Total
3455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25667 | 1 Qualcomm | 138 Ar9380, Ar9380 Firmware, Csr8811 and 135 more | 2022-11-18 | N/A | 7.5 HIGH |
| Information disclosure in kernel due to improper handling of ICMP requests in Snapdragon Wired Infrastructure and Networking | |||||
| CVE-2017-8879 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 4.6 MEDIUM | 6.8 MEDIUM |
| Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation. | |||||
| CVE-2022-21794 | 1 Intel | 10 Nuc 8 Business Nuc8i7hnkqc, Nuc 8 Business Nuc8i7hnkqc Firmware, Nuc 8 Enthusiast Nuc8i7hvkva and 7 more | 2022-11-17 | N/A | 6.7 MEDIUM |
| Improper authentication in BIOS firmware for some Intel(R) NUC Boards, Intel(R) NUC Business, Intel(R) NUC Enthusiast, Intel(R) NUC Kits before version HN0067 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-26508 | 1 Intel | 1 Server Debug And Provisioning Tool | 2022-11-17 | N/A | 7.5 HIGH |
| Improper authentication in the Intel(R) SDP Tool before version 3.0.0 may allow an unauthenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2022-44244 | 1 Lin-cms Project | 1 Lin-cms | 2022-11-17 | N/A | 6.6 MEDIUM |
| An authentication bypass in Lin-CMS v0.2.1 allows attackers to escalate privileges to Super Administrator. | |||||
| CVE-2022-3477 | 3 Newsmag Project, Newspaper Project, Tagdiv Composer Project | 3 Newsmag, Newspaper, Tagdiv Composer | 2022-11-16 | N/A | 9.8 CRITICAL |
| The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address | |||||
| CVE-2022-37345 | 1 Intel | 16 Nuc Kit Nuc5i3ryh, Nuc Kit Nuc5i3ryh Firmware, Nuc Kit Nuc5i3ryhs and 13 more | 2022-11-16 | N/A | 7.8 HIGH |
| Improper authentication in BIOS firmware[A1] for some Intel(R) NUC Kits before version RY0386 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-36370 | 1 Intel | 4 Nuc Board Nuc5i3mybe, Nuc Board Nuc5i3mybe Firmware, Nuc Kit Nuc5i3myhe and 1 more | 2022-11-16 | N/A | 7.8 HIGH |
| Improper authentication in BIOS firmware for some Intel(R) NUC Boards and Intel(R) NUC Kits before version MYi30060 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-27874 | 1 Intel | 2 Xmm 7560, Xmm 7560 Firmware | 2022-11-16 | N/A | 7.2 HIGH |
| Improper authentication in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via physical access. | |||||
| CVE-2020-15802 | 1 Bluetooth | 1 Bluetooth Core Specification | 2022-11-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less. | |||||
| CVE-2022-38119 | 1 Upspowercom | 1 Upsmon Pro | 2022-11-15 | N/A | 9.8 CRITICAL |
| UPSMON Pro login function has insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and get administrator privilege to access, control system or disrupt service. | |||||
| CVE-2022-39038 | 1 Flowring | 1 Agentflow | 2022-11-15 | N/A | 8.8 HIGH |
| Agentflow BPM enterprise management system has improper authentication. A remote attacker with general user privilege can change the name of the user account to acquire arbitrary account privilege, and access, manipulate system or disrupt service. | |||||
| CVE-2022-39387 | 1 Xwiki | 1 Openid Connect | 2022-11-07 | N/A | 7.5 HIGH |
| XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the oidc.endpoint.* request parameters (or by using an XWiki-based OpenID provider with oidc.xwikiprovider. With the same approach, one could also provide a specific group mapping through oidc.groups.mapping that would make his user automatically part of the XWikiAdminGroup. This issue has been patched, please upgrade to 1.29.1. There is no workaround, an upgrade of the authenticator is required. | |||||
| CVE-2020-24987 | 1 Tendacn | 2 Ac18, Ac18 Firmware | 2022-11-07 | 6.8 MEDIUM | 9.8 CRITICAL |
| Tenda AC18 Router through V15.03.05.05_EN and through V15.03.05.19(6318) CN devices could cause a remote code execution due to incorrect authentication handling of vulnerable logincheck() function in /usr/lib/lua/ngx_authserver/ngx_wdas.lua file if the administrator UI Interface is set to "radius". | |||||
| CVE-2022-43451 | 1 Openharmony | 1 Openharmony | 2022-11-07 | N/A | 6.5 MEDIUM |
| OpenHarmony-v3.1.2 and prior versions had an Multiple path traversal vulnerability in appspawn and nwebspawn services. Local attackers can create arbitrary directories or escape application sandbox.If chained with other vulnerabilities it would allow an unprivileged process to gain full root privileges. | |||||
| CVE-2022-41648 | 1 Heidenhain | 3 Heros, Tnc 640, Tnc 640 Programming Station | 2022-11-03 | N/A | 9.8 CRITICAL |
| The HEIDENHAIN Controller TNC 640, version 340590 07 SP5, running HEROS 5.08.3 controlling the HARTFORD 5A-65E CNC machine is vulnerable to improper authentication, which may allow an attacker to deny service to the production line, steal sensitive data from the production line, and alter any products created by the production line. | |||||
| CVE-2022-22656 | 1 Apple | 2 Mac Os X, Macos | 2022-11-02 | 2.1 LOW | 3.3 LOW |
| An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen. | |||||
| CVE-2022-2572 | 1 Octopus | 1 Octopus Server | 2022-11-01 | N/A | 9.8 CRITICAL |
| In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked. | |||||
| CVE-2022-39366 | 1 Datahub Project | 1 Datahub | 2022-10-31 | N/A | 9.8 CRITICAL |
| DataHub is an open-source metadata platform. Prior to version 0.8.45, the `StatelessTokenService` of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the `StatelessTokenService` of the Metadata service uses the `parse` method of `io.jsonwebtoken.JwtParser`, which does not perform a verification of the cryptographic token signature. This means that JWTs are accepted regardless of the used algorithm. This issue may lead to an authentication bypass. Version 0.8.45 contains a patch for the issue. There are no known workarounds. | |||||
| CVE-2022-39355 | 1 Discourse | 1 Patreon | 2022-10-28 | N/A | 9.8 CRITICAL |
| Discourse Patreon enables syncronization between Discourse Groups and Patreon rewards. On sites with Patreon login enabled, an improper authentication vulnerability could be used to take control of a victim's forum account. This vulnerability is patched in commit number 846d012151514b35ce42a1636c7d70f6dcee879e of the discourse-patreon plugin. Out of an abundance of caution, any Discourse accounts which have logged in with an unverified-email Patreon account will be logged out and asked to verify their email address on their next login. As a workaround, disable the patreon integration and log out all users with associated Patreon accounts. | |||||