聚合 NVD、CVE 及多源情报,深度解析 RCE 等高危风险。系统集成 CVSS 与 EPSS 模型,动态追踪 Exploit 资源与 PoC 公开状态,研判可利用性。结合官方补丁与修复方案,优化漏洞管理优先级,缩短响应周期,保障资产安全。
分配机构(CNA / 来源):[email protected] 移除此筛选
| CVE | 描述 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|
| CVE-2022-22701 | PartKeepr versions up to v1.4.0, loads attachments using a URL while creating a part and allows the use of the 'file://' URI scheme, allowing an authenticated user to read local files. | 6.5 | 0.38% | 2022-01-10 | 2024-11-21 |
| CVE-2022-22702 | PartKeepr versions up to v1.4.0, in the functionality to upload attachments using a URL when creating a part does not validate that requests can be made to local ports, allowing an authenticated user to carry out SSRF attacks and port enumeration. | 4.3 | 0.16% | 2022-01-10 | 2024-11-21 |
| CVE-2022-23045 | PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS. | 4.8 | 0.44% | 2022-01-19 | 2024-11-21 |
| CVE-2022-23046 | PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php | 7.2 | 48.98% | 2022-01-19 | 2024-11-21 |
| CVE-2022-23047 | Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site" | 4.8 | 0.52% | 2022-02-09 | 2024-11-21 |
| CVE-2022-23048 | Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands. | 7.2 | 4.58% | 2022-02-09 | 2024-11-21 |
| CVE-2022-23049 | Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session. | 5.4 | 0.50% | 2022-02-09 | 2024-11-21 |
| CVE-2022-23043 | Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server. | 7.2 | 0.58% | 2022-02-24 | 2024-11-21 |
| CVE-2022-22700 | CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant. | 5.3 | 0.26% | 2022-03-03 | 2024-11-21 |
| CVE-2022-23051 | PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code while adding an 'Attack Tree' by modifying the 'svg_file' parameter. | 5.4 | 0.23% | 2022-03-03 | 2024-11-21 |
| CVE-2022-23052 | PeteReport Version 0.5 contains a Cross Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings on the application. | 6.5 | 0.05% | 2022-03-03 | 2024-11-21 |
| CVE-2022-25220 | PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code inside the markdown descriptions while creating a product, report or finding. | 4.8 | 0.32% | 2022-03-03 | 2024-11-21 |
| CVE-2022-25225 | Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter. It is also possible to achieve remote code execution in the default installation (PostgreSQL) by exploiting this issue. | 7.2 | 4.43% | 2022-03-10 | 2024-11-21 |
| CVE-2022-25221 | Money Transfer Management System Version 1.0 allows an attacker to inject JavaScript code in the URL and then trick a user into visit the link in order to execute JavaScript code. | 6.1 | 0.23% | 2022-03-23 | 2024-11-21 |
| CVE-2022-25222 | Money Transfer Management System Version 1.0 allows an unauthenticated user to inject SQL queries in 'admin/maintenance/manage_branch.php' and 'admin/maintenance/manage_fee.php' via the 'id' parameter. | 9.8 | 2.73% | 2022-03-23 | 2024-11-21 |
| CVE-2022-25223 | Money Transfer Management System Version 1.0 allows an authenticated user to inject SQL queries in 'mtms/admin/?page=transaction/view_details' via the 'id' parameter. | 4.3 | 0.24% | 2022-03-23 | 2024-11-21 |
| CVE-2022-25226 | ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server. | 10.0 | 81.89% | 2022-04-18 | 2024-11-21 |
| CVE-2022-25229 | Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands. | 5.4 | 0.25% | 2022-05-20 | 2024-11-21 |
| CVE-2022-25224 | Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands. | 5.4 | 0.34% | 2022-05-20 | 2024-11-21 |
| CVE-2022-25227 | Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE. | 8.8 | 0.21% | 2022-05-20 | 2024-11-21 |