Total
549 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-39905 | 1 Google | 1 Android | 2022-12-10 | N/A | 5.5 MEDIUM |
| Implicit intent hijacking vulnerability in Telecom application prior to SMR Dec-2022 Release 1 allows attacker to access sensitive information via implicit intent. | |||||
| CVE-2021-39317 | 1 Accesspressthemes | 43 Access Demo Importer, Accesspress-lite, Accesspress-mag and 40 more | 2022-12-09 | 6.5 MEDIUM | 8.8 HIGH |
| A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer <=1.0.6 WordPress Themes: accesspress-basic <= 3.2.1 accesspress-lite <= 2.92 accesspress-mag <= 2.6.5 accesspress-parallax <= 4.5 accesspress-root <= 2.5 accesspress-store <= 2.4.9 agency-lite <= 1.1.6 arrival <= 1.4.2 bingle <= 1.0.4 bloger <= 1.2.6 brovy <= 1.3 construction-lite <= 1.2.5 doko <= 1.0.27 edict-lite <= 1.1.4 eightlaw-lite <= 2.1.5 eightmedi-lite <= 2.1.8 eight-sec <= 1.1.4 eightstore-lite <= 1.2.5 enlighten <= 1.3.5 fotography <= 2.4.0 opstore <= 1.4.3 parallaxsome <= 1.3.6 punte <= 1.1.2 revolve <= 1.3.1 ripple <= 1.2.0 sakala <= 1.0.4 scrollme <= 2.1.0 storevilla <= 1.4.1 swing-lite <= 1.1.9 the100 <= 1.1.2 the-launcher <= 1.3.2 the-monday <= 1.4.1 ultra-seven <= 1.2.8 uncode-lite <= 1.3.3 vmag <= 1.2.7 vmagazine-lite <= 1.3.5 vmagazine-news <= 1.0.5 wpparallax <= 2.0.6 wp-store <= 1.1.9 zigcy-baby <= 1.0.6 zigcy-cosmetics <= 1.0.5 zigcy-lite <= 2.0.9 | |||||
| CVE-2021-41313 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-11-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20.7. | |||||
| CVE-2022-39890 | 1 Samsung | 1 Billing | 2022-11-10 | N/A | 7.5 HIGH |
| Improper Authorization in Samsung Billing prior to version 5.0.56.0 allows attacker to get sensitive information. | |||||
| CVE-2020-9048 | 2 Johnsoncontrols, Tyco | 2 Victor Web Client, C-cure Web Client | 2022-10-29 | 7.8 HIGH | 8.1 HIGH |
| A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack. | |||||
| CVE-2022-39322 | 1 Keystonejs | 1 Keystone | 2022-10-28 | N/A | 9.8 CRITICAL |
| @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - are vulnerable to their field-level access control not being used. List-level access control is not affected. Field-level access control for fields other than `multiselect` are not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the `multiselect` field. | |||||
| CVE-2022-36838 | 1 Samsung | 1 Galaxy Wearable | 2022-10-27 | N/A | 4.6 MEDIUM |
| Implicit Intent hijacking vulnerability in Galaxy Wearable prior to version 2.2.50 allows attacker to get sensitive information. | |||||
| CVE-2022-36837 | 1 Samsung | 1 Samsung Email | 2022-10-27 | N/A | 5.5 MEDIUM |
| Intent redirection vulnerability using implicit intent in Samsung email prior to version 6.1.70.20 allows attacker to get sensitive information. | |||||
| CVE-2021-38486 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2022-10-27 | 6.0 MEDIUM | 8.5 HIGH |
| InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 cloud portal allows for self-registration of the affected product without any requirements to create an account, which may allow an attacker to have full control over the product and execute code within the internal network to which the product is connected. | |||||
| CVE-2021-33723 | 1 Siemens | 1 Sinec Nms | 2022-10-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system. | |||||
| CVE-2021-36029 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2022-10-27 | 6.5 MEDIUM | 7.2 HIGH |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution. | |||||
| CVE-2021-37705 | 1 Microsoft | 1 Onefuzz | 2022-10-27 | 6.8 MEDIUM | 10.0 CRITICAL |
| OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain option. This can result in read/write access to private data such as software vulnerability and crash information, security testing tools and proprietary code and symbols. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. As a workaround users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option. | |||||
| CVE-2021-35964 | 1 Learningdigital | 1 Orca Hcm | 2022-10-27 | 7.5 HIGH | 9.8 CRITICAL |
| The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access members’ information, modify and delete the courses in system, thus causing users fail to access the learning content. | |||||
| CVE-2021-3837 | 1 Openwhyd | 1 Openwhyd | 2022-10-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| openwhyd is vulnerable to Improper Authorization | |||||
| CVE-2021-25399 | 1 Samsung | 1 Smart Manager | 2022-10-25 | 3.6 LOW | 7.1 HIGH |
| Improper configuration in Smart Manager prior to version 11.0.05.0 allows attacker to access the file with system privilege. | |||||
| CVE-2021-25382 | 1 Google | 1 Android | 2022-10-25 | 3.6 LOW | 5.5 MEDIUM |
| An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command. | |||||
| CVE-2021-27663 | 1 Johnsoncontrols | 2 Ac2000, Ac2000 Firmware | 2022-10-25 | 9.3 HIGH | 9.8 CRITICAL |
| A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access to the system without adequate authorization. This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3; 10.4; 10.5. | |||||
| CVE-2021-21362 | 1 Minio | 1 Minio | 2022-10-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO. | |||||
| CVE-2020-24403 | 1 Magento | 1 Magento | 2022-10-21 | 4.0 MEDIUM | 2.7 LOW |
| Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API. | |||||
| CVE-2020-24404 | 1 Magento | 1 Magento | 2022-10-21 | 5.5 MEDIUM | 2.7 LOW |
| Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization. | |||||