Total
3184 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30955 | 1 Jenkins | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-30954 | 1 Jenkins | 1 Blue Ocean | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | |||||
| CVE-2022-30951 | 1 Jenkins | 1 Wmi Windows Agents | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library does not implement access control, potentially allowing users to start processes even if they're not allowed to log in. | |||||
| CVE-2022-30746 | 1 Samsung | 1 Smartthings | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Missing caller check in Smart Things prior to version 1.7.85.12 allows attacker to access senstive information remotely using javascript interface API. | |||||
| CVE-2022-30594 | 3 Debian, Linux, Netapp | 21 Debian Linux, Linux Kernel, 8300 and 18 more | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag. | |||||
| CVE-2022-2987 | 1 Ldap Wp Login \/ Active Directory Integration Project | 1 Ldap Wp Login \/ Active Directory Integration | 2024-11-21 | N/A | 7.5 HIGH |
| The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authentication | |||||
| CVE-2022-2985 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-11-21 | N/A | 7.8 HIGH |
| In music service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed. | |||||
| CVE-2022-2846 | 1 Dwbooster | 1 Calendar Event Multi View | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it. | |||||
| CVE-2022-2732 | 1 Open-emr | 1 Openemr | 2024-11-21 | N/A | 8.3 HIGH |
| Missing Authorization in GitHub repository openemr/openemr prior to 7.0.0.1. | |||||
| CVE-2022-2657 | 1 Wc-marketplace | 1 Multivendor Marketplace Solution For Woocommerce - Wc Marketplace | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF | |||||
| CVE-2022-2543 | 1 Visualportfolio | 1 Visual Portfolio\, Photo Gallery \& Post Grid | 2024-11-21 | N/A | 6.1 MEDIUM |
| The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts | |||||
| CVE-2022-2459 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 2.7 LOW |
| An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled. | |||||
| CVE-2022-2450 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2024-11-21 | N/A | 4.3 MEDIUM |
| The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers to call them. | |||||
| CVE-2022-2405 | 1 Themehunk | 1 Wp Popup Builder | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup | |||||
| CVE-2022-2389 | 1 Funnelkit | 1 Funnelkit Automations | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations | |||||
| CVE-2022-2382 | 1 Shapedplugin | 1 Product Slider For Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options. | |||||
| CVE-2022-2379 | 1 Easy Student Results Project | 1 Easy Student Results | 2024-11-21 | N/A | 7.5 HIGH |
| The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to the courses, exams, departments as well as student's grades and PII such as email address, physical address, phone number etc | |||||
| CVE-2022-2377 | 1 Wpwax | 1 Directorist | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog | |||||
| CVE-2022-2376 | 1 Wpwax | 1 Directorist | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users | |||||
| CVE-2022-2373 | 1 Nsqua | 1 Simply Schedule Appointments | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address | |||||