or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in Biplob Adhikari’s Image Hover Effects Ultimate plugin <= 9.7.1 at WordPress.
Source: CVE-2022-29424