CVE-2022-38069
- Multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow a threat actor with momentary physical access to gain privileged access to any device. Privileged credential access enables the extraction of sensitiv...
Published:
September 13, 2022; 11:15:08 AM -0400
V3.1: 6.1 MEDIUM
CVE-2022-38100
- The CMS800 device fails while attempting to parse malformed network data sent by a threat actor. A threat actor with network access can remotely issue a specially formatted UDP request that will cause the entire device to crash and require a physi...
Published:
September 13, 2022; 11:15:08 AM -0400
V3.1: 7.5 HIGH
CVE-2022-38453
- Multiple binary application files on the CMS8000 device are compiled with 'not stripped' and 'debug_info' compilation settings. These compiler settings greatly decrease the level of effort for a threat actor to reverse engineer sensitive code and ...
Published:
September 13, 2022; 11:15:08 AM -0400
V3.1: 4.4 MEDIUM
CVE-2022-3027
- The CMS8000 device does not properly control or sanitize the SSID name of a new Wi-Fi access point. A threat actor could create an SSID with a malicious name, including non-standard characters that, when the device attempts connecting to the malic...
Published:
September 13, 2022; 11:15:09 AM -0400
V3.1: 5.7 MEDIUM
CVE-2022-3190
- Infinite loop in the F5 Ethernet Trailer protocol dissector in Wireshark 3.6.0 to 3.6.7 and 3.4.0 to 3.4.15 allows denial of service via packet injection or crafted capture file
Published:
September 13, 2022; 11:15:09 AM -0400
V3.1: 5.5 MEDIUM
CVE-2022-38538
- Archery v1.7.0 to v1.8.5 was discovered to contain a SQL injection vulnerability via the checksum parameter in the report module.
Published:
September 13, 2022; 11:15:09 AM -0400
V3.1: 9.8 CRITICAL
CVE-2022-38539
- Archery v1.7.5 to v1.8.5 was discovered to contain a SQL injection vulnerability via the where parameter at /archive/apply.
Published:
September 13, 2022; 11:15:09 AM -0400
V3.1: 9.8 CRITICAL
CVE-2022-38540
- Archery v1.4.0 to v1.8.5 was discovered to contain a SQL injection vulnerability via the ThreadIDs parameter in the create_kill_session interface.
Published:
September 13, 2022; 11:15:09 AM -0400
V3.1: 9.8 CRITICAL
CVE-2022-38541
- Archery v1.8.3 to v1.8.5 was discovered to contain multiple SQL injection vulnerabilities via the start_time and stop_time parameters in the my2sql interface.
Published:
September 13, 2022; 11:15:09 AM -0400
V3.1: 9.8 CRITICAL
CVE-2022-38542
- Archery v1.4.0 to v1.8.5 was discovered to contain a SQL injection vulnerability via the ThreadIDs parameter in the kill_session interface.
Published:
September 13, 2022; 11:15:09 AM -0400
V3.1: 9.8 CRITICAL
CVE-2022-38537
- Archery v1.4.5 to v1.8.5 was discovered to contain multiple SQL injection vulnerabilities via the start_file, end_file, start_time, and stop_time parameters in the binlog2sql interface.
Published:
September 13, 2022; 11:15:08 AM -0400
V3.1: 9.8 CRITICAL
CVE-2022-36873
- Improper restriction of broadcasting Intent in GalaxyStoreBridgePageLinker of Waterplugin prior to version 2.2.11.22081151 leaks MAC address of the connected Bluetooth device.
Published:
September 09, 2022; 11:15:12 AM -0400
V3.1: 6.5 MEDIUM
CVE-2022-36874
- Improper Handling of Insufficient Permissions or Privileges vulnerability in Waterplugin prior to 2.2.11.22040751 allows attacker to access device IMEI and Serial number.
Published:
September 09, 2022; 11:15:13 AM -0400
V3.1: 6.2 MEDIUM
CVE-2022-36875
- Improper restriction of broadcasting Intent in SaWebViewRelayActivity of Waterplugin prior to version 2.2.11.22081151 allows attacker to access the file without permission.
Published:
September 09, 2022; 11:15:13 AM -0400
V3.1: 5.5 MEDIUM
CVE-2022-36876
- Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10 allows physical attackers to access account list without authentication.
Published:
September 09, 2022; 11:15:13 AM -0400
V3.1: 2.4 LOW
CVE-2022-36877
- Exposure of Sensitive Information in FaqSymptomCardViewModel in Samsung Members prior to versions 4.3.00.11 in Global and 14.0.02.4 in China allows local attackers to access device identification via log.
Published:
September 09, 2022; 11:15:13 AM -0400
V3.1: 3.3 LOW
CVE-2022-36878
- Exposure of Sensitive Information in Find My Mobile prior to version 7.2.25.14 allows local attacker to access IMEI via log.
Published:
September 09, 2022; 11:15:13 AM -0400
V3.1: 3.3 LOW
CVE-2022-37411
- Cross-Site Request Forgery (CSRF) vulnerability in Vinoj Cardoza's Captcha Code plugin <= 2.7 at WordPress.
Published:
September 09, 2022; 11:15:13 AM -0400
V3.1: 8.8 HIGH
CVE-2022-38067
- Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress.
Published:
September 09, 2022; 11:15:14 AM -0400
V3.1: 5.3 MEDIUM
CVE-2022-38081
- OpenHarmony-v3.1.2 and prior versions have a permission bypass vulnerability. LAN attackers can bypass the distributed permission control. To take advantage of this weakness, attackers need another vulnerability to obtain system.
Published:
September 09, 2022; 11:15:14 AM -0400
V3.1: 5.5 MEDIUM