Total
4065 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26136 | 1 Atlassian | 11 Bamboo, Bitbucket, Confluence Data Center and 8 more | 2024-11-21 | N/A | 9.8 CRITICAL |
|
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo ...
Show More |
|||||
| CVE-2022-26091 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 5.7 MEDIUM |
|
Improper access control vulnerability in Knox Manage prior to SMR Apr-2022 Release 1 allows that physical attackers can bypass Knox Manage using a function key of hardware keyboard.
|
|||||
| CVE-2022-26034 | 1 Yokogawa | 2 B\/m9000 Vp, Centum Vp | 2024-11-21 | 5.8 MEDIUM | 9.1 CRITICAL |
|
Improper authentication vulnerability in the communication protocol provided by AD (Automation Design) server of CENTUM VP R6.01.10 to R6.09.00, CENTUM VP Small R6.01.10 to R6.09.00, CENTUM VP Basic R6.01.10 to R6.09.00, and B/M9000 VP R8.01.01 to R8.03.01 allows an attacker to use the functions provided by AD server. This may lead to leakage or tampering of data managed by AD server.
|
|||||
| CVE-2022-25833 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
Improper authentication in ImsService prior to SMR Apr-2022 Release 1 allows attackers to get IMSI without READ_PRIVILEGED_PHONE_STATE permission.
|
|||||
| CVE-2022-25832 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 4.0 MEDIUM |
|
Improper authentication vulnerability in S Secure prior to SMR Apr-2022 Release 1 allows physical attackers to use locked Myfiles app without authentication.
|
|||||
| CVE-2022-25825 | 1 Samasung | 1 Account | 2024-11-21 | 2.1 LOW | 6.2 MEDIUM |
|
Improper access control vulnerability in Samsung Account prior to version 13.1.0.1 allows attackers to access to the authcode for sign-in.
|
|||||
| CVE-2022-25817 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
|
Improper authentication in One UI Home prior to SMR Mar-2022 Release 1 allows attacker to generate pinned-shortcut without user consent.
|
|||||
| CVE-2022-25816 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.1 MEDIUM |
|
Improper authentication in Samsung Lock and mask apps setting prior to SMR Mar-2022 Release 1 allows attacker to change enable/disable without authentication
|
|||||
| CVE-2022-25652 | 1 Qualcomm | 120 Csr8811, Csr8811 Firmware, Ipq5010 and 117 more | 2024-11-21 | N/A | 9.0 CRITICAL |
|
Cryptographic issues in BSP due to improper hash verification in Snapdragon Wired Infrastructure and Networking
|
|||||
| CVE-2022-25157 | 1 Mitsubishielectric | 32 Fx5uc, Fx5uc-32mr\/ds-ts, Fx5uc-32mr\/ds-ts Firmware and 29 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubish ...
Show More |
|||||
| CVE-2022-25155 | 1 Mitsubishielectric | 32 Fx5uc, Fx5uc-32mr\/ds-ts, Fx5uc-32mr\/ds-ts Firmware and 29 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubish ...
Show More |
|||||
| CVE-2022-24976 | 1 Atheme | 1 Atheme | 2024-11-21 | 5.8 MEDIUM | 9.1 CRITICAL |
|
Atheme IRC Services before 7.2.12, when used in conjunction with InspIRCd, allows authentication bypass by ending an IRC handshake at a certain point during a challenge-response login sequence.
|
|||||
| CVE-2022-24901 | 1 Parseplatform | 1 Parse-server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.
|
|||||
| CVE-2022-24885 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | 2.1 LOW | 2.0 LOW |
|
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.1, users can bypass a lock on the Nextcloud app on an Android device by repeatedly reopening the app. Version 3.19.1 contains a fix for the problem. There are currently no known workarounds.
|
|||||
| CVE-2022-24857 | 1 Django-mfa3 Project | 1 Django-mfa3 | 2024-11-21 | 6.5 MEDIUM | 7.3 HIGH |
|
django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue ...
Show More |
|||||
| CVE-2022-24813 | 1 Miraheze | 1 Createwiki | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki's GitHub repository.
|
|||||
| CVE-2022-24748 | 1 Shopware | 1 Shopware | 2024-11-21 | 5.0 MEDIUM | 6.8 MEDIUM |
|
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds.
|
|||||
| CVE-2022-24740 | 1 Plone | 1 Volto | 2024-11-21 | 6.0 MEDIUM | 5.0 MEDIUM |
|
Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user's account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur ...
Show More |
|||||
| CVE-2022-24738 | 1 Evmos | 1 Evmos | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. In versions of evmos prior to 2.0.1 attackers are able to drain unclaimed funds from user addresses. To do this an attacker must create a new chain which does not enforce signature verification and connects it to the target evmos instance. The attacker can use this joined chain to transfer unclaimed funds. Users are advised to upgrade. There are no known workarounds for this issue.
|
|||||
| CVE-2022-24551 | 1 Starwindsoftware | 2 Nas, San | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
A flaw was found in StarWind Stack. The endpoint for setting a new password doesn’t check the current username and old password. An attacker could reset any local user password (including system/administrator user) using any available user This affects StarWind SAN and NAS v0.2 build 1633.
|
|||||
| CVE-2022-24422 | 1 Dell | 1 Idrac9 | 2024-11-21 | 10.0 HIGH | 9.6 CRITICAL |
|
Dell iDRAC9 versions 5.00.00.00 and later but prior to 5.10.10.00, contain an improper authentication vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access to the VNC Console.
|
|||||
| CVE-2022-24286 | 1 Acer | 1 Quickaccess | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Acer QuickAccess 2.01.300x before 2.01.3030 and 3.00.30xx before 3.00.3038 contains a local privilege escalation vulnerability. The user process communicates with a service of system authority through a named pipe. In this case, the Named Pipe is also given Read and Write rights to the general user. In addition, the service program does not verify the user when communicating. A thread may exist with a specific command. When the path of the program to be executed is sent, there is a local privile ...
Show More |
|||||
| CVE-2022-24285 | 1 Acer | 1 Care Center | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Acer Care Center 4.00.30xx before 4.00.3042 contains a local privilege escalation vulnerability. The user process communicates with a service of system authority called ACCsvc through a named pipe. In this case, the Named Pipe is also given Read and Write rights to the general user. In addition, the service program does not verify the user when communicating. A thread may exist with a specific command. When the path of the program to be executed is sent, there is a local privilege escalation in ...
Show More |
|||||
| CVE-2022-24259 | 1 Voipmonitor | 1 Voipmonitor | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An incorrect check in the component cdr.php of Voipmonitor GUI before v24.96 allows unauthenticated attackers to escalate privileges via a crafted request.
|
|||||
| CVE-2022-24047 | 1 Bmc | 1 Track-it\! | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It! 20.21.01.102. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of HTTP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-14618.
|
|||||
| CVE-2022-23807 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
|
|||||
| CVE-2022-23795 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
|
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover.
|
|||||
| CVE-2022-23769 | 2 Megazone, Microsoft | 2 Reversewall-mds, Windows | 2024-11-21 | N/A | 7.5 HIGH |
|
Remote code execution vulnerability due to insufficient user privilege verification in reverseWall-MDS. Remote attackers can exploit the vulnerability such as stealing account, through remote code execution.
|
|||||
| CVE-2022-23729 | 1 Google | 1 Android | 2024-11-21 | 6.9 MEDIUM | 7.8 HIGH |
|
When the device is in factory state, it can be access the shell without adb authentication process. The LG ID is LVE-SMP-210010.
|
|||||
| CVE-2022-23723 | 1 Pingidentity | 1 Pingone Mfa Integration Kit | 2024-11-21 | 5.0 MEDIUM | 7.7 HIGH |
|
An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow.
|
|||||
| CVE-2022-23722 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
|
When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password.
|
|||||
| CVE-2022-23654 | 1 Requarks | 1 Wiki.js | 2024-11-21 | 3.5 LOW | 8.1 HIGH |
|
Wiki.js is a wiki app built on Node.js. In affected versions an authenticated user with write access on a restricted set of paths can update a page outside the allowed paths by specifying a different target page ID while keeping the path intact. The access control incorrectly check the path access against the user-provided values instead of the actual path associated to the page ID. Commit https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b fixes this vulnerability b ...
Show More |
|||||
| CVE-2022-23652 | 1 Clastix | 1 Capsule-proxy | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
capsule-proxy is a reverse proxy for Capsule Operator which provides multi-tenancy in Kubernetes. In versions prior to 0.2.1 an attacker with a proper authentication mechanism may use a malicious `Connection` header to start a privilege escalation attack towards the Kubernetes API Server. This vulnerability allows for an exploit of the `cluster-admin` Role bound to `capsule-proxy`. There are no known workarounds for this issue.
|
|||||
| CVE-2022-23635 | 1 Istio | 1 Istio | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, `istiod`, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radi ...
Show More |
|||||
| CVE-2022-23600 | 1 Fleetdm | 1 Fleet | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
|
fleet is an open source device management, built on osquery. Versions prior to 4.9.1 expose a limited ability to spoof SAML authentication with missing audience verification. This impacts deployments using SAML SSO in two specific cases: 1. A malicious or compromised Service Provider (SP) could reuse the SAML response to log into Fleet as a user -- only if the user has an account with the same email in Fleet, _and_ the user signs into the malicious SP via SAML SSO from the same Identity Provider ...
Show More |
|||||
| CVE-2022-23555 | 1 Goauthentik | 1 Authentik | 2024-11-21 | N/A | 9.4 CRITICAL |
|
authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute ...
Show More |
|||||
| CVE-2022-23554 | 1 Alpine Project | 1 Alpine | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows Authentication Filter bypass. The AuthenticationFilter relies on the request URI to evaluate if the user is accessing the swagger endpoint. By accessing a URL with a path such as /api/foo;%2fapi%2fswagger the contains condition will hold and will return from the authentication filter without aborting the request. Note that the principal object will not be assigned and therefore the issue wont allow user impersonation. ...
Show More |
|||||
| CVE-2022-23541 | 1 Auth0 | 1 Jsonwebtoken | 2024-11-21 | N/A | 5.0 MEDIUM |
|
jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key c ...
Show More |
|||||
| CVE-2022-23505 | 1 Auth0 | 1 Passport-wsfed-saml2 | 2024-11-21 | N/A | 5.3 MEDIUM |
|
Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be trigge ...
Show More |
|||||
| CVE-2022-23501 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A | 5.9 MEDIUM |
|
TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ...
Show More |
|||||