Total
27 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4687 | 1 Usememos | 1 Memos | 2022-12-30 | N/A | 8.1 HIGH |
| Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0. | |||||
| CVE-2022-23720 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2022-07-13 | 4.4 MEDIUM | 8.2 HIGH |
| PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints. | |||||
| CVE-2022-24821 | 1 Xwiki | 1 Xwiki | 2022-04-15 | 5.5 MEDIUM | 8.1 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allow anyone with edit rights to actually create those. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There's no easy workaround for this issue, administrators should upgrade their wiki. | |||||
| CVE-2022-24073 | 1 Navercorp | 1 Whale | 2022-03-23 | 5.8 MEDIUM | 7.1 HIGH |
| The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store. | |||||
| CVE-2022-24071 | 1 Navercorp | 1 Whale | 2022-02-02 | 4.3 MEDIUM | 4.3 MEDIUM |
| A Built-in extension in Whale browser before 3.12.129.46 allows attackers to compromise the rendering process which could lead to controlling browser internal APIs. | |||||
| CVE-2019-1010178 | 1 Modx | 1 Fred | 2020-09-30 | 7.5 HIGH | 9.8 CRITICAL |
| Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is: https://github.com/modxcms/fred/commit/139cefac83b2ead90da23187d92739dec79d3ccd and https://github.com/modxcms/fred/commit/01f0a3d1ae7f3970639c2a0db1887beba0065246. | |||||
| CVE-2020-5291 | 4 Archlinux, Centos, Debian and 1 more | 4 Arch Linux, Centos, Debian Linux and 1 more | 2020-04-02 | 8.5 HIGH | 7.8 HIGH |
| Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update. | |||||