Total
2377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36024 | 1 Pycord Development | 1 Pycord | 2022-12-09 | N/A | 6.5 MEDIUM |
| py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version. | |||||
| CVE-2019-3928 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2022-12-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow any user to obtain the presentation passcode via the iso.3.6.1.4.1.3212.100.3.2.7.4 OIDs. A remote, unauthenticated attacker can use this vulnerability to access a restricted presentation or to become the presenter. | |||||
| CVE-2021-4037 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2022-12-08 | N/A | 7.8 HIGH |
| A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS. | |||||
| CVE-2019-3935 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2022-12-06 | 6.4 MEDIUM | 9.1 CRITICAL |
| Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to act as a moderator to a slide show via crafted HTTP POST requests to conference.cgi. A remote, unauthenticated attacker can use this vulnerability to start, stop, and disconnect active slideshows. | |||||
| CVE-2022-41970 | 1 Nextcloud | 1 Nextcloud Server | 2022-12-06 | N/A | 5.3 MEDIUM |
| Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available. | |||||
| CVE-2021-25463 | 1 Samsung | 1 Penup | 2022-12-02 | 2.1 LOW | 3.3 LOW |
| Improper access control vulnerability in PENUP prior to version 3.8.00.18 allows arbitrary webpage loading in webview. | |||||
| CVE-2022-41135 | 1 Wpchill | 1 Customizable Wordpress Gallery Plugin - Modula Image Gallery | 2022-11-23 | N/A | 5.3 MEDIUM |
| Unauth. Plugin Settings Change vulnerability in Modula plugin <= 2.6.9 on WordPress. | |||||
| CVE-2022-0824 | 1 Webmin | 1 Webmin | 2022-11-21 | 9.0 HIGH | 8.8 HIGH |
| Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990. | |||||
| CVE-2022-0731 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0. | |||||
| CVE-2021-25956 | 1 Dolibarr | 2 Dolibarr, Dolibarr Erp\/crm | 2022-11-17 | 6.5 MEDIUM | 7.2 HIGH |
| In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name. | |||||
| CVE-2022-25932 | 1 Inhandnetworks | 2 Inrouter302, Inrouter302 Firmware | 2022-11-15 | N/A | 9.8 CRITICAL |
| The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still perform, respectively, a privilege escalation and an information disclosure vulnerability. | |||||
| CVE-2022-39889 | 1 Samsung | 1 Galaxywatch4plugin | 2022-11-11 | N/A | 3.3 LOW |
| Improper access control vulnerability in GalaxyWatch4Plugin prior to versions 2.2.11.22101351 and 2.2.12.22101351 allows attackers to access wearable device information. | |||||
| CVE-2022-39884 | 1 Google | 1 Android | 2022-11-10 | N/A | 3.3 LOW |
| Improper access control vulnerability in IImsService prior to SMR Nov-2022 Release 1 allows local attacker to access to Call information. | |||||
| CVE-2019-2729 | 1 Oracle | 9 Communications Diameter Signaling Router, Communications Network Integrity, Hyperion Infrastructure Technology and 6 more | 2022-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2022-44622 | 1 Jetbrains | 1 Teamcity | 2022-11-04 | N/A | 5.3 MEDIUM |
| In JetBrains TeamCity version between 2021.2 and 2022.10 access permissions for secure token health items were excessive | |||||
| CVE-2021-36888 | 1 Blocksera | 1 Image Hover Effects | 2022-10-27 | 7.5 HIGH | 9.8 CRITICAL |
| Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate (versions <= 9.6.1) WordPress plugin. | |||||
| CVE-2021-35245 | 2 Microsoft, Solarwinds | 2 Windows, Serv-u | 2022-10-27 | 6.8 MEDIUM | 6.8 MEDIUM |
| When a user has admin rights in Serv-U Console, the user can move, create and delete any files are able to be accessed on the Serv-U host machine. | |||||
| CVE-2021-36917 | 1 Wpwave | 1 Hide My Wp | 2022-10-27 | 5.0 MEDIUM | 7.5 HIGH |
| WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. It is possible to retrieve a reset token which can then be used to deactivate the plugin. | |||||
| CVE-2021-36909 | 1 Webfactoryltd | 1 Wp Reset Pro | 2022-10-27 | 5.5 MEDIUM | 8.1 HIGH |
| Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and takeover. | |||||
| CVE-2021-34864 | 1 Parallels | 1 Parallels Desktop | 2022-10-27 | 4.6 MEDIUM | 8.8 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (49160). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the WinAppHelper component. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13543. | |||||