Total: 2747 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-25075 | 1 Wpdevart | 1 Duplicate Page Or Post | 2022-02-28 | 3.5 LOW | 3.5 LOW | The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated user, such as a subscriber, to call it and change the plugin's settings, or perform such an attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues.
CVE-2021-25014 | 1 Vowelweb | 1 Ibtana | 2022-02-22 | 3.5 LOW | 3.5 LOW | The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated user, such as a subscriber, to call it and change the plugin's settings, which could lead to Stored Cross-Site Scripting issues.
CVE-2019-10184 | 2 Netapp, Redhat | 7 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 4 more | 2022-02-20 | 5.0 MEDIUM | 7.5 HIGH | Undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the API.
CVE-2021-25018 | 1 Najeebmedia | 1 Ppom For Woocommerce | 2022-02-19 | 3.5 LOW | 5.4 MEDIUM | The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated user to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues.
CVE-2022-24317 | 1 Schneider-electric | 1 Interactive Graphical Scada System Data Server | 2022-02-17 | 5.0 MEDIUM | 7.5 HIGH | A CWE-862: Missing Authorization vulnerability exists that could cause information exposure when an attacker sends a specific message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior).
CVE-2022-23617 | 1 Xwiki | 1 Xwiki | 2022-02-15 | 4.0 MEDIUM | 6.5 MEDIUM | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions, any user with edit right can copy the content of a page they do not have access to by using it as the template of a new page. This issue has been patched in XWiki 13.2CR1 and 12.10.6. Users are advised to update. There are no known workarounds for this issue.
CVE-2022-21660 | 1 Gin-vue-admin Project | 1 Gin-vue-admin | 2022-02-15 | 5.5 MEDIUM | 8.1 HIGH | Gin-vue-admin is a backstage management system based on Vue and Gin. In versions prior to 2.4.7, low-privilege users are able to modify higher-privilege users. Authentication is missing on the `setUserInfo` function. Users are advised to update as soon as possible. There are no known workarounds.
CVE-2022-20043 | 2 Google, Mediatek | 7 Android, Mt8167, Mt8175 and 4 more | 2022-02-14 | 4.6 MEDIUM | 7.8 HIGH | In Bluetooth, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06148177; Issue ID: ALPS06148177.
CVE-2022-20041 | 2 Google, Mediatek | 7 Android, Mt8167, Mt8175 and 4 more | 2022-02-14 | 4.6 MEDIUM | 7.8 HIGH | In Bluetooth, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06108596; Issue ID: ALPS06108596.
CVE-2022-20024 | 2 Google, Mediatek | 28 Android, Mt6580, Mt6739 and 25 more | 2022-02-14 | 4.6 MEDIUM | 7.8 HIGH | In system service, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06219064; Issue ID: ALPS06219064.
CVE-2022-0218 | 1 Codemiq | 1 Wordpress Email Template Designer | 2022-02-09 | 4.3 MEDIUM | 6.1 MEDIUM | The WP HTML Mail WordPress plugin is vulnerable to unauthorized access, which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.
CVE-2012-4245 | 1 Gimp | 1 Gimp | 2022-02-07 | 6.8 MEDIUM | N/A | The scriptfu network server in GIMP 2.6 does not require authentication, which allows remote attackers to execute arbitrary commands via the python-fu-eval command.
CVE-2021-25093 | 1 Link Library Project | 1 Link Library | 2022-02-04 | 5.0 MEDIUM | 7.5 HIGH | The Link Library WordPress plugin before 7.2.8 does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request.
CVE-2018-7792 | 1 Schneider-electric | 2 Modicon M221, Modicon M221 Firmware | 2022-02-03 | 5.0 MEDIUM | 7.5 HIGH | A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to decode the password using a rainbow table.
CVE-2022-0203 | 1 Craterapp | 1 Crater | 2022-02-02 | 5.0 MEDIUM | 5.3 MEDIUM | Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2.
CVE-2022-23945 | 1 Apache | 1 Shenyu | 2022-02-01 | 5.0 MEDIUM | 7.5 HIGH | Missing authentication on ShenYu Admin when registering via HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
CVE-2022-23944 | 1 Apache | 1 Shenyu | 2022-02-01 | 6.4 MEDIUM | 9.1 CRITICAL | Users can access the /plugin API without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
CVE-2022-0152 | 1 Gitlab | 1 Gitlab | 2022-01-25 | 4.0 MEDIUM | 6.5 MEDIUM | An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API.
CVE-2021-40327 | 1 Trustedfirmware | 1 Trusted Firmware-m | 2022-01-25 | 2.6 LOW | 5.9 MEDIUM | Trusted Firmware-M (TF-M) 1.4.0, when Profile Small is used, has incorrect access control. NSPE can access a secure key (held by the Crypto service) based solely on knowledge of its key ID. For example, there is no authorization check associated with the relationship between a caller and a key owner.
CVE-2021-4074 | 1 I-plugins | 1 Whmcs Bridge | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM | The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site Scripting via the cc_whmcs_bridge_url parameter found in the ~/whmcs-bridge/bridge_cp.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1. Due to missing authorization checks on the cc_whmcs_bridge_add_admin function, low-level authenticated users such as subscribers can exploit this vulnerability.