Vulnerabilities (CVE)

Filtered by CWE-281
Total 218 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-48296 1 Huawei 2 Emui, Harmonyos 2024-11-21 N/A 5.3 MEDIUM
The SystemUI has a vulnerability in permission management. Successful exploitation of this vulnerability may cause users to receive broadcasts from malicious apps, conveying false alarm information about external storage devices.
CVE-2022-48295 1 Huawei 2 Emui, Harmonyos 2024-11-21 N/A 7.5 HIGH
The IHwAntiMalPlugin interface lacks permission verification. Successful exploitation of this vulnerability can lead to filling problems (batch installation of applications).
CVE-2022-47637 2 Apachefriends, Microsoft 2 Xampp, Windows 2024-11-21 N/A 6.7 MEDIUM
The installer in XAMPP through 8.1.12 allows local users to write to the C:\xampp directory. Common use cases execute files under C:\xampp with administrative privileges.
CVE-2022-47547 1 Protocol 1 Gossipsub 2024-11-21 N/A 5.3 MEDIUM
GossipSub 1.1, as used for Ethereum 2.0, allows a peer to maintain a positive score (and thus not be pruned from the network) even though it continuously misbehaves by never forwarding topic messages.
CVE-2022-44020 2 Fedoraproject, Opendev 3 Fedora, Sushy-tools, Virtualbmc 2024-11-21 N/A 5.5 MEDIUM
An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an "unsupported, production-like configuration."
CVE-2022-43910 2 Ibm, Linux 2 Security Guardium, Linux Kernel 2024-11-21 N/A 8.4 HIGH
IBM Security Guardium 11.3 could allow a local user to escalate their privileges due to improper permission controls. IBM X-Force ID: 240908.
CVE-2022-41963 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 N/A 2.7 LOW
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 an version 2.5-alpha-1
CVE-2022-41708 1 Relatedcode 1 Messenger 2024-11-21 N/A 4.3 MEDIUM
Relatedcode's Messenger version 7bcd20b allows an authenticated external attacker to access existing chats in the workspaces of any user of the application. This is possible because the application does not validate permissions correctly.
CVE-2022-38577 1 Processmaker 1 Processmaker 2024-11-21 N/A 8.8 HIGH
ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators.
CVE-2022-38473 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-11-21 N/A 8.8 HIGH
A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.
CVE-2022-36102 1 Shopware 1 Shopware 2024-11-21 N/A 6.3 MEDIUM
Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.
CVE-2022-36062 1 Grafana 1 Grafana 2024-11-21 N/A 7.6 HIGH
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.
CVE-2022-32969 1 Metamask 1 Metamask 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
MetaMask before 10.11.3 might allow an attacker to access a user's secret recovery phrase because an input field is used for a BIP39 mnemonic, and Firefox and Chromium save such fields to disk in order to support the Restore Session feature, aka the Demonic issue.
CVE-2022-31755 1 Huawei 3 Emui, Harmonyos, Magic Ui 2024-11-21 2.1 LOW 5.5 MEDIUM
The communication module has a vulnerability of improper permission preservation. Successful exploitation of this vulnerability may affect system availability.
CVE-2022-31608 1 Nvidia 4 Geforce, Gpu Display Driver, Rtx and 1 more 2024-11-21 N/A 7.8 HIGH
NVIDIA GPU Display Driver for Linux contains a vulnerability in an optional D-Bus configuration file, where a local user with basic capabilities can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
CVE-2022-31262 1 Gog 1 Galaxy 2024-11-21 N/A 7.8 HIGH
An exploitable local privilege escalation vulnerability exists in GOG Galaxy 2.0.46. Due to insufficient folder permissions, an attacker can hijack the %ProgramData%\GOG.com folder structure and change the GalaxyCommunication service executable to a malicious file, resulting in code execution as SYSTEM.
CVE-2022-31237 1 Dell 1 Emc Powerscale Onefs 2024-11-21 N/A 3.3 LOW
Dell PowerScale OneFS, versions 9.2.0 up to and including 9.2.1.12 and 9.3.0.5 contain an improper preservation of permissions vulnerability in SyncIQ. A low privileged local attacker may potentially exploit this vulnerability, leading to limited information disclosure.
CVE-2022-31096 1 Discourse 1 Discourse 2024-11-21 2.1 LOW 5.7 MEDIUM
Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated when the invite has been configured to add the user that accepts the invite into restricted groups. Once a user has been incorrectly added to a restricted group, the user may then be able to view content which that are restricted to the respective group. Users are advised to upgrade to the current stable releases. There are no known workarounds to this issue.
CVE-2022-2787 1 Debian 2 Debian Linux, Schroot 2024-11-21 N/A 4.3 MEDIUM
Schroot before 1.6.13 had too permissive rules on chroot or session names, allowing a denial of service on the schroot service for all users that may start a schroot session.
CVE-2022-29594 2 Eginnovations, Microsoft 5 Eg Agent, Eg Manager, Eg Rum Collectors and 2 more 2024-11-21 7.2 HIGH 7.8 HIGH
eG Agent before 7.2 has weak file permissions that enable escalation of privileges to SYSTEM.