Total
1466 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-24306 | 1 Zohocorp | 1 Manageengine Sharepoint Manager Plus | 2022-03-09 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled. | |||||
| CVE-2022-0727 | 1 Framasoft | 1 Peertube | 2022-03-02 | 5.5 MEDIUM | 5.4 MEDIUM |
| Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0. | |||||
| CVE-2022-21141 | 1 Airspan | 9 A5x, A5x Firmware, C5c and 6 more | 2022-02-26 | 10.0 HIGH | 9.8 CRITICAL |
| MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization checks on multiple API functions. An attacker may gain access to these functions and achieve remote code execution, create a denial-of-service condition, and obtain sensitive information. | |||||
| CVE-2022-0451 | 1 Dart | 1 Dart Software Development Kit | 2022-02-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirection logic. If a request is sent to example.com with authorization header and it redirects to an attackers site, they might not expect attacker site to receive authorization header. We recommend updating the Dart SDK to version 2.16.0 or beyond. | |||||
| CVE-2021-22042 | 1 Vmware | 2 Cloud Foundation, Esxi | 2022-02-25 | 4.6 MEDIUM | 7.8 HIGH |
| VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. A malicious actor with privileges within the VMX process only, may be able to access settingsd service running as a high privileged user. | |||||
| CVE-2022-25270 | 1 Drupal | 1 Drupal | 2022-02-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. | |||||
| CVE-2022-0309 | 1 Google | 1 Chrome | 2022-02-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Autofill in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||||
| CVE-2022-23998 | 2 Google, Samsung | 2 Android, Camera | 2022-02-22 | 4.3 MEDIUM | 5.5 MEDIUM |
| Improper access control vulnerability in Camera prior to versions 11.1.02.16 in Android R(11), 10.5.03.77 in Android Q(10) and 9.0.6.68 in Android P(9) allows untrusted applications to take a picture in screenlock status. | |||||
| CVE-2020-35948 | 1 Xcloner | 1 Xcloner | 2022-02-22 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump. | |||||
| CVE-2022-0633 | 1 Updraftplus | 1 Updraftplus | 2022-02-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup. | |||||
| CVE-2022-23627 | 1 Archisteamfarm Project | 1 Archisteamfarm | 2022-02-16 | 4.0 MEDIUM | 6.8 MEDIUM |
| ArchiSteamFarm (ASF) is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Due to a bug in ASF code, introduced in version V5.2.2.2, the program didn't adequately verify effective access of the user sending proxy (i.e. `[Bots]`) commands. In particular, a proxy-like command sent to bot `A` targeting bot `B` has incorrectly verified user's access against bot `A` - instead of bot `B`, to which the command was originally designated. This in result allowed access to resources beyond those configured, being a security threat affecting confidentiality of other bot instances. A successful attack exploiting this bug requires a significant access granted explicitly by original owner of the ASF process prior to that, as attacker has to control at least a single bot in the process to make use of this inadequate access verification loophole. The issue is patched in ASF V5.2.2.5, V5.2.3.2 and future versions. Users are advised to update as soon as possible. | |||||
| CVE-2022-23615 | 1 Xwiki | 1 Xwiki | 2022-02-16 | 5.5 MEDIUM | 5.4 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requiring programming right if the current user has programming right. This has been patched in XWiki 13.0. Users are advised to update to resolve this issue. The only known workaround is to limit SCRIPT access. | |||||
| CVE-2021-39943 | 1 Gitlab | 1 Gitlab | 2022-02-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call | |||||
| CVE-2022-24307 | 1 Joinmastodon | 1 Mastodon | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.) | |||||
| CVE-2021-29394 | 1 Globalnorthstar | 1 Northstar Club Management | 2022-02-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| Account Hijacking in /northstar/Admin/changePassword.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote authenticated users to change the password of any targeted user accounts via lack of proper authorization in the user-controlled "userID" parameter of the HTTP POST request. | |||||
| CVE-2021-24733 | 1 Wp Post Page Clone Project | 1 Wp Post Page Clone | 2022-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally. | |||||
| CVE-2020-7499 | 1 Schneider-electric | 12 Mtn6260-0310, Mtn6260-0310 Firmware, Mtn6260-0315 and 9 more | 2022-02-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| A CWE-863: Incorrect Authorization vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause unauthorized access when a low privileged user makes unauthorized changes. | |||||
| CVE-2022-23009 | 1 F5 | 1 Big-iq Centralized Management | 2022-02-01 | 9.0 HIGH | 7.2 HIGH |
| On BIG-IQ Centralized Management 8.x before 8.1.0, an authenticated administrative role user on a BIG-IQ managed BIG-IP device can access other BIG-IP devices managed by the same BIG-IQ system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2013-6926 | 1 Siemens | 1 Ruggedcom Rugged Operating System | 2022-02-01 | 8.0 HIGH | N/A |
| The integrated HTTPS server in Siemens RuggedCom ROS before 3.12.2 allows remote authenticated users to bypass intended restrictions on administrative actions by leveraging access to a (1) guest or (2) operator account. | |||||
| CVE-2019-6855 | 1 Schneider-electric | 44 Ecostruxure Control Expert, Modicon M340 Bmxp341000, Modicon M340 Bmxp341000 Firmware and 41 more | 2022-01-31 | 7.5 HIGH | 7.3 HIGH |
| Incorrect Authorization vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20) , and Modicon M580 (all versions prior to V3.10), which could cause a bypass of the authentication process between EcoStruxure Control Expert and the M340 and M580 controllers. | |||||