Total: 29869 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-38380 | 1 Fortinet | 1 Fortios | 2024-11-21 | N/A | 4.3 MEDIUM | An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API. |
| CVE-2022-38377 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-11-21 | N/A | 4.3 MEDIUM | An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs' information such as device information and dashboard information. |
| CVE-2022-38375 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2024-11-21 | N/A | 9.1 CRITICAL | An improper authorization vulnerability [CWE-285] in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST requests. |
| CVE-2022-38372 | 1 Fortinet | 1 Fortitester | 2024-11-21 | N/A | 6.7 MEDIUM | A hidden functionality vulnerability [CWE-1242] in FortiTester CLI 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow a local, privileged user to obtain a root shell on the device via an undocumented command. |
| CVE-2022-38355 | 1 Daikinlatam | 2 Svmpc1, Svmpc2 | 2024-11-21 | N/A | 7.5 HIGH | Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to attackers with access to the local area network (LAN), who can disclose sensitive information stored by the affected product without requiring authentication. |
| CVE-2022-38341 | 1 Safe | 1 Fme Server | 2024-11-21 | N/A | 7.1 HIGH | Safe Software FME Server v2021.2.5 and below does not employ server-side validation. |
| CVE-2022-38184 | 1 Esri | 1 Portal For Arcgis | 2024-11-21 | N/A | 7.5 HIGH | There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs. |
| CVE-2022-38135 | 1 Photospace Gallery Project | 1 Photospace Gallery | 2024-11-21 | N/A | 5.4 MEDIUM | Broken Access Control vulnerability in Dean Oakley's Photospace Gallery plugin <= 2.3.5 at WordPress allows users with subscriber or higher role to change plugin settings. |
| CVE-2022-38134 | 1 Cusrev | 1 Customer Reviews For Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM | Authenticated (subscriber+) Broken Access Control vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress. |
| CVE-2022-38104 | 1 Oxilab | 1 Accordions | 2024-11-21 | N/A | 7.2 HIGH | Authenticated WordPress options change (siteurl, users_can_register, default_role, admin_email and new_admin_email) vulnerability in Biplob Adhikari's Accordions – Multiple Accordions or FAQs Builder plugin (versions <= 2.0.3) on WordPress. |
| CVE-2022-38100 | 1 Contechealth | 2 Cms8000, Cms8000 Firmware | 2024-11-21 | N/A | 7.5 HIGH | The CMS8000 device fails while attempting to parse malformed network data sent by a threat actor. A threat actor with network access can remotely issue a specially formatted UDP request that will cause the entire device to crash and require a physical reboot. A UDP broadcast request could be sent that causes a mass denial-of-service attack on all CMS8000 devices connected to the same network. |
| CVE-2022-38070 | 1 Mypopups | 1 Pop-up | 2024-11-21 | N/A | 5.4 MEDIUM | Privilege Escalation (subscriber+) vulnerability in Pop-up plugin <= 1.1.5 at WordPress. |
| CVE-2022-38058 | 1 Wpvar | 1 Wp Shamsi | 2024-11-21 | N/A | 4.3 MEDIUM | Authenticated (subscriber+) Plugin Setting change vulnerability in WP Shamsi plugin <= 4.1.1 at WordPress. |
| CVE-2022-37959 | 1 Microsoft | 4 Windows Server 2012, Windows Server 2016, Windows Server 2019 and 1 more | 2024-11-21 | N/A | 6.5 MEDIUM | Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability |
| CVE-2022-37953 | 1 Ge | 1 Workstationst | 2024-11-21 | N/A | 4.7 MEDIUM | An HTTP response splitting vulnerability exists in the AM Gateway Challenge-Response dialog of WorkstationST (<v07.09.15) and could allow an attacker to compromise a victim's browser/session. WorkstationST is only deployed in specific, controlled environments, rendering attack complexity significantly higher than if the attack were conducted on the software in isolation. WorkstationST v07.09.15 can be found in ControlST v07.09.07 SP8 and greater. |
| CVE-2022-37843 | 1 Totolink | 2 A860r, A860r Firmware | 2024-11-21 | N/A | 9.8 CRITICAL | In TOTOLINK A860R V4.1.2cu.5182_B20201027, in cstecgi.cgi the acquired parameters are passed directly to the system for execution without filtering, resulting in a command injection vulnerability. |
| CVE-2022-37734 | 1 Graphql-java Project | 1 Graphql-java | 2024-11-21 | N/A | 7.5 HIGH | graphql-java before 19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4, and 0.0.0-2022-07-26T05-45-04-226aabd9. |
| CVE-2022-37458 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 7.2 HIGH | Discourse through 2.8.7 allows admins to send invitations to arbitrary email addresses at an unlimited rate. |
| CVE-2022-37409 | 1 Intel | 1 Integrated Performance Primitives Cryptography | 2024-11-21 | N/A | 4.7 MEDIUM | Insufficient control flow management for the Intel(R) IPP Cryptography software before version 2021.6 may allow an authenticated user to potentially enable information disclosure via local access. |
| CVE-2022-37344 | 1 Accommodation-system Project | 1 Accommodation-system | 2024-11-21 | N/A | 7.6 HIGH | Missing Access Control vulnerability in PHP Crafts Accommodation System plugin <= 1.0.1 at WordPress. |
| CVE-2022-37343 | 1 Intel | 228 Atom C3308, Atom C3308 Firmware, Atom C3336 and 225 more | 2024-11-21 | N/A | 7.2 HIGH | Improper access control in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2022-37316 | 1 Rsa | 1 Archer | 2024-11-21 | N/A | 6.5 MEDIUM | Archer Platform 6.8 before 6.11 P3 (6.11.0.3) contains an improper API access control vulnerability in a multi-instance system that could potentially present unauthorized metadata to an authenticated user of the affected system. 6.10 P3 HF1 (6.10.0.3.1) is also a fixed release. |
| CVE-2022-37190 | 1 Cuppacms | 1 Cuppacms | 2024-11-21 | N/A | 8.8 HIGH | CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php". |
| CVE-2022-37172 | 1 Msys2 | 1 Msys2 | 2024-11-21 | N/A | 7.8 HIGH | Incorrect access control in the install directory (C:\msys64) of Msys2 v20220603 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory. |
| CVE-2022-37151 | 1 Online Diagnostic Lab Management System Project | 1 Online Diagnostic Lab Management System | 2024-11-21 | N/A | 7.5 HIGH | There is an unauthorized access vulnerability in Online Diagnostic Lab Management System 1.0. |
| CVE-2022-36956 | 1 Veritas | 1 Netbackup | 2024-11-21 | N/A | 9.0 CRITICAL | In Veritas NetBackup, the NetBackup Client allows arbitrary command execution from any remote host that has access to a valid host-id NetBackup certificate/private key from the same domain. This affects 9.0.x through 9.0.0.1 and 9.1.x through 9.1.0.1. |
| CVE-2022-36900 | 1 Jenkins | 2 Compuware Zadviser Api, Jenkins | 2024-11-21 | N/A | 8.2 HIGH | Jenkins Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties. |
| CVE-2022-36899 | 1 Jenkins | 2 Compuware Ispw Operations, Jenkins | 2024-11-21 | N/A | 8.2 HIGH | Jenkins Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties. |
| CVE-2022-36876 | 1 Samsung | 1 Samsung Pass | 2024-11-21 | N/A | 1.8 LOW | Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10 allows physical attackers to access the account list without authentication. |
| CVE-2022-36875 | 1 Samsung | 1 Galaxy Watch Plugin | 2024-11-21 | N/A | 6.6 MEDIUM | Improper restriction of broadcasting Intent in SaWebViewRelayActivity of Waterplugin prior to version 2.2.11.22081151 allows an attacker to access the file without permission. |
| CVE-2022-36869 | 1 Samsung | 1 Contacts Provider | 2024-11-21 | N/A | 6.6 MEDIUM | Improper access control vulnerability in ContactsDumpActivity of Contacts Provider prior to version 12.7.59 allows an attacker to access the file without permission. |
| CVE-2022-36868 | 1 Google | 1 Android | 2024-11-21 | N/A | 5.9 MEDIUM | Improper restriction of broadcasting Intent in MouseNKeyHidDevice prior to SMR Oct-2022 Release 1 leaks the MAC address of the connected Bluetooth device. |
| CVE-2022-36867 | 1 Samsung | 1 Editor Lite | 2024-11-21 | N/A | 5.9 MEDIUM | Improper access control vulnerability in Editor Lite prior to version 4.0.40.14 allows attackers to access sensitive information. |
| CVE-2022-36866 | 2 Google, Samsung | 2 Android, Group Sharing | 2024-11-21 | N/A | 4.0 MEDIUM | Improper access control vulnerability in Broadcaster in Group Sharing prior to versions 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below allows attackers to identify the device. |
| CVE-2022-36865 | 2 Google, Samsung | 2 Android, Group Sharing | 2024-11-21 | N/A | 4.0 MEDIUM | Improper access control in Group Sharing prior to versions 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below allows attackers to access device information. |
| CVE-2022-36864 | 1 Samsung | 1 Samsung Email | 2024-11-21 | N/A | 4.0 MEDIUM | Improper access control and intent redirection in Samsung Email prior to 6.1.70.20 allows an attacker to access a specifically formatted file and execute privileged behavior. |
| CVE-2022-36857 | 2 Google, Samsung | 2 Android, Photo Editor | 2024-11-21 | N/A | 1.9 LOW | Improper Authorization vulnerability in Photo Editor prior to SMR Sep-2022 Release 1 allows physical attackers to read internal application data. |
| CVE-2022-36852 | 1 Google | 1 Android | 2024-11-21 | N/A | 1.9 LOW | Improper Authorization vulnerability in Video Editor prior to SMR Sep-2022 Release 1 allows a local attacker to access internal application data. |
| CVE-2022-36851 | 1 Samsung | 1 Samsung Pass | 2024-11-21 | N/A | 3.9 LOW | Improper access control vulnerability in Samsung Pass prior to version 4.0.03.1 allows physical attackers to access Samsung Pass data in a certain state of an unlocked device. |
| CVE-2022-36848 | 1 Google | 1 Android | 2024-11-21 | N/A | 5.1 MEDIUM | Improper Authorization vulnerability in setDualDARPolicyCmd prior to SMR Sep-2022 Release 1 allows local attackers to cause local permanent denial of service. |
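Several entries above (CVE-2022-38135, CVE-2022-38134, CVE-2022-38104, CVE-2022-38070, CVE-2022-38058, CVE-2022-37344) describe the same WordPress failure mode: a settings handler reachable by any logged-in user, with no capability check and, in the CVE-2022-38104 case, no restriction on which option names can be written. The following is an added, generic illustration of that pattern and its hardened form; it is not the code of any plugin listed on this page, and the hook names, option keys (`demo_gallery_columns`, `demo_gallery_title`) and nonce action are assumed for illustration.

```php
<?php
/**
 * Added example, not the code of any plugin listed above.
 * Weak settings handler (the CVE pattern) followed by a hardened one.
 * Hook names, option keys and the nonce action are assumed.
 */

// --- Weak form: every logged-in user reaches wp_ajax_*, and any option is writable. ---
add_action( 'wp_ajax_demo_save_settings_weak', 'demo_save_settings_weak' );
function demo_save_settings_weak() {
    // No nonce, no capability check, and the option name comes from the request,
    // so a subscriber can POST name=admin_email or name=default_role
    // (the options named in CVE-2022-38104 are all reachable through update_option).
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}

// --- Hardened form: nonce + capability + allowlist of plugin-owned options. ---
// Map of permitted option keys to the sanitizer applied before storing (assumed keys).
const DEMO_ALLOWED_OPTIONS = array(
    'demo_gallery_columns' => 'absint',
    'demo_gallery_title'   => 'sanitize_text_field',
);

add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings' );
function demo_save_settings() {
    // 1. CSRF: the request must carry a nonce minted for this action (dies on failure).
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    // 2. Authorization: "logged in" is not "allowed". Changing settings requires
    //    manage_options (or a capability the plugin registers itself), never just
    //    the 'read' capability every subscriber has.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: only the plugin's own options are writable, so siteurl,
    //    admin_email, users_can_register and default_role are unreachable
    //    no matter who calls this endpoint.
    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! array_key_exists( $name, DEMO_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 4. Sanitize per option with the sanitizer the allowlist names, then store.
    $sanitizer = DEMO_ALLOWED_OPTIONS[ $name ];
    $value     = call_user_func( $sanitizer, wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( $name => $value ) );
}
```

Two points worth checking when auditing a plugin against this list: a nonce is not an authorization check, because a subscriber can obtain a valid nonce for any action whose nonce is emitted on a page they are allowed to view, so step 2 is required even when step 1 is present; and an allowlist of option names (step 3) is what stops the escalation from "change plugin settings" to "change `admin_email`/`default_role`", which is the difference between the MEDIUM and HIGH scores in the WordPress entries above.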