
The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2022-41922 - `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
    Published: November 23, 2022; 1:15:12 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2022-39067 - There is a buffer overflow vulnerability in ZTE MF286R. Due to lack of input validation on parameters of the wifi interface, an authenticated attacker could use the vulnerability to perform a denial of service attack.
    Published: November 22, 2022; 12:15:10 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2022-39066 - There is a SQL injection vulnerability in ZTE MF286R. Due to insufficient validation of the input parameters of the phonebook interface, an authenticated attacker could use the vulnerability to execute arbitrary SQL injection.
    Published: November 22, 2022; 12:15:10 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2022-45214 - A cross-site scripting (XSS) vulnerability in Sanitization Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter at /php-sms/classes/Login.php.
    Published: November 28, 2022; 5:15:10 PM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2022-45221 - Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in changepassword.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into th... read CVE-2022-45221
    Published: November 28, 2022; 5:15:10 PM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2022-32966 - RTL8168FP-CG Dash remote management function has missing authorization. An unauthenticated attacker within the adjacent network can connect to DASH service port to disrupt service.
    Published: November 28, 2022; 11:15:10 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2022-32967 - RTL8111EP-CG/RTL8111FP-CG DASH function has hard-coded password. An unauthenticated physical attacker can use the hard-coded default password during system reboot triggered by other user, to acquire partial system information such as serial number... read CVE-2022-32967
    Published: November 28, 2022; 11:15:10 PM -0500

    V3.1: 2.1 LOW

  • CVE-2022-42099 - KLiK SocialMediaWebsite Version 1.0.1 has XSS vulnerabilities that allow attackers to store XSS via location Forum Subject input.
    Published: November 28, 2022; 11:15:10 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2022-42100 - KLiK SocialMediaWebsite Version 1.0.1 has XSS vulnerabilities that allow attackers to store XSS via location input reply-form.
    Published: November 28, 2022; 11:15:10 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2022-42109 - Online-shopping-system-advanced 1.0 was discovered to contain a SQL injection vulnerability via the p parameter at /shopping/product.php.
    Published: November 28, 2022; 11:15:10 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2022-45329 - AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.
    Published: November 29, 2022; 12:15:11 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2022-36137 - ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.
    Published: November 28, 2022; 11:15:10 PM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2022-36136 - ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.
    Published: November 28, 2022; 11:15:10 PM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2022-45224 - Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in Admin/add-admin.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into t... read CVE-2022-45224
    Published: November 28, 2022; 5:15:11 PM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2022-45223 - Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected int... read CVE-2022-45223
    Published: November 28, 2022; 5:15:10 PM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2022-31877 - An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet.
    Published: November 28, 2022; 10:15:10 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2022-3865 - The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin
    Published: November 28, 2022; 9:15:18 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2022-3850 - The Find and Replace All WordPress plugin before 1.3 does not have CSRF check when replacing string, which could allow attackers to make a logged admin replace arbitrary string in database tables via a CSRF attack
    Published: November 28, 2022; 9:15:18 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2022-3849 - The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin
    Published: November 28, 2022; 9:15:17 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2022-3848 - The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin
    Published: November 28, 2022; 9:15:17 AM -0500

    V3.1: 8.8 HIGH
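The description above says the NVD data is meant to drive automated vulnerability management; the listing is what that data looks like at the coarsest level (ID, summary, publication time, CVSS v3.1 score and severity label). The following is an added example, not NVD or NIST code, showing how a consumer would turn such a listing into structured records, check that each printed severity label agrees with the CVSS v3.x qualitative rating bands (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), flag summaries the listing cut off with "... read CVE-...", and pull out the entries above a triage threshold. The sample input is constructed from three entries copied verbatim from the listing on this page; the entry layout, the `Entry` dataclass, and the function names are assumptions of this example, not an NVD format specification.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Entry:
    cve: str
    summary: str
    published: datetime
    cvss_version: str
    score: float
    severity: str      # label exactly as printed in the listing
    truncated: bool    # listing cut the summary off with "... read CVE-..."


# Constructed sample: three entries in the layout of the listing above
# (assumption: the page's text layout, not a published NVD schema).
SAMPLE_LISTING = """\
  • CVE-2022-41922 - `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
    Published: November 23, 2022; 1:15:12 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2022-32967 - RTL8111EP-CG/RTL8111FP-CG DASH function has hard-coded password. An unauthenticated physical attacker can use the hard-coded default password during system reboot triggered by other user, to acquire partial system information such as serial number... read CVE-2022-32967
    Published: November 28, 2022; 11:15:10 PM -0500

    V3.1: 2.1 LOW

  • CVE-2022-3865 - The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin
    Published: November 28, 2022; 9:15:18 AM -0500

    V3.1: 8.8 HIGH
"""

# One bullet: ID, " - ", summary, a Published line, then a "V<ver>: <score> <LABEL>" line.
ENTRY_RE = re.compile(
    r"•\s+(?P<cve>CVE-\d{4}-\d{4,})\s+-\s+(?P<summary>.*?)\n"
    r"\s*Published:\s+(?P<published>[^\n]+?)\s*\n"
    r"\s*V(?P<version>\d\.\d):\s+(?P<score>\d+(?:\.\d)?)\s+(?P<severity>[A-Z]+)",
    re.DOTALL,
)
# Link residue the listing appends when it cuts a summary short.
TRUNCATED_RE = re.compile(r"\.\.\.\s*read (CVE-\d{4}-\d{4,})$")
PUBLISHED_FMT = "%B %d, %Y; %I:%M:%S %p %z"


def severity_for(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def parse_listing(text: str) -> list[Entry]:
    entries = []
    for m in ENTRY_RE.finditer(text):
        summary = m["summary"].strip()
        truncated = False
        cut = TRUNCATED_RE.search(summary)
        if cut:
            # Keep the ellipsis (it marks an elided summary), drop the link text.
            truncated = True
            summary = summary[: cut.start()].rstrip() + "..."
        entries.append(Entry(
            cve=m["cve"],
            summary=summary,
            published=datetime.strptime(m["published"].strip(), PUBLISHED_FMT),
            cvss_version=m["version"],
            score=float(m["score"]),
            severity=m["severity"],
            truncated=truncated,
        ))
    return entries


def label_mismatches(entries: list[Entry]) -> list[str]:
    """IDs whose printed label disagrees with the band their score falls in."""
    return [e.cve for e in entries if e.severity != severity_for(e.score)]


def triage(entries: list[Entry], min_score: float = 7.0) -> list[Entry]:
    """Entries at or above the threshold, highest score first, newest first on ties."""
    return sorted((e for e in entries if e.score >= min_score),
                  key=lambda e: (e.score, e.published), reverse=True)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print("label mismatches:", label_mismatches(parsed))
    for e in triage(parsed):
        flag = " (summary truncated; fetch the full record)" if e.truncated else ""
        print(f"{e.cve} {e.score} {e.severity} {e.published:%Y-%m-%d}{flag}")
```

The truncation flag matters in practice: a cut-off summary is not a basis for a triage decision, so entries carrying it should be resolved against the full record before anyone acts on them, and the label check guards against the feed consumer silently trusting a label that does not match its score.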