Total: 34640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-31742 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 6.5 MEDIUM | An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. |
| CVE-2022-45186 | 1 Salesagility | 1 Suitecrm | 2025-04-15 | N/A | 8.1 HIGH | An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database. |
| CVE-2022-34483 | 1 Mozilla | 1 Firefox | 2025-04-15 | N/A | 8.8 HIGH | An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482. This vulnerability affects Firefox < 102. |
| CVE-2022-34482 | 1 Mozilla | 1 Firefox | 2025-04-15 | N/A | 8.8 HIGH | An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483. This vulnerability affects Firefox < 102. |
| CVE-2025-2954 | 1 Mannaandpoem | 1 Openmanus | 2025-04-15 | 1.7 LOW | 3.3 LOW | A vulnerability, which was classified as problematic, was found in mannaandpoem OpenManus up to 2025.3.13. This affects the function execute of the file app/tool/file_saver.py of the component File Handler. The manipulation leads to improper access controls. Local access is required for this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2022-40957 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 6.5 MEDIUM | Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash. *This bug only affects Firefox on ARM64 platforms.* This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. |
| CVE-2022-36319 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 7.5 HIGH | When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12. |
| CVE-2022-36317 | 2 Google, Mozilla | 2 Android, Firefox | 2025-04-15 | N/A | 6.5 MEDIUM | When visiting a website with an overly long URL, the user interface would start to hang. Due to session restore, this could lead to a permanent Denial of Service. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 103. |
| CVE-2022-42929 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 6.5 MEDIUM | If a website called `window.print()` in a particular way, it could cause a denial of service of the browser, which may persist beyond browser restart depending on the user's session restore settings. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. |
| CVE-2022-40899 | 1 Pythoncharmers | 1 Python-future | 2025-04-15 | N/A | 7.5 HIGH | An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via a crafted Set-Cookie header from a malicious web server. |
| CVE-2022-40898 | 1 Wheel Project | 1 Wheel | 2025-04-15 | N/A | 7.5 HIGH | An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker-controlled input to the wheel CLI. |
| CVE-2022-3155 | 2 Apple, Mozilla | 2 Macos, Thunderbird | 2025-04-15 | N/A | 7.8 HIGH | When saving or opening an email attachment on macOS, Thunderbird did not set the attribute com.apple.quarantine on the received file. If the received file was an application and the user attempted to open it, then the application was started immediately without asking the user to confirm. This vulnerability affects Thunderbird < 102.3. |
| CVE-2022-29915 | 1 Mozilla | 1 Firefox | 2025-04-15 | N/A | 4.3 MEDIUM | The Performance API did not properly hide whether a request for a cross-origin resource had observed redirects. This vulnerability affects Firefox < 100. |
| CVE-2022-46871 | 2 Debian, Mozilla | 2 Debian Linux, Firefox | 2025-04-15 | N/A | 8.8 HIGH | An out-of-date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This vulnerability affects Firefox < 108. |
| CVE-2022-45415 | 1 Mozilla | 1 Firefox | 2025-04-15 | N/A | 7.8 HIGH | When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later run. This vulnerability affects Firefox < 107. |
| CVE-2022-45410 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 6.5 MEDIUM | When a ServiceWorker intercepted a request with `FetchEvent`, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. |
| CVE-2022-31736 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 9.8 CRITICAL | A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. |
| CVE-2022-29916 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 6.5 MEDIUM | Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. |
| CVE-2022-46877 | 2 Debian, Mozilla | 2 Debian Linux, Firefox | 2025-04-15 | N/A | 4.3 MEDIUM | By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108. |
| CVE-2022-46875 | 2 Apple, Mozilla | 4 Macos, Firefox, Firefox Esr and 1 more | 2025-04-15 | N/A | 6.5 MEDIUM | The executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user's computer. *Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. |
| CVE-2022-46874 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 8.8 HIGH | A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially have led to user confusion and the execution of malicious code. *Note*: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird ... |
| CVE-2022-46872 | 2 Linux, Mozilla | 4 Linux Kernel, Firefox, Firefox Esr and 1 more | 2025-04-15 | N/A | 8.6 HIGH | An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages. *This bug only affects Thunderbird for Linux. Other operating systems are unaffected.* This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. |
| CVE-2022-44014 | 1 Simmeth | 1 Lieferantenmanager | 2025-04-15 | N/A | 6.5 MEDIUM | An issue was discovered in Simmeth Lieferantenmanager before 5.6. In the design of the API, a user is inherently able to fetch arbitrary SQL tables. This leaks all user passwords and MSSQL hashes via /DS/LM_API/api/SelectionService/GetPaggedTab. |
| CVE-2022-28229 | 1 Userver | 1 Userver | 2025-04-15 | N/A | 7.5 HIGH | The hash functionality in userver before 42059b6319661583b3080cab9b595d4f8ac48128 allows attackers to cause a denial of service via a crafted HTTP request involving collisions. |
| CVE-2017-20022 | 1 Solar-log | 16 Solar-log 1000, Solar-log 1000 Firmware, Solar-log 1000 Pm+ and 13 more | 2025-04-15 | 5.0 MEDIUM | 7.5 HIGH | A vulnerability has been found in Solare Solar-Log 2.8.4-56/3.5.2-85 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to information disclosure. The attack can be initiated remotely. Upgrading to version 3.5.3-86 addresses this issue. It is recommended to upgrade the affected component. |
| CVE-2022-4515 | 2 Debian, Exuberant Ctags Project | 2 Debian Linux, Exuberant Ctags | 2025-04-14 | N/A | 7.8 HIGH | A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename, specified on the command line or in the configuration file, results in arbitrary command execution because externalSortTags() in sort.c calls the system(3) function in an unsafe way. |
| CVE-2022-4287 | 1 Devolutions | 1 Remote Desktop Manager | 2025-04-14 | N/A | 8.8 HIGH | Authentication bypass in the local application lock feature in Devolutions Remote Desktop Manager 2022.3.26 and earlier on Windows allows a malicious user to access the application. |
| CVE-2022-4130 | 1 Redhat | 1 Satellite | 2025-04-14 | N/A | 4.5 MEDIUM | A blind site-to-site request forgery vulnerability was found in Satellite server. It is possible to trigger an external interaction to an attacker's server by modifying the Referer header in an HTTP request for specific resources on the server. |
| CVE-2021-35954 | 1 Fastrack | 2 Reflex 2.0, Reflex 2.0 Firmware | 2025-04-14 | N/A | 8.1 HIGH | fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows physically proximate attackers to dump the firmware, flash custom malicious firmware, and brick the device via the Serial Wire Debug (SWD) feature. |
| CVE-2021-35953 | 1 Fastrack | 2 Reflex 2.0, Reflex 2.0 Firmware | 2025-04-14 | N/A | 7.5 HIGH | fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a remote attacker to cause a Denial of Service (device outage) via crafted choices of the last three bytes of a characteristic value. |
| CVE-2021-35952 | 1 Fastrack | 2 Reflex 2.0, Reflex 2.0 Firmware | 2025-04-14 | N/A | 5.3 MEDIUM | fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a remote attacker to change the time, date, and month via Bluetooth LE Characteristics on handle 0x0017. |
| CVE-2021-35951 | 1 Fastrack | 2 Reflex 2.0, Reflex 2.0 Firmware | 2025-04-14 | N/A | 7.5 HIGH | fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows an unauthenticated remote attacker to send a malicious firmware update via BLE and brick the device. |
| CVE-2018-16135 | 1 Opera | 1 Opera Mini | 2025-04-14 | N/A | 6.5 MEDIUM | The Opera Mini application 47.1.2249.129326 for Android allows remote attackers to spoof the Location Permission dialog via a crafted web site. |
| CVE-2019-18177 | 1 Citrix | 3 Application Delivery Controller, Application Delivery Controller Firmware, Gateway | 2025-04-14 | N/A | 6.5 MEDIUM | In certain Citrix products, information disclosure can be achieved by an authenticated VPN user when there is a configured SSL VPN endpoint. This affects Citrix ADC and Citrix Gateway 13.0-58.30 and later releases before the CTX276688 update. |
| CVE-2019-14802 | 1 Hashicorp | 1 Nomad | 2025-04-14 | N/A | 5.3 MEDIUM | HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template. |
| CVE-2020-11101 | 1 Sierrawireless | 1 Airlink Mobility Manager | 2025-04-14 | N/A | 9.8 CRITICAL | Sierra Wireless AirLink Mobility Manager (AMM) before 2.17 mishandles sessions and thus an unauthenticated attacker can obtain a login session with administrator privileges. |
| CVE-2019-19030 | 1 Linuxfoundation | 1 Harbor | 2025-04-14 | N/A | 5.3 MEDIUM | Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists. |
| CVE-2019-13988 | 1 Sierrawireless | 3 Airlink Mg90, Airlink Omg2000, Mgos | 2025-04-14 | N/A | 6.5 MEDIUM | Sierra Wireless MGOS before 3.15.2 and 4.x before 4.3 allows attackers to read log files via a Direct Request (aka Forced Browsing). |
| CVE-2022-41767 | 1 Mediawiki | 1 Mediawiki | 2025-04-14 | N/A | 5.3 MEDIUM | An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup. |
| CVE-2022-26969 | 1 Monospace | 1 Directus | 2025-04-14 | N/A | 9.8 CRITICAL | In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. |
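The CVE-2022-46874 entry above describes a filename that was cut at a length limit so that the legitimate trailing extension fell away and an attacker-placed extension became the last one. The following is an added example, not Mozilla's code: it puts the naive cut beside a truncation that shortens the stem and keeps the final extension. `NAME_MAX`, the function names and the sample filename are constructed for the example.

```python
"""Filename truncation that preserves the final extension.

Added illustration for the CVE-2022-46874 entry; this is not Mozilla code.
NAME_MAX and the sample filename are constructed for the example.
"""
import os

NAME_MAX = 255  # assumed per-component filename limit (typical for Linux/macOS filesystems)


def truncate_naive(name: str, limit: int = NAME_MAX) -> str:
    """Cut the name at `limit`, keeping whatever happens to precede the cut.

    This is the failure mode the advisory describes: the tail of the name,
    which holds the legitimate extension, is what gets dropped.
    """
    return name[:limit]


def truncate_keep_extension(name: str, limit: int = NAME_MAX) -> str:
    """Shorten the stem instead of the tail, so the final extension survives.

    Only the last extension decides how the OS opens the file, so it is kept
    verbatim; everything before it may be shortened.
    """
    stem, ext = os.path.splitext(name)
    if len(ext) >= limit:
        # The extension alone would not fit: refuse rather than silently
        # emit a name that opens as a different file type.
        raise ValueError("extension too long to preserve")
    return stem[: limit - len(ext)] + ext


def build_attack_name(limit: int = NAME_MAX) -> str:
    """Constructed sample input: the first `limit` characters end in `.exe`,
    while the real (last) extension is `.pdf`."""
    prefix, inner, real_ext = "quarterly_report", ".exe", ".pdf"
    padding = "_" * (limit - len(prefix) - len(inner))
    return prefix + padding + inner + real_ext


if __name__ == "__main__":
    name = build_attack_name()
    print("naive   :", truncate_naive(name)[-20:])
    print("hardened:", truncate_keep_extension(name)[-20:])
```

Run it and the naive result ends in `.exe` while the hardened one ends in `.pdf`, both within the limit. The check a download path needs is therefore not "is the name short enough" but "does the name still end in the extension it was given".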
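The CVE-2022-4515 entry above gives the root cause as a tag filename spliced into a command string passed to system(3). The following is an added example and not the ctags source: the `sort -o` command, the function names and the filename `tags; id` are assumptions chosen to show the same pattern. It tokenizes the command string the way `/bin/sh` would, so the injected second command is visible without anything being executed, and puts the argv-list form beside it.

```python
"""User-controlled filename through a shell command string vs. an argv list.

Added illustration for the CVE-2022-4515 entry; it is not the ctags source.
The `sort -o` command, the function names and the sample filename are
assumptions for the example. Nothing here runs a shell.
"""
import shlex
import subprocess


def build_shell_command(tag_file: str) -> str:
    """Vulnerable pattern: splice the filename into a string destined for
    /bin/sh, which is what system(3) (or shell=True) hands it to."""
    return f"sort -o {tag_file} {tag_file}"


def build_shell_command_quoted(tag_file: str) -> str:
    """If a shell string is unavoidable, quote each operand so the shell
    treats it as one word regardless of its contents."""
    quoted = shlex.quote(tag_file)
    return f"sort -o {quoted} {quoted}"


def shell_tokens(command: str) -> list:
    """Tokenize like /bin/sh would, with ; | & ( ) as separate operator
    tokens, to show what the shell would execute without executing it."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def build_argv(tag_file: str) -> list:
    """Hardened pattern: an argv list. The filename stays one argument no
    matter what characters it contains, because no shell ever parses it."""
    return ["sort", "-o", tag_file, tag_file]


def run_sort(tag_file: str) -> None:
    """Python analogue of fork/execvp: no shell=True, no string splicing."""
    subprocess.run(build_argv(tag_file), check=True)


if __name__ == "__main__":
    import os
    import tempfile

    evil = "tags; id"  # a ';' in a filename is legal, and that is the problem
    print(shell_tokens(build_shell_command(evil)))         # the shell sees 'id' as a second command
    print(shell_tokens(build_shell_command_quoted(evil)))  # one operand, as intended
    print(build_argv(evil))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, evil)
        with open(path, "w") as fh:
            fh.write("b\na\n")
        run_sort(path)  # executes sort directly; the ';' is just part of the path
        with open(path) as fh:
            print(fh.read().split())
```

The first tokenization yields `sort -o tags ; id tags ; id`: the shell would run `sort` and then `id`, which is the arbitrary command execution the entry describes. The argv form never lets a shell see the string, which is the fix to prefer over quoting, since quoting has to be remembered at every splice point.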