Total: 4422 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-1631 | 1 Microweber | 1 Microweber | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | User account pre-takeover or user account takeover in GitHub repository microweber/microweber prior to 1.2.15. Victim account takeover: since there is no email confirmation, an attacker can easily create an account in the application using the victim's email. This allows an attacker to gain pre-authentication to the victim's account. Further, due to the lack of proper validation of the email coming from Social Login and failing to check if an account already exists, the victim will not identify ... |
| CVE-2022-1553 | 1 Publify Project | 1 Publify | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM | Leaking of password-protected article content due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the Publify website, compromising the confidentiality and integrity of users' data. |
| CVE-2022-1521 | 1 Illumina | 8 Iseq 100, Local Run Manager, Miniseq and 5 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data. |
| CVE-2022-1261 | 1 Honeywell | 1 Matrikon Opc Server | 2024-11-21 | 9.0 HIGH | 5.8 MEDIUM | Matrikon, a subsidiary of Honeywell: Matrikon OPC Server (all versions) is vulnerable to a condition where a low-privileged user who is allowed to connect to the OPC server can use the functions of the IPersistFile interface to execute operating system processes with system-level privileges. |
| CVE-2022-1025 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin level. |
| CVE-2022-0824 | 1 Webmin | 1 Webmin | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | Improper Access Control leading to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990. |
| CVE-2022-0732 | 1 1byte | 9 Copy9, Exactspy, Fonetracker and 6 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. |
| CVE-2022-0731 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0. |
| CVE-2022-0727 | 1 Framasoft | 1 Peertube | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM | Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0. |
| CVE-2022-0574 | 1 Publify Project | 1 Publify | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM | Improper Access Control in GitHub repository publify/publify prior to 9.2.8. |
| CVE-2022-0541 | 1 Flothemes | 1 Flo-launch | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The flo-launch WordPress plugin before 2.4.1 injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flo_custom_table_prefix cookie to an arbitrary value. |
| CVE-2022-0405 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16. |
| CVE-2022-0273 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Improper Access Control in PyPI calibreweb prior to 0.6.16. |
| CVE-2022-0270 | 1 Mirantis | 1 Bored-agent | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Prior to v0.6.1, bored-agent failed to sanitize incoming Kubernetes impersonation headers, allowing a user to override their assigned user name and groups. |
| CVE-2022-0203 | 1 Craterapp | 1 Crater | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2. |
| CVE-2022-0170 | 1 Framasoft | 1 Peertube | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | peertube is vulnerable to Improper Access Control. |
| CVE-2022-0143 | 1 Forgerock | 1 Ldap Connector | 2024-11-21 | N/A | 9.3 CRITICAL | When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS). |
| CVE-2022-0133 | 1 Framasoft | 1 Peertube | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | peertube is vulnerable to Improper Access Control. |
| CVE-2021-4300 | 1 Halcyon Project | 1 Halcyon | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability has been found in ghostlander Halcyon and classified as critical. Affected by this vulnerability is the function CBlock::AddToBlockIndex of the file src/main.cpp of the component Block Verification. The manipulation leads to improper access controls. The attack can be launched remotely. Upgrading to version 1.1.1.0-hal is able to address this issue. The identifier of the patch is 0675b25ae9cc10b5fdc8ea3a32c642979762d45e. It is recommended to upgrade the affected component. The id ... |
| CVE-2021-4201 | 1 Forgerock | 1 Access Management | 2024-11-21 | 7.5 HIGH | 9.6 CRITICAL | Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions. |
| CVE-2021-4194 | 1 Bookstackapp | 1 Bookstack | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | bookstack is vulnerable to Improper Access Control. |
| CVE-2021-4119 | 1 Bookstackapp | 1 Bookstack | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | bookstack is vulnerable to Improper Access Control. |
| CVE-2021-4089 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | snipe-it is vulnerable to Improper Access Control. |
| CVE-2021-4037 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2024-11-21 | N/A | 7.8 HIGH | A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files for the XFS file system with an unintended group ownership and with the group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted in cases when they should not be. This vulnerability is similar to the pr ... |
| CVE-2021-4026 | 1 Bookstackapp | 1 Bookstack | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | bookstack is vulnerable to Improper Access Control. |
| CVE-2021-4016 | 1 Rapid7 | 1 Insight Agent | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM | Rapid7 Insight Agent, versions prior to 3.1.3, suffers from an improper access control vulnerability whereby the user has access to the snapshot directory. An attacker can access, read and copy any of the files in this directory, e.g. asset_info.json or file_info.json, leading to a loss of confidentiality. This issue was fixed in Rapid7 Insight Agent 3.1.3. |
| CVE-2021-47155 | | | 2024-11-21 | N/A | 9.1 CRITICAL | The Net::IPV4Addr module 0.10 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. |
| CVE-2021-46270 | 1 Jfrog | 1 Artifactory | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW | JFrog Artifactory before 7.31.10 is vulnerable to Broken Access Control where a project admin user is able to list all available repository names due to insufficient permission validation. |
| CVE-2021-45730 | 1 Jfrog | 1 Artifactory | 2024-11-21 | 4.0 MEDIUM | 6.0 MEDIUM | JFrog Artifactory prior to 7.31.10 is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts, while Repository Layouts configuration should only be available to Platform Administrators. |
| CVE-2021-45111 | 1 Odoo | 1 Odoo | 2024-11-21 | N/A | 8.1 HIGH | Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials. |
| CVE-2021-45074 | 1 Jfrog | 1 Artifactory | 2024-11-21 | 5.5 MEDIUM | 4.3 MEDIUM | JFrog Artifactory before 7.29.3 and 6.23.38 is vulnerable to Broken Access Control: a low-privileged user is able to delete other known users' OAuth tokens, which will force a reauthentication on an active session or in the next UI session. |
| CVE-2021-45034 | 1 Siemens | 8 Cp-8000 Master Module With I/O -25/+70, Cp-8000 Master Module With I/O -25/+70 Firmware, Cp-8000 Master Module With I/O -40/+70 and 5 more | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH | A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70°C (All versions < V16.20), CP-8000 MASTER MODULE WITH I/O -40/+70°C (All versions < V16.20), CP-8021 MASTER MODULE (All versions < V16.20), CP-8022 MASTER MODULE WITH GPRS (All versions < V16.20). The web server of the affected system allows access to logfiles and diagnostic data generated by a privileged user. An unauthenticated attacker could access the files by knowing the corresponding download links. |
| CVE-2021-44776 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2024-11-21 | N/A | 6.5 MEDIUM | A broken access control vulnerability in the SubNet_handler_func function of spx_restservice allows an attacker to arbitrarily change the security access rights to KVM and Virtual Media functionalities. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. |
| CVE-2021-44467 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2024-11-21 | N/A | 5.3 MEDIUM | A broken access control vulnerability in the KillDupUsr_func function of spx_restservice allows an attacker to arbitrarily terminate active sessions of other users, causing a Denial-of-Service (DoS) condition, if an input parameter is correctly guessed. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. |
| CVE-2021-44460 | 1 Odoo | 1 Odoo | 2024-11-21 | N/A | 6.5 MEDIUM | Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests. |
| CVE-2021-43986 | 1 Fanuc | 1 Roboguide | 2024-11-21 | 4.4 MEDIUM | 6.0 MEDIUM | The setup program for the affected product configures its files and folders with full access, which may allow unauthorized users permission to replace original binaries and achieve privilege escalation. |
| CVE-2021-42855 | 1 Riverbed | 1 Steelcentral Appinternals Dynamic Sampling Agent | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) uses the ".debug_command.config" file to store a JSON string that contains a list of IDs and pre-configured commands. The config file is subsequently used by the "/api/appInternals/1.0/agent/configuration" API to map the corresponding ID to a command to be executed. |
| CVE-2021-42808 | 2 Microsoft, Thalesgroup | 2 Windows, Sentinel Protection Installer | 2024-11-21 | 7.2 HIGH | 6.5 MEDIUM | Improper Access Control in Thales Sentinel Protection Installer could allow a local user to escalate privileges. |
| CVE-2021-42360 | 1 Brainstormforce | 1 Starter Templates | 2024-11-21 | 3.5 LOW | 7.6 HIGH | On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url ... |
| CVE-2021-42359 | 1 Legalweb | 1 Wp Dsgvo Tools | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH | WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, 'admin-dismiss-unsubscribe', which lacked a capability check and a nonce check, was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the "action" parameter set to "admin-dismiss-unsubscribe" and the "id" parameter set to the post to be deleted. Sending s ... |