Total: 1466 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-33174 | 1 Powertekpdus | 14 Basic Pdu, Basic Pdu Firmware, Piml Pdu and 11 more | 2022-06-27 | 5.0 MEDIUM | 7.5 HIGH | Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allow remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can then be used to fetch the values of the protected sys.passwd and sys.su.name fields, which contain the username and password in cleartext.
CVE-2021-32777 | 1 Envoyproxy | 1 Envoy | 2022-06-15 | 7.5 HIGH | 8.3 HIGH | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions, when the ext-authz extension is sending request headers to the external authorization service, it must merge multiple-value headers according to the HTTP spec. However, only the last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using the ext-authz extension or a back-end service that uses multiple-value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of the ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4 and 1.16.5 contain fixes to the ext-authz extension to correctly merge multiple request header values when sending the request for authorization.
CVE-2018-1999003 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.0 MEDIUM | 4.3 MEDIUM | An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.
CVE-2018-1999004 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.0 MEDIUM | 4.3 MEDIUM | An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches and abort in-progress agent launches.
CVE-2022-1944 | 1 Gitlab | 1 Gitlab | 2022-06-13 | 4.9 MEDIUM | 7.1 HIGH | When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open terminals on other Developers' running jobs.
CVE-2022-1935 | 1 Gitlab | 1 Gitlab | 2022-06-13 | 4.0 MEDIUM | 6.5 MEDIUM | Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Trigger Token to misuse it from any location, even when IP address restrictions were configured.
CVE-2022-1936 | 1 Gitlab | 1 Gitlab | 2022-06-13 | 4.0 MEDIUM | 6.5 MEDIUM | Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location, even when IP address restrictions were configured.
CVE-2022-26767 | 1 Apple | 1 Macos | 2022-06-08 | 4.3 MEDIUM | 5.5 MEDIUM | The issue was addressed with additional permissions checks. This issue is fixed in macOS Monterey 12.4 and macOS Big Sur 11.6.6. A malicious application may be able to bypass Privacy preferences.
CVE-2021-3956 | 1 Lenovo | 46 Thinkagile Hx1320, Thinkagile Hx1321, Thinkagile Hx1520-r and 43 more | 2022-06-06 | 4.3 MEDIUM | 5.3 MEDIUM | A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports "unauthenticated bind", such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only "authenticated bind" and/or "anonymous bind" are not affected.
CVE-2022-0482 | 1 Easyappointments | 1 Easyappointments | 2022-06-03 | 6.4 MEDIUM | 9.1 CRITICAL | Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.
CVE-2021-3658 | 2 Bluez, Fedoraproject | 2 Bluez, Fedora | 2022-06-03 | 3.3 LOW | 6.5 MEDIUM | bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the Bluetooth stack to physically nearby attackers.
CVE-2022-0825 | 1 Tms-outsource | 1 Amelia | 2022-06-03 | 5.5 MEDIUM | 5.4 MEDIUM | The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update others' booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it.
CVE-2022-30016 | 1 Rescue Dispatch Management System Project | 1 Rescue Dispatch Management System | 2022-05-30 | 6.5 MEDIUM | 8.8 HIGH | Rescue Dispatch Management System 1.0 is vulnerable to Incorrect Access Control via http://localhost/rdms/admin/?page=system_info.
CVE-2022-1753 | 1 Wowonder | 1 Wowonder | 2022-05-25 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability, which was classified as critical, was found in WoWonder. Affected is the file /requests.php, which is responsible for handling group messages. The manipulation of the argument group_id allows posting messages in other groups. It is possible to launch the attack remotely, but it might require authentication. A video explaining the attack has been disclosed to the public.
CVE-2022-1553 | 1 Publify Project | 1 Publify | 2022-05-25 | 4.0 MEDIUM | 4.9 MEDIUM | Leaking of password-protected articles' content due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the Publify website, compromising confidentiality and integrity of users.
CVE-2022-0574 | 1 Publify Project | 1 Publify | 2022-05-24 | 6.4 MEDIUM | 6.5 MEDIUM | Improper Access Control in GitHub repository publify/publify prior to 9.2.8.
CVE-2022-27134 | 1 B1 | 1 Eosio Batdappboomx | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH | EOSIO batdappboomx v327c04cf has an access-control vulnerability in the `transfer` function of the smart contract, which allows remote attackers to win the cryptocurrency without paying the ticket fee via the `std::string memo` parameter.
CVE-2022-23139 | 1 Zte | 2 Zxmp M721, Zxmp M721 Firmware | 2022-05-23 | 6.5 MEDIUM | 8.8 HIGH | ZTE's ZXMP M721 product has a permission and access control vulnerability. The folder permission viewed via sftp is 666, which is inconsistent with the actual permission. It's easy for users to ignore the modification of the file permission configuration, so that low-authority accounts could actually obtain higher operating permissions on key files.
CVE-2022-28601 | 1 Lmsdoctor | 1 2 Factor Authentication | 2022-05-23 | 4.0 MEDIUM | 6.5 MEDIUM | A Two-Factor Authentication (2FA) bypass vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor allows remote attackers to overwrite the phone number used for confirmation via the profile.php file, thereby allowing them to bypass the phone verification mechanism.
CVE-2022-1124 | 1 Gitlab | 1 Gitlab | 2022-05-18 | 3.5 LOW | 4.3 MEDIUM | An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access the trace log of jobs when it is enabled.