Total
1062 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-22288 | 1 Samsung | 1 Galaxy Store | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 allows remote app installation of the allowlist.
|
|||||
| CVE-2022-22272 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
|
Improper authorization in TelephonyManager prior to SMR Jan-2022 Release 1 allows attackers to get IMSI without READ_PRIVILEGED_PHONE_STATE permission
|
|||||
| CVE-2022-22269 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
|
Keeping sensitive data in unprotected BluetoothSettingsProvider prior to SMR Jan-2022 Release 1 allows untrusted applications to get a local Bluetooth MAC address.
|
|||||
| CVE-2022-22268 | 1 Google | 1 Android | 2024-11-21 | 3.6 LOW | 6.1 MEDIUM |
|
Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 allows physically proximate attackers to temporary unlock the Knox Guard via Samsung DeX mode.
|
|||||
| CVE-2022-22267 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
|
Implicit Intent hijacking vulnerability in ActivityMetricsLogger prior to SMR Jan-2022 Release 1 allows attackers to get running application information.
|
|||||
| CVE-2022-21196 | 1 Airspan | 9 A5x, A5x Firmware, C5c and 6 more | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
|
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization and authentication checks on multiple API routes. An attacker may gain access to these API routes and achieve remote code execution, create a denial-of-service condition, and obtain sensitive information.
|
|||||
| CVE-2022-20921 | 1 Cisco | 1 Aci Multi-site Orchestrator | 2024-11-21 | N/A | 8.8 HIGH |
|
A vulnerability in the API implementation of Cisco ACI Multi-Site Orchestrator (MSO) could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability is due to improper authorization on specific APIs. An attacker could exploit this vulnerability by sending crafted HTTP requests. A successful exploit could allow an attacker who is authenticated with non-Administrator privileges to elevate to Administrator privileges on an affected device.
|
|||||
| CVE-2022-1224 | 1 Phpipam | 1 Phpipam | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
|
|||||
| CVE-2022-0860 | 2 Cobbler Project, Fedoraproject | 2 Cobbler, Fedora | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.
|
|||||
| CVE-2022-0829 | 1 Webmin | 1 Webmin | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Improper Authorization in GitHub repository webmin/webmin prior to 1.990.
|
|||||
| CVE-2022-0821 | 1 Orchardcore | 1 Orchardcore | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Improper Authorization in GitHub repository orchardcms/orchardcore prior to 1.3.0.
|
|||||
| CVE-2022-0587 | 1 Librenms | 1 Librenms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Improper Authorization in Packagist librenms/librenms prior to 22.2.0.
|
|||||
| CVE-2022-0406 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
|
|||||
| CVE-2022-0027 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An improper authorization vulnerability in Palo Alto Network Cortex XSOAR software enables authenticated users in non-Read-Only groups to generate an email report that contains summary information about all incidents in the Cortex XSOAR instance, including incidents to which the user does not have access. This issue impacts: All versions of Cortex XSOAR 6.1; All versions of Cortex XSOAR 6.2; All versions of Cortex XSOAR 6.5; Cortex XSOAR 6.6 versions earlier than Cortex XSOAR 6.6.0 build 6.6.0.2 ...
Show More |
|||||
| CVE-2021-44204 | 2 Acronis, Microsoft | 5 Agent, Cyber Protect, Cyber Protect Home Office and 2 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
Local privilege escalation via named pipe due to improper access control checks. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acronis Cyber Protect Home Office (Windows) before build 39612, Acronis True Image 2021 (Windows) before build 39287
|
|||||
| CVE-2021-43939 | 1 Smartptt | 1 Smartptt Scada | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
Elcomplus SmartPTT is vulnerable when a low-authenticated user can access higher level administration authorization by issuing requests directly to the desired endpoints.
|
|||||
| CVE-2021-43847 | 1 Humhub | 1 Humhub | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue.
|
|||||
| CVE-2021-42338 | 1 4mosan | 1 Gcb Doctor | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload and execution of arbitrary files.
|
|||||
| CVE-2021-42337 | 1 Aifu | 1 Cashier Accounting Management System | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL parameters.
|
|||||
| CVE-2021-42336 | 1 Huaju | 1 Easytest Online Learning Test Platform | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The learning history page of the Easytest is vulnerable by permission bypass. After obtaining a user’s permission, remote attackers can access other users’ and administrator’s account information except password by crafting URL parameters.
|
|||||
| CVE-2021-42332 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The “List View” function of ShinHer StudyOnline System is not under authority control. After logging in with user’s privilege, remote attackers can access the content of other users’ message boards by crafting URL parameters.
|
|||||
| CVE-2021-42331 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
The “Study Edit” function of ShinHer StudyOnline System does not perform permission control. After logging in with user’s privilege, remote attackers can access and edit other users’ tutorial schedule by crafting URL parameters.
|
|||||
| CVE-2021-42330 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2024-11-21 | 5.5 MEDIUM | 8.8 HIGH |
|
The “Teacher Edit” function of ShinHer StudyOnline System does not perform authority control. After logging in with user’s privilege, remote attackers can access and edit other users’ credential and personal information by crafting URL parameters.
|
|||||
| CVE-2021-42126 | 1 Ivanti | 1 Avalanche | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.
|
|||||
| CVE-2021-42000 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
|
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password.
|
|||||
| CVE-2021-41976 | 1 Tad Uploader Project | 1 Tad Uploader | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in.
|
|||||
| CVE-2021-41975 | 1 Tadtools Project | 1 Tadtools | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
|
TadTools special page is vulnerable to authorization bypass, thus remote attackers can use the specific parameter to delete arbitrary files in the system without logging in.
|
|||||
| CVE-2021-41974 | 1 Tad Book3 Project | 1 Tad Book3 | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Tad Book3 editing book page does not perform identity verification. Remote attackers can use the vulnerability to view and modify arbitrary content of books without permission.
|
|||||
| CVE-2021-41568 | 1 Tad Web Project | 1 Tad Web | 2024-11-21 | 6.4 MEDIUM | 5.3 MEDIUM |
|
Tad Web is vulnerable to authorization bypass, thus remote attackers can exploit the vulnerability to use the original function of viewing bulletin boards and uploading files in the system.
|
|||||
| CVE-2021-41564 | 1 Tad Honor Project | 1 Tad Honor | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Tad Honor viewing book list function is vulnerable to authorization bypass, thus remote attackers can use special parameters to delete articles arbitrarily without logging in.
|
|||||
| CVE-2021-41313 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20.7.
|
|||||
| CVE-2021-41308 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.
|
|||||
| CVE-2021-41137 | 1 Minio | 1 Minio | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to rele ...
Show More |
|||||
| CVE-2021-41100 | 1 Wire | 1 Wire-server | 2024-11-21 | 7.5 HIGH | 7.4 HIGH |
|
Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as means of authentication by the client for less critical requests to the backend, the ability to change the email address with a short-lived token constitutes a privilege escalation attack. Since the attacker can change t ...
Show More |
|||||
| CVE-2021-41093 | 1 Wire | 1 Wire | 2024-11-21 | 7.5 HIGH | 7.4 HIGH |
|
Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together.
|
|||||
| CVE-2021-3837 | 1 Openwhyd | 1 Openwhyd | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
openwhyd is vulnerable to Improper Authorization
|
|||||
| CVE-2021-3616 | 1 Lenovo | 6 Smart Camera C2e, Smart Camera C2e Firmware, Smart Camera X3 and 3 more | 2024-11-21 | 7.5 HIGH | 9.4 CRITICAL |
|
A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow an unauthorized user to view device information, alter firmware content and device configuration. This vulnerability is the same as CNVD-2020-68651.
|
|||||
| CVE-2021-3049 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2024-11-21 | 4.0 MEDIUM | 2.6 LOW |
|
An improper authorization vulnerability in the Palo Alto Networks Cortex XSOAR server enables an authenticated network-based attacker with investigation read permissions to download files from incident investigations of which they are aware but are not a part of. This issue impacts: All Cortex XSOAR 5.5.0 builds; Cortex XSOAR 6.1.0 builds earlier than 12099345. This issue does not impact Cortex XSOAR 6.2.0 versions.
|
|||||
| CVE-2021-3044 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API. This issue impacts: Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064; Cortex XSOAR 6.2.0 builds earlier than 1271065. This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions. All Cortex XSOAR instanc ...
Show More |
|||||
| CVE-2021-39341 | 1 Optinmonster | 1 Optinmonster | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.
|
|||||