Total
2747 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-32768 | 1 Wwbn | 1 Avideo | 2022-08-24 | N/A | 4.2 MEDIUM |
| Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request by an authenticated user can lead to unauthorized access and takeover of resources. An attacker can send an HTTP request to trigger this vulnerability.This vulnerability exists in the Live Schedules plugin, allowing an attacker to bypass authentication by guessing a sequential ID, allowing them to take over the another user's streams. | |||||
| CVE-2022-2379 | 1 Easy Student Results Project | 1 Easy Student Results | 2022-08-16 | N/A | 7.5 HIGH |
| The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to the courses, exams, departments as well as student's grades and PII such as email address, physical address, phone number etc | |||||
| CVE-2022-20336 | 1 Google | 1 Android | 2022-08-16 | N/A | 3.3 LOW |
| In Settings, there is a possible installed application disclosure due to a missing permission check. This could lead to local information disclosure of applications allow-listed to use the network during VPN lockdown mode with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-177239688 | |||||
| CVE-2022-20335 | 1 Google | 1 Android | 2022-08-16 | N/A | 3.3 LOW |
| In Wifi Slice, there is a possible way to adjust Wi-Fi settings even when the permission has been disabled due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-178014725 | |||||
| CVE-2022-20340 | 1 Google | 1 Android | 2022-08-16 | N/A | 3.3 LOW |
| In SELinux policy, there is a possible way of inferring which websites are being opened in the browser due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-166269532 | |||||
| CVE-2022-35293 | 1 Sap | 1 Enable Now Manager | 2022-08-15 | N/A | 9.1 CRITICAL |
| Due to insecure session management, SAP Enable Now allows an unauthenticated attacker to gain access to user's account. On successful exploitation, an attacker can view or modify user data causing limited impact on confidentiality and integrity of the application. | |||||
| CVE-2021-21432 | 1 Go-vela | 1 Vela | 2022-08-12 | 3.5 LOW | 6.5 MEDIUM |
| Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. An authentication mechanism added in version 0.7.0 enables some malicious user to obtain secrets utilizing the injected credentials within the `~/.netrc` file. Refer to the referenced GitHub Security Advisory for complete details. This is fixed in version 0.7.5. | |||||
| CVE-2021-42331 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2022-08-12 | 5.5 MEDIUM | 5.4 MEDIUM |
| The “Study Edit” function of ShinHer StudyOnline System does not perform permission control. After logging in with user’s privilege, remote attackers can access and edit other users’ tutorial schedule by crafting URL parameters. | |||||
| CVE-2021-43847 | 1 Humhub | 1 Humhub | 2022-08-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue. | |||||
| CVE-2021-42367 | 1 Variation Swatches For Woocommerce Project | 1 Variation Swatches For Woocommerce | 2022-08-09 | 3.5 LOW | 5.4 MEDIUM |
| The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. Due to missing authorization checks on the tawcvs_save_settings function, low-level authenticated users such as subscribers can exploit this vulnerability. | |||||
| CVE-2021-4089 | 1 Snipeitapp | 1 Snipe-it | 2022-08-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| snipe-it is vulnerable to Improper Access Control | |||||
| CVE-2021-42851 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2022-08-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account. | |||||
| CVE-2022-31128 | 1 Enalean | 1 Tuleap | 2022-08-06 | N/A | 5.4 MEDIUM |
| Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not properly verify permissions when creating branches with the REST API in Git repositories using the fine grained permissions. Users can create branches via the REST endpoint `POST git/:id/branches` regardless of the permissions set on the repository. This issue has been fixed in version 13.10.99.82 Tuleap Community Edition as well as in version 13.10-3 of Tuleap Enterprise Edition. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-2369 | 1 Yaycommerce | 1 Yaysmtp | 2022-08-05 | N/A | 4.3 MEDIUM |
| The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin | |||||
| CVE-2021-39184 | 1 Electronjs | 1 Electron | 2022-08-05 | 5.0 MEDIUM | 8.6 HIGH |
| Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it. | |||||
| CVE-2021-24836 | 1 Storeapps | 1 Temporary Login Without Password | 2022-08-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them | |||||
| CVE-2021-33057 | 1 Tencent | 1 Qq | 2022-08-04 | N/A | 7.5 HIGH |
| The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device's location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center. | |||||
| CVE-2020-36239 | 1 Atlassian | 3 Jira Data Center, Jira Service Desk, Jira Service Management | 2022-08-01 | 7.5 HIGH | 9.8 CRITICAL |
| Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011[0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. [0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. [1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated. | |||||
| CVE-2021-25409 | 1 Google | 1 Android | 2022-07-30 | 2.1 LOW | 2.4 LOW |
| Improper access in Notification setting prior to SMR JUN-2021 Release 1 allows physically proximate attackers to set arbitrary notification via physically configuring device. | |||||
| CVE-2021-32504 | 1 Sick | 2 Ftmg, Ftmg Firmware | 2022-07-27 | N/A | 5.3 MEDIUM |
| Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information’s to launch further attacks on the system. | |||||