The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2022-38069 - Multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow a threat actor with momentary physical access to gain privileged access to any device. Privileged credential access enables the extraction of sensitiv...
    Published: September 13, 2022; 11:15:08 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2022-38100 - The CMS800 device fails while attempting to parse malformed network data sent by a threat actor. A threat actor with network access can remotely issue a specially formatted UDP request that will cause the entire device to crash and require a physi...
    Published: September 13, 2022; 11:15:08 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2022-38453 - Multiple binary application files on the CMS8000 device are compiled with 'not stripped' and 'debug_info' compilation settings. These compiler settings greatly decrease the level of effort for a threat actor to reverse engineer sensitive code and ...
    Published: September 13, 2022; 11:15:08 AM -0400

    V3.1: 4.4 MEDIUM

  • CVE-2022-3027 - The CMS8000 device does not properly control or sanitize the SSID name of a new Wi-Fi access point. A threat actor could create an SSID with a malicious name, including non-standard characters that, when the device attempts connecting to the malic...
    Published: September 13, 2022; 11:15:09 AM -0400

    V3.1: 5.7 MEDIUM

  • CVE-2022-3190 - Infinite loop in the F5 Ethernet Trailer protocol dissector in Wireshark 3.6.0 to 3.6.7 and 3.4.0 to 3.4.15 allows denial of service via packet injection or crafted capture file
    Published: September 13, 2022; 11:15:09 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2022-38538 - Archery v1.7.0 to v1.8.5 was discovered to contain a SQL injection vulnerability via the checksum parameter in the report module.
    Published: September 13, 2022; 11:15:09 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2022-38539 - Archery v1.7.5 to v1.8.5 was discovered to contain a SQL injection vulnerability via the where parameter at /archive/apply.
    Published: September 13, 2022; 11:15:09 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2022-38540 - Archery v1.4.0 to v1.8.5 was discovered to contain a SQL injection vulnerability via the ThreadIDs parameter in the create_kill_session interface.
    Published: September 13, 2022; 11:15:09 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2022-38541 - Archery v1.8.3 to v1.8.5 was discovered to contain multiple SQL injection vulnerabilities via the start_time and stop_time parameters in the my2sql interface.
    Published: September 13, 2022; 11:15:09 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2022-38542 - Archery v1.4.0 to v1.8.5 was discovered to contain a SQL injection vulnerability via the ThreadIDs parameter in the kill_session interface.
    Published: September 13, 2022; 11:15:09 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2022-38537 - Archery v1.4.5 to v1.8.5 was discovered to contain multiple SQL injection vulnerabilities via the start_file, end_file, start_time, and stop_time parameters in the binlog2sql interface.
    Published: September 13, 2022; 11:15:08 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2022-36873 - Improper restriction of broadcasting Intent in GalaxyStoreBridgePageLinker of Waterplugin prior to version 2.2.11.22081151 leaks MAC address of the connected Bluetooth device.
    Published: September 09, 2022; 11:15:12 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2022-36874 - Improper Handling of Insufficient Permissions or Privileges vulnerability in Waterplugin prior to 2.2.11.22040751 allows attacker to access device IMEI and Serial number.
    Published: September 09, 2022; 11:15:13 AM -0400

    V3.1: 6.2 MEDIUM

  • CVE-2022-36875 - Improper restriction of broadcasting Intent in SaWebViewRelayActivity of Waterplugin prior to version 2.2.11.22081151 allows attacker to access the file without permission.
    Published: September 09, 2022; 11:15:13 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2022-36876 - Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10 allows physical attackers to access account list without authentication.
    Published: September 09, 2022; 11:15:13 AM -0400

    V3.1: 2.4 LOW

  • CVE-2022-36877 - Exposure of Sensitive Information in FaqSymptomCardViewModel in Samsung Members prior to versions 4.3.00.11 in Global and 14.0.02.4 in China allows local attackers to access device identification via log.
    Published: September 09, 2022; 11:15:13 AM -0400

    V3.1: 3.3 LOW

  • CVE-2022-36878 - Exposure of Sensitive Information in Find My Mobile prior to version 7.2.25.14 allows local attacker to access IMEI via log.
    Published: September 09, 2022; 11:15:13 AM -0400

    V3.1: 3.3 LOW

  • CVE-2022-37411 - Cross-Site Request Forgery (CSRF) vulnerability in Vinoj Cardoza's Captcha Code plugin <= 2.7 at WordPress.
    Published: September 09, 2022; 11:15:13 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2022-38067 - Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress.
    Published: September 09, 2022; 11:15:14 AM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2022-38081 - OpenHarmony-v3.1.2 and prior versions have a permission bypass vulnerability. LAN attackers can bypass the distributed permission control. To take advantage of this weakness, attackers need another vulnerability to obtain system.
    Published: September 09, 2022; 11:15:14 AM -0400

    V3.1: 5.5 MEDIUM