Exploit Intelligence Platform – 370K+ CVEs, Ranked Exploits & EPSS Scores

CVE-2022-23950 7.5 HIGH 1 Writeup EPSS 0.00

Keylime <6.3.0 - Privilege Escalation

In Keylime before 6.3.0, Revocation Notifier uses a fixed /tmp path for UNIX domain socket which can allow unprivileged users a method to prohibit keylime operations.

CWE-379 Sep 21, 2022

CVE-2022-40234 5.9 MEDIUM EPSS 0.00

IBM Spectrum Protect Plus < 10.1.12 - Exposure to Wrong Actor

Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus. If this generated .crt file is shared, an attacker can obtain the private key information for the uploaded certificate. IBM X-Force ID: 235718.

CWE-668 Sep 19, 2022

CVE-2022-34867 7.3 HIGH EPSS 0.01

WP Libre Form < 2.0.8 - Information Disclosure

Unauthenticated Sensitive Information Disclosure vulnerability in WP Libre Form 2 plugin <= 2.0.8 at WordPress allows attackers to list and delete submissions. Affects only versions from 2.0.0 to 2.0.8.

CWE-200 Sep 06, 2022

CVE-2022-2403 6.5 MEDIUM EPSS 0.00

Redhat Openshift - Exposure to Wrong Actor

A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.

CWE-668 Sep 01, 2022

CVE-2022-1902 8.8 HIGH EPSS 0.01

Red Hat Advanced Cluster Security - Privilege Escalation

A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.

CWE-668 Sep 01, 2022

CVE-2022-0852 5.5 MEDIUM 1 Writeup EPSS 0.00

Convert2rhel < 0.26 - Exposure to Wrong Actor

There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line via e.g. htop or ps. The specific impact varies upon the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of how the password is supplied to convert2rhel.

CWE-359 Aug 29, 2022

CVE-2021-3859 7.5 HIGH 1 Writeup EPSS 0.00

Undertow - DoS

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

CWE-214 Aug 26, 2022

CVE-2022-29850 8.1 HIGH EPSS 0.01

Lexmark B2236 Firmware < mslsg.081.014 - Exposure to Wrong Actor

Various Lexmark products through 2022-04-27 allow an attacker who has already compromised an affected Lexmark device to maintain persistence across reboots.

CWE-20 Aug 26, 2022

CVE-2022-2610 6.5 MEDIUM EPSS 0.00

Google Chrome <104.0.5112.79 - Info Disclosure

Insufficient policy enforcement in Background Fetch in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CWE-668 Aug 12, 2022

CVE-2021-0734 5.5 MEDIUM EPSS 0.00

Android <13 - Info Disclosure

In Settings, there is a possible way to determine whether an app is installed without query permissions, due to side channel information disclosure. This could lead to local information disclosure of an installed package, without proper query permissions, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-189122911

CWE-668 Aug 11, 2022

CVE-2022-35936 8.2 HIGH 1 Writeup EPSS 0.00

Ethermint <0.17.2 - Info Disclosure

Ethermint is an Ethereum library. In Ethermint running versions before `v0.17.2`, the contract `selfdestruct` invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in the `DeleteAccount`function, all contracts that used the identical bytecode (i.e shared the same `CodeHash`) will also stop working once one contract invokes `selfdestruct`, even though the other contracts did not invoke the `selfdestruct` OPCODE. This vulnerability has been patched in Ethermint version v0.18.0. The patch has state machine-breaking changes for applications using Ethermint, so a coordinated upgrade procedure is required. A workaround is available. If a contract is subject to DoS due to this issue, the user can redeploy the same contract, i.e. with identical bytecode, so that the original contract's code is recovered. The new contract deployment restores the `bytecode hash -> bytecode` entry in the internal state.

CWE-668 Aug 05, 2022

CVE-2022-1875 4.3 MEDIUM EPSS 0.00

Google Chrome <102.0.5005.61 - Info Disclosure

Inappropriate implementation in PDF in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CWE-668 Jul 27, 2022

CVE-2022-1873 6.5 MEDIUM EPSS 0.00

Google Chrome <102.0.5005.61 - Info Disclosure

Insufficient policy enforcement in COOP in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CWE-668 Jul 27, 2022

CVE-2022-1637 4.3 MEDIUM EPSS 0.00

Google Chrome < 101.0.4951.64 - Exposure to Wrong Actor

Inappropriate implementation in Web Contents in Google Chrome prior to 101.0.4951.64 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CWE-668 Jul 26, 2022

CVE-2022-1501 6.5 MEDIUM EPSS 0.00

Google Chrome < 101.0.4951.41 - Exposure to Wrong Actor

Inappropriate implementation in iframe in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CWE-668 Jul 26, 2022

CVE-2022-1498 4.3 MEDIUM EPSS 0.00

Google Chrome < 101.0.4951.41 - Exposure to Wrong Actor

Inappropriate implementation in HTML Parser in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CWE-668 Jul 26, 2022

CVE-2022-1488 4.3 MEDIUM EPSS 0.00

Google Chrome < 101.0.4951.41 - Exposure to Wrong Actor

Inappropriate implementation in Extensions API in Google Chrome prior to 101.0.4951.41 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension.

CWE-668 Jul 26, 2022

CVE-2022-1137 6.5 MEDIUM EPSS 0.00

Google Chrome < 100.0.4896.60 - Exposure to Wrong Actor

Inappropriate implementation in Extensions in Google Chrome prior to 100.0.4896.60 allowed an attacker who convinced a user to install a malicious extension to leak potentially sensitive information via a crafted HTML page.

CWE-668 Jul 23, 2022

CVE-2022-34047 7.5 HIGH 1 PoC Analysis NUCLEI EPSS 0.59

Wavlink WN530HG4 M30HG4.V5030.191116 - Info Disclosure

An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd].

CWE-668 Jul 20, 2022

CVE-2022-23825 6.5 MEDIUM EPSS 0.00

AMD Processors - Info Disclosure

Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure.

CWE-668 Jul 14, 2022

CVE & Exploit Intelligence Database

Investigate

Ecosystems

Reference Indexes

Recent Blog Posts

CVEForge Labs

KEV Gaps