Total: 6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-28993 | 1 Bdtask | 1 Multi Store Inventory Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request. |
| CVE-2022-28866 | 1 Nokia | 1 Airframe Bmc Web Gui R18 Firmware | 2024-11-21 | N/A | 8.8 HIGH | Multiple improper access control issues were discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/* and /api/settings/*. By not verifying the permissions for access to resources, it allows a potential attacker to view pages with sensitive data that are not allowed, and to modify system configurations, also causing DoS, which should be accessible only to a user with adminis ... |
| CVE-2022-28789 | 1 Samsung | 1 Voice Note | 2024-11-21 | 2.1 LOW | 6.2 MEDIUM | Unprotected activities in Voice Note prior to version 21.3.51.11 allow attackers to record voice without user interaction. The patch adds proper permission for the vulnerable activities. |
| CVE-2022-28158 | 1 Jenkins | 1 Pipeline\ | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2022-28151 | 1 Jenkins | 1 Job And Node Ownership | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job. |
| CVE-2022-28147 | 1 Jenkins | 1 Continuous Integration With Toad Edge | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. |
| CVE-2022-28144 | 1 Jenkins | 1 Proxmox | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using an attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters. |
| CVE-2022-28139 | 1 Jenkins | 1 Rocketchat Notifier | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2022-28137 | 1 Jenkins | 1 Jiratestresultreporter | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2022-28134 | 1 Jenkins | 1 Bitbucket Server Integration | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM | Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers. |
| CVE-2022-27948 | 1 Tesla | 6 Model 3, Model 3 Firmware, Model S and 3 more | 2024-11-21 | 3.3 LOW | 7.2 HIGH | Certain Tesla vehicles through 2022-03-26 allow attackers to open the charging port via a 315 MHz RF signal containing a fixed sequence of approximately one hundred symbols. NOTE: the vendor's perspective is that the behavior is as intended. |
| CVE-2022-27669 | 1 Sap | 1 Netweaver Application Server For Java | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An unauthenticated user can use functions of the XML Data Archiving Service of SAP NetWeaver Application Server for Java - version 7.50, to which access should be restricted. This may result in an escalation of privileges. |
| CVE-2022-27658 | 1 Sap | 1 Innovation Management | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH | Under certain conditions, SAP Innovation management - version 2.0, allows an attacker to access information which could lead to information gathering for further exploits and attacks. |
| CVE-2022-27480 | 1 Siemens | 4 Sicam A8000 Cp-8031, Sicam A8000 Cp-8031 Firmware, Sicam A8000 Cp-8050 and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | A vulnerability has been identified in SICAM A8000 CP-8031 (All versions < V4.80), SICAM A8000 CP-8050 (All versions < V4.80). Affected devices do not require a user to be authenticated to access certain files. This could allow unauthenticated attackers to download these files. |
| CVE-2022-27215 | 1 Jenkins | 1 Release Helper | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2022-27211 | 1 Jenkins | 1 Kubernetes Continuous Deploy | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2022-27209 | 1 Jenkins | 1 Kubernetes Continuous Deploy | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2022-27205 | 1 Jenkins | 1 Extended Choice Parameter | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. |
| CVE-2022-27199 | 1 Jenkins | 1 Cloudbees Aws Credentials | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token. |
| CVE-2022-26581 | 1 Paxtechnology | 2 A930, Paydroid | 2024-11-21 | N/A | 6.8 MEDIUM | PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an unauthorized attacker to perform privileged actions through the execution of specific binaries listed in the ADB daemon. The attacker must have physical USB access to the device in order to exploit this vulnerability. |
| CVE-2022-26546 | 1 Hospital Management System Project | 1 Hospital Management System | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | Hospital Management System v1.0 was discovered to lack an authorization component, allowing attackers to access sensitive information and obtain the admin password. |
| CVE-2022-26429 | 2 Google, Mediatek | 42 Android, Mt6580, Mt6735 and 39 more | 2024-11-21 | N/A | 7.8 HIGH | In cta, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07025415; Issue ID: ALPS07025415. |
| CVE-2022-26104 | 1 Sap | 1 Financial Consolidation | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | SAP Financial Consolidation - version 10.1, does not perform the necessary authorization checks for updating homepage messages, allowing an unauthorized user to alter the maintenance system message. |
| CVE-2022-26103 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM | Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks. |
| CVE-2022-26102 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM | Due to a missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker to access content on the start screen of any transaction that is available within the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in the worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the applicatio ... |
| CVE-2022-25810 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-11-21 | N/A | 6.5 MEDIUM | The Transposh WordPress Translation WordPress plugin through 1.0.8 exposes a couple of sensitive actions such as “tp_reset” under the Utilities tab (/wp-admin/admin.php?page=tp_utils), which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and backup/restore operations. |
| CVE-2022-25342 | 1 Olivetti | 2 D-color Mf3555, D-color Mf3555 Firmware | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH | An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Broken Access Control. It does not properly validate requests for access to data and functionality under the /mngset/authset path. By not verifying permissions for access to resources, it allows a potential attacker to view pages that are not allowed. |
| CVE-2022-25211 | 1 Jenkins | 1 Swamp | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A missing permission check in Jenkins SWAMP Plugin 1.2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server using attacker-specified credentials. |
| CVE-2022-25208 | 1 Jenkins | 1 Chef Sinatra | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response. |
| CVE-2022-25206 | 1 Jenkins | 1 Dbcharts | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A missing check in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified database via JDBC using attacker-specified credentials. |
| CVE-2022-25201 | 1 Jenkins | 1 Checkmarx | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2022-25199 | 1 Jenkins | 1 Scp Publisher | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials. |
| CVE-2022-25195 | 1 Jenkins | 1 Autonomiq | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2022-25193 | 1 Jenkins | 1 Snow Commander | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2022-25190 | 1 Jenkins | 1 Conjur Secrets | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2022-24896 | 1 Enalean | 1 Tuleap | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Tuleap is a Free & Open Source Suite to manage software development and collaboration. In versions prior to 13.7.99.239 Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets. Malicious users could use this vulnerability to retrieve the name of a tracker they cannot access as well as the names of the fields used in reports. |
| CVE-2022-24768 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. Versions starting with 0.8.0 and 0.5.0 contain limited versions of this issue. To perform exploits, an authorized Argo CD user must have push access to an Application's source git or Helm repository or `sync` and `override` access to an Ap ... |
| CVE-2022-24669 | 1 Forgerock | 1 Access Management | 2024-11-21 | N/A | 6.5 MEDIUM | It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services. |
| CVE-2022-24594 | 1 Waline | 1 Waline | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address. |
| CVE-2022-24450 | 1 Nats | 2 Nats Server, Nats Streaming Server | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature. |