Total
2183 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36010 | 1 React Editable Json Tree Project | 1 React Editable Json Tree | 2024-11-21 | N/A | 10.0 CRITICAL |
| This library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/components/JsonFunctionValue.js). To do this, Javascript's [`eval`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) function is used to execute strings that begin with "function" as Javascript. This unfortunately could allow arbitrary code to be executed if it exists as a value within the JSON structure being displayed. Given that this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous. One important note is that users who have defined a custom [`onSubmitValueParser`](https://github.com/oxyno-zeta/react-editable-json-tree/tree/09a0ca97835b0834ad054563e2fddc6f22bc5d8c#onsubmitvalueparser) callback prop on the [`JsonTree`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/JsonTree.js) component should be ***unaffected***. This vulnerability exists in the default `onSubmitValueParser` prop which calls [`parse`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/master/src/utils/parse.js#L30). Prop is added to `JsonTree` called `allowFunctionEvaluation`. This prop will be set to `true` in v2.2.2, which allows upgrade without losing backwards-compatibility. In v2.2.2, we switched from using `eval` to using [`Function`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) to construct anonymous functions. This is better than `eval` for the following reasons: - Arbitrary code should not be able to execute immediately, since the `Function` constructor explicitly *only creates* anonymous functions - Functions are created without local closures, so they only have access to the global scope If you use: - **Version `<2.2.2`**, you must upgrade as soon as possible. - **Version `^2.2.2`**, you must explicitly set `JsonTree`'s `allowFunctionEvaluation` prop to `false` to fully mitigate this vulnerability. - **Version `>=3.0.0`**, `allowFunctionEvaluation` is already set to `false` by default, so no further steps are necessary. | |||||
| CVE-2022-35975 | 1 Weave | 1 Gitops Tools | 2024-11-21 | N/A | 9.0 CRITICAL |
| The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using the VSCode extension to manage clusters that are shared amongst other users are affected by this issue. The only safe mitigation is to update to the latest version of the extension. | |||||
| CVE-2022-35912 | 1 Grails | 1 Grails | 2024-11-21 | N/A | 9.8 CRITICAL |
| In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader. | |||||
| CVE-2022-35744 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | |||||
| CVE-2022-35643 | 1 Ibm | 1 Powervm Virtual I\/o Server | 2024-11-21 | N/A | 9.1 CRITICAL |
| IBM PowerVM VIOS 3.1 could allow a remote attacker to tamper with system configuration or cause a denial of service. IBM X-Force ID: 230956. | |||||
| CVE-2022-35620 | 1 Dlink | 2 Dir-818l, Dir-818l Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| D-LINK DIR-818LW A1:DIR818L_FW105b01 was discovered to contain a remote code execution (RCE) vulnerability via the function binary.soapcgi_main. | |||||
| CVE-2022-35619 | 1 Dlink | 2 Dir-818l, Dir-818l Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| D-LINK DIR-818LW A1:DIR818L_FW105b01 was discovered to contain a remote code execution (RCE) vulnerability via the function ssdpcgi_main. | |||||
| CVE-2022-35201 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Tenda-AC18 V15.03.05.05 was discovered to contain a remote command execution (RCE) vulnerability. | |||||
| CVE-2022-34983 | 1 Scu-captcha Project | 1 Scu-captcha | 2024-11-21 | N/A | 9.8 CRITICAL |
| The scu-captcha package in PyPI v0.0.1 to v0.0.4 included a code execution backdoor inserted by a third party. | |||||
| CVE-2022-34982 | 1 Eziod Project | 1 Eziod | 2024-11-21 | N/A | 9.8 CRITICAL |
| The eziod package in PyPI before v0.0.1 included a code execution backdoor inserted by a third party. | |||||
| CVE-2022-34981 | 1 Pycrowdtangle Project | 1 Pycrowdtangle | 2024-11-21 | N/A | 9.8 CRITICAL |
| The PyCrowdTangle package in PyPI before v0.0.1 included a code execution backdoor inserted by a third party. | |||||
| CVE-2022-34722 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34721. | |||||
| CVE-2022-34721 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34722. | |||||
| CVE-2022-34718 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| Windows TCP/IP Remote Code Execution Vulnerability. | |||||
| CVE-2022-34598 | 1 H3c | 2 Magic R100, Magic R100 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The udpserver in H3C Magic R100 V200R004 and V100R005 has the 9034 port opened, allowing attackers to execute arbitrary commands. | |||||
| CVE-2022-34577 | 1 Wavlink | 2 Wn535g3, Wn535g3 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| A vulnerability in adm.cgi of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to execute arbitrary code via a crafted POST request. | |||||
| CVE-2022-34558 | 4 Global-workqueue Project, Reqmgr2 Project, Reqmon Project and 1 more | 4 Global-workqueue, Reqmgr2, Reqmon and 1 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted dbs-client package. | |||||
| CVE-2022-34555 | 1 Tp-link | 2 Tl-r473g, Tl-r473g Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| TP-LINK TL-R473G 2.0.1 Build 220529 Rel.65574n was discovered to contain a remote code execution vulnerability which is exploited via a crafted packet. | |||||
| CVE-2022-34531 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A | 9.8 CRITICAL |
| DedeCMS v5.7.95 was discovered to contain a remote code execution (RCE) vulnerability via the component mytag_ main.php. | |||||
| CVE-2022-34509 | 1 Wikifaces Project | 1 Wikifaces | 2024-11-21 | N/A | 9.8 CRITICAL |
| The wikifaces package in PyPI v1.0 included a code execution backdoor inserted by a third party. | |||||