Total: 6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-24317 | 1 Schneider-electric | 1 Interactive Graphical Scada System Data Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | A CWE-862: Missing Authorization vulnerability exists that could cause information exposure when an attacker sends a specific message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) |
| CVE-2022-23945 | 1 Apache | 1 Shenyu | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Missing authentication on ShenYu Admin when registering by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. |
| CVE-2022-23944 | 1 Apache | 1 Shenyu | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | Users can access the /plugin API without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. |
| CVE-2022-23709 | 1 Elastic | 1 Kibana | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules. |
| CVE-2022-23642 | 1 Sourcegraph | 1 Sourcegraph | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH | Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy, and fails to properly restrict calling `git config`. This allows an attacker to set the git `core.sshCommand` option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker ... |
| CVE-2022-23621 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 4.0 MEDIUM | 5.5 MEDIUM | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`. This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT rig ... |
| CVE-2022-23617 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit right can copy the content of a page they do not have access to by using it as the template of a new page. This issue has been patched in XWiki 13.2CR1 and 12.10.6. Users are advised to update. There are no known workarounds for this issue. |
| CVE-2022-23183 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view information in the database without the access permission. |
| CVE-2022-23112 | 1 Jenkins | 1 Publish Over Ssh | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials. |
| CVE-2022-23055 | 1 Frappe | 1 Erpnext | 2024-11-21 | 5.5 MEDIUM | N/A | In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization in the chat rooms functionality. A low-privileged attacker can send a direct message or a group message to any member or group, impersonating the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users. |
| CVE-2022-22854 | 1 Hospital's Patient Records Management System Project | 1 Hospital's Patient Records Management System | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | An access control issue in hprms/admin/?page=user/list of Hospital Patient Record Management System v1.0 allows attackers to escalate privileges via accessing and editing the user list. |
| CVE-2022-22535 | 1 Sap | 1 Erp Human Capital Management | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | SAP ERP HCM Portugal, versions 600, 604 and 608, does not perform the necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads payroll information, the attacker can neither modify any information nor cause availability impacts. |
| CVE-2022-22111 | 1 Daybydaycrm | 1 Daybyday Crm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | DayByDay CRM version 2.2.0 is vulnerable to missing authorization. Any application user who has the update-user permission enabled is able to change the password of other users, including the administrator's. This allows the attacker to gain access to the highest-privileged user in the application. |
| CVE-2022-22108 | 1 Daybydaycrm | 1 Daybyday Crm | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Daybyday CRM versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker with the lowest-privileged account (employee-type user) can view the absences of all users in the system, including administrators. This type of user is not authorized to view this kind of information. |
| CVE-2022-22107 | 1 Daybydaycrm | 1 Daybyday Crm | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Daybyday CRM versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker with the lowest-privileged account (employee-type user) can view the appointments of all users in the system, including administrators, although this type of user is not authorized to view the calendar at all. |
| CVE-2022-21953 | 1 Suse | 1 Rancher | 2024-11-21 | N/A | 7.4 HIGH | A Missing Authorization vulnerability in SUSE Rancher allows an authenticated user to create an unauthorized shell pod and gain kubectl access in the local cluster. This issue affects SUSE Rancher versions prior to 2.5.17, versions prior to 2.6.10 and versions prior to 2.7.1. |
| CVE-2022-21777 | 2 Google, Mediatek | 42 Android, Mt6580, Mt6735 and 39 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | In Autoboot, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06713894; Issue ID: ALPS06713894. |
| CVE-2022-21764 | 2 Google, Mediatek | 45 Android, Mt6739, Mt6761 and 42 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | In telecom service, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07044717; Issue ID: ALPS07044717. |
| CVE-2022-21763 | 2 Google, Mediatek | 45 Android, Mt6739, Mt6761 and 42 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | In telecom service, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07044717; Issue ID: ALPS07044708. |
| CVE-2022-21749 | 2 Google, Mediatek | 55 Android, Mt6739, Mt6750 and 52 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06511058; Issue ID: ALPS06511058. |
| CVE-2022-21748 | 2 Google, Mediatek | 35 Android, Mt6580, Mt6735 and 32 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS06511030; Issue ID: ALPS06511030. |
| CVE-2022-21718 | 1 Electronjs | 1 Electron | 2024-11-21 | 4.0 MEDIUM | 3.4 LOW | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a Bluetooth device via the Web Bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the ... |
| CVE-2022-21707 | 1 Wasmcloud | 1 Host Runtime | 2024-11-21 | 5.5 MEDIUM | 6.3 MEDIUM | wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for WebAssembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked c ... |
| CVE-2022-21660 | 1 Gin-vue-admin Project | 1 Gin-vue-admin | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH | Gin-vue-admin is a backstage management system based on Vue and Gin. In versions prior to 2.4.7 low-privilege users are able to modify higher-privilege users. Authentication is missing on the `setUserInfo` function. Users are advised to update as soon as possible. There are no known workarounds. |
| CVE-2022-20736 | 1 Cisco | 1 Appdynamics Controller | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability in the web-based management interface of Cisco AppDynamics Controller Software could allow an unauthenticated, remote attacker to access a configuration file and the login page for an administrative console that they would not normally have authorization to access. This vulnerability is due to improper authorization checking for HTTP requests that are submitted to the affected web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP r ... |
| CVE-2022-20620 | 1 Jenkins | 1 Ssh Agent | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Missing permission checks in Jenkins SSH Agent Plugin 1.23 and earlier allow attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2022-20618 | 1 Jenkins | 1 Bitbucket Branch Source | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2022-20616 | 1 Jenkins | 1 Credentials Binding | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate whether a credential ID refers to a secret file credential and whether it is a zip file. |
| CVE-2022-20614 | 2 Jenkins, Oracle | 2 Mailer, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname. |
| CVE-2022-20434 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH | There is a missing authorization issue in the system service. Since the component does not have a permission check, this results in local elevation of privilege. Product: Android. Versions: Android SoC. Android ID: A-242244028 |
| CVE-2022-20433 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH | There is a missing authorization issue in the system service. Since the component does not have a permission check, this results in local elevation of privilege. Product: Android. Versions: Android SoC. Android ID: A-242221901 |
| CVE-2022-20432 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH | There is a missing authorization issue in the system service. Since the component does not have a permission check or permission protection, this results in local elevation of privilege. Product: Android. Versions: Android SoC. Android ID: A-242221899 |
| CVE-2022-20431 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH | There is a missing authorization issue in the system service. Since the component does not have a permission check, this results in local elevation of privilege. Product: Android. Versions: Android SoC. Android ID: A-242221238 |
| CVE-2022-20430 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH | There is a missing authorization issue in the system service. Since the component does not have a permission check, this results in local elevation of privilege. Product: Android. Versions: Android SoC. Android ID: A-242221233 |
| CVE-2022-20394 | 1 Google | 1 Android | 2024-11-21 | N/A | 5.0 MEDIUM | In getInputMethodWindowVisibleHeight of InputMethodManagerService.java, there is a possible way to determine when another app is showing an IME due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-204906124 |
| CVE-2022-20352 | 1 Google | 1 Android | 2024-11-21 | N/A | 5.5 MEDIUM | In addProviderRequestListener of LocationManagerService.java, there is a possible way to learn which packages request location information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12, Android-12L. Android ID: A-222473855 |
| CVE-2022-20349 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH | In WifiScanningPreferenceController and BluetoothScanningPreferenceController, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-228315522 |
| CVE-2022-20348 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH | In updateState of LocationServicesWifiScanningPreferenceController.java, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-228315529 |
| CVE-2022-20341 | 1 Google | 1 Android | 2024-11-21 | N/A | 5.5 MEDIUM | In ConnectivityService, there is a possible bypass of network permissions due to a missing permission check. This could lead to local information disclosure of tethering interfaces with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-162952629 |
| CVE-2022-20340 | 1 Google | 1 Android | 2024-11-21 | N/A | 3.3 LOW | In SELinux policy, there is a possible way of inferring which websites are being opened in the browser due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-166269532 |
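Several entries in the table above are the same failure at route level: an endpoint reachable without the check it needed because nobody registered one (the Apache ShenYu `/plugin` API and HTTP registration in CVE-2022-23944 and CVE-2022-23945, the AppDynamics configuration file and console login page in CVE-2022-20736, the Jenkins form-validation and credentials-enumeration methods reachable with Overall/Read). The usual fix is a deny-by-default policy evaluated before any handler runs, so a route that was added to the router but never classified fails closed. The following is an added example written for this page, not code from any of those projects; the `Principal` type, the route table in `DemoPolicy` and the permission names are assumptions chosen to illustrate the pattern.

```go
package main

import (
	"log"
	"net/http"
	"path"
	"strings"
)

// Principal is what the authentication layer established for a request.
// A nil *Principal means the caller is anonymous. (Assumed type for this example.)
type Principal struct {
	Name  string
	Perms map[string]bool
}

// Rule binds an HTTP method and a path prefix to the permission it requires.
// Perm "" marks a route that is deliberately public (the login page, say).
type Rule struct {
	Method string // "*" matches every method
	Prefix string // compared against the cleaned request path
	Perm   string
}

// Authorizer is a deny-by-default policy: a request that matches no rule is
// refused even when the caller is authenticated.
type Authorizer struct{ rules []Rule }

func NewAuthorizer(rules ...Rule) *Authorizer { return &Authorizer{rules: rules} }

// matchPrefix accepts "/plugin" and "/plugin/anything" but not "/pluginx".
func matchPrefix(cleaned, prefix string) bool {
	return cleaned == prefix || strings.HasPrefix(cleaned, prefix+"/")
}

// Decide returns the status the request should receive before any handler
// runs: 200 (proceed), 401 (authentication needed) or 403 (denied).
// The first matching rule wins, so list specific rules before general ones.
func (a *Authorizer) Decide(method, rawPath string, p *Principal) int {
	// Normalise first so "/admin/../plugin" or "/plugin//x" cannot dodge a rule.
	cleaned := path.Clean("/" + rawPath)
	for _, r := range a.rules {
		if r.Method != "*" && r.Method != method {
			continue
		}
		if !matchPrefix(cleaned, r.Prefix) {
			continue
		}
		switch {
		case r.Perm == "":
			return http.StatusOK
		case p == nil:
			return http.StatusUnauthorized
		case p.Perms[r.Perm]:
			return http.StatusOK
		default:
			return http.StatusForbidden
		}
	}
	if p == nil {
		return http.StatusUnauthorized
	}
	return http.StatusForbidden // no rule for this route: fail closed
}

// Middleware applies the policy in front of next. lookup is whatever
// authentication already exists (session cookie, bearer token, mTLS).
func (a *Authorizer) Middleware(lookup func(*http.Request) *Principal, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if st := a.Decide(r.Method, r.URL.Path, lookup(r)); st != http.StatusOK {
			http.Error(w, http.StatusText(st), st)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// DemoPolicy is the (assumed) route table used by main.
func DemoPolicy() *Authorizer {
	return NewAuthorizer(
		Rule{"*", "/login", ""},               // public
		Rule{"GET", "/plugin", "plugin:read"}, // list plugins
		Rule{"*", "/plugin", "plugin:admin"},  // create or modify plugins
		Rule{"*", "/admin", "admin"},
		// No rule for /register: it stays refused until someone decides what
		// it must require, instead of silently being open.
	)
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok\n")) })
	// Stand-alone demo: every caller is anonymous, so only /login is reachable.
	anonymous := func(*http.Request) *Principal { return nil }
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", DemoPolicy().Middleware(anonymous, mux)))
}
```

The point of the shape is the final `return http.StatusForbidden`: a new endpoint is denied to everyone, including administrators, until it is given a rule, which turns the "forgot the check" bug into an immediately visible failure during development rather than an open API in production. Path cleaning before matching matters as much as the table itself; prefix rules evaluated on the raw path are bypassed by `..` segments and doubled slashes.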
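CVE-2022-23642 describes a git exec proxy that forwards client-supplied arguments to git and fails to restrict `git config`, which lets a client set `core.sshCommand` and have git run an arbitrary program the next time it contacts a remote. The following is an added example for this page, not Sourcegraph's `gitserver` code: an argument filter and environment scrub for such a proxy. The allow-list of subcommands and the per-subcommand options it refuses are assumptions of this example; the `git -c`, `--config-env`, `GIT_CONFIG_GLOBAL`/`GIT_CONFIG_SYSTEM` (git 2.32 and later) and `GIT_SSH_COMMAND`-over-`core.sshCommand` precedence behaviours are git's documented ones.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// ErrUnsafeGitArgs is returned for any invocation that could change git's
// configuration or the external programs git runs.
var ErrUnsafeGitArgs = errors.New("gitexec: refused")

// allowedSubcommands is deny-by-default: "config", "fetch", "push", "remote",
// "submodule" and anything else not listed is refused. The list is an
// assumption of this example; a real proxy allows exactly what it needs.
var allowedSubcommands = map[string]bool{
	"rev-parse": true, "rev-list": true, "log": true, "show": true, "cat-file": true,
	"ls-tree": true, "ls-files": true, "diff": true, "blame": true,
}

// dangerousOptions are options of otherwise read-only subcommands that write
// to, or read from, a caller-chosen file. git accepts "--opt=v" and "--opt v".
var dangerousOptions = map[string]bool{
	"--output": true, "-O": true, "--orderfile": true,
}

// ValidateGitArgs checks the argument vector a client asked the proxy to run
// (everything after "git"). Global options precede the subcommand; "-c k=v"
// and "--config-env=k=ENV" inject configuration such as core.sshCommand
// without ever running "git config", so every global option is refused.
func ValidateGitArgs(args []string) error {
	if len(args) == 0 {
		return fmt.Errorf("%w: empty argument vector", ErrUnsafeGitArgs)
	}
	if strings.HasPrefix(args[0], "-") {
		return fmt.Errorf("%w: global option %q", ErrUnsafeGitArgs, args[0])
	}
	if !allowedSubcommands[args[0]] {
		return fmt.Errorf("%w: subcommand %q not in allow-list", ErrUnsafeGitArgs, args[0])
	}
	for _, a := range args[1:] {
		name := a
		if i := strings.IndexByte(a, '='); i >= 0 {
			name = a[:i]
		}
		if dangerousOptions[name] {
			return fmt.Errorf("%w: option %q", ErrUnsafeGitArgs, a)
		}
	}
	return nil
}

// ScrubGitEnv drops every inherited GIT_* variable (GIT_SSH_COMMAND,
// GIT_CONFIG_COUNT/KEY/VALUE, GIT_EXEC_PATH, ...) and pins git to the
// repository's own config. GIT_SSH_COMMAND takes precedence over
// core.sshCommand, so a value already planted in .git/config is ignored.
func ScrubGitEnv(inherited []string) []string {
	env := make([]string, 0, len(inherited)+5)
	for _, kv := range inherited {
		if strings.HasPrefix(kv, "GIT_") {
			continue
		}
		env = append(env, kv)
	}
	return append(env,
		"GIT_CONFIG_NOSYSTEM=1",
		"GIT_CONFIG_GLOBAL=/dev/null", // git >= 2.32
		"GIT_CONFIG_SYSTEM=/dev/null", // git >= 2.32
		"GIT_SSH_COMMAND=ssh",
		"GIT_TERMINAL_PROMPT=0",
	)
}

// BuildGitCommand validates args and prepares (does not start) the process.
func BuildGitCommand(repoDir string, args []string) (*exec.Cmd, error) {
	if err := ValidateGitArgs(args); err != nil {
		return nil, err
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = repoDir
	cmd.Env = ScrubGitEnv(os.Environ())
	return cmd, nil
}

func main() {
	for _, argv := range [][]string{
		{"log", "-1", "--oneline"},
		{"config", "core.sshCommand", "/tmp/not-ssh"},
		{"-c", "core.sshCommand=/tmp/not-ssh", "log"},
	} {
		if _, err := BuildGitCommand(".", argv); err != nil {
			fmt.Println("refused:", err)
		} else {
			fmt.Println("allowed:", strings.Join(argv, " "))
		}
	}
}
```

Blocking the literal `config` subcommand is not enough on its own, which is why the filter also refuses every global option and scrubs the environment: `git -c core.sshCommand=... fetch` sets the same option for one invocation, and `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_n`/`GIT_CONFIG_VALUE_n` inherited from the proxy's environment would do it silently.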
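CVE-2022-21660 (gin-vue-admin `setUserInfo`), CVE-2022-22111 (DayByDay CRM password change) and CVE-2022-23055 (ERPNext chat) are the object-level form of the same weakness: the caller is authenticated and may even hold a generic "update user" permission, but nothing compares the caller to the specific record named in the request body. The following is an added example for this page, not code from any of those projects; the `User`/`Role` model, the rules inside `CanUpdateUser` and the route name are assumptions. The vulnerable shape of the handler is the same code with the `CanUpdateUser` call removed: it trusts `req.ID` and writes whichever account the client names.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
)

type Role int

const (
	RoleEmployee Role = iota
	RoleManager
	RoleAdmin
)

// User is the illustrative account record (assumed for this example).
type User struct {
	ID       int
	Name     string
	Role     Role
	Password string // plaintext only to keep the example short; store a hash in real code
}

// Constructed sample data, not from any product.
var users = map[int]*User{
	1: {ID: 1, Name: "admin", Role: RoleAdmin, Password: "a"},
	2: {ID: 2, Name: "manager", Role: RoleManager, Password: "m"},
	3: {ID: 3, Name: "employee", Role: RoleEmployee, Password: "e"},
}

type setUserInfoRequest struct {
	ID       int    `json:"id"`
	Name     string `json:"name,omitempty"`
	Password string `json:"password,omitempty"`
	Role     *Role  `json:"role,omitempty"`
}

var ErrForbidden = errors.New("forbidden")

// CanUpdateUser decides whether caller may apply req to target. Holding a
// generic "update user" permission is not enough: the decision compares the
// two specific accounts, which is the comparison the listed CVEs omit.
func CanUpdateUser(caller, target *User, req setUserInfoRequest) error {
	wantsRoleChange := req.Role != nil && *req.Role != target.Role
	switch {
	case caller.ID == target.ID:
		if wantsRoleChange {
			return fmt.Errorf("%w: users cannot change their own role", ErrForbidden)
		}
		return nil
	case caller.Role == RoleAdmin:
		return nil
	case caller.Role == RoleManager && target.Role == RoleEmployee:
		if wantsRoleChange {
			return fmt.Errorf("%w: managers cannot change roles", ErrForbidden)
		}
		return nil
	default: // employee -> anyone else, manager -> manager or admin
		return fmt.Errorf("%w: %s may not modify %s", ErrForbidden, caller.Name, target.Name)
	}
}

type ctxKey struct{}

// WithCaller attaches the authenticated user to the request, as an
// authentication middleware would after validating a session or token.
func WithCaller(r *http.Request, u *User) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, u))
}

// SetUserInfoHandler is the hardened endpoint.
func SetUserInfoHandler(w http.ResponseWriter, r *http.Request) {
	caller, _ := r.Context().Value(ctxKey{}).(*User)
	if caller == nil {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	var req setUserInfoRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	target, ok := users[req.ID]
	if !ok {
		// Same status as a denied update, so the endpoint does not confirm
		// which IDs exist to callers who may not touch them anyway.
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	if err := CanUpdateUser(caller, target, req); err != nil {
		http.Error(w, err.Error(), http.StatusForbidden)
		return
	}
	if req.Name != "" {
		target.Name = req.Name
	}
	if req.Password != "" {
		target.Password = req.Password
	}
	if req.Role != nil {
		target.Role = *req.Role
	}
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	// Stand-alone demo: a fixed employee caller stands in for real authentication.
	http.HandleFunc("/api/user/setUserInfo", func(w http.ResponseWriter, r *http.Request) {
		SetUserInfoHandler(w, WithCaller(r, users[3]))
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

`CanUpdateUser` is kept free of HTTP plumbing so the authorization rules can be unit-tested as a table (caller, target, requested change, expected decision), which is where regressions of this kind are cheapest to catch.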