Total
1419 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-20942 | 1 Cisco | 4 Asyncos, Secure Email And Web Manager, Secure Email Gateway and 1 more | 2024-02-28 | N/A | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA), Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance, formerly known as Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to retrieve sensitive information from an affected device, including user credentials. This vulnerability is due to weak enforcement of back-end authorization checks. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain confidential data that is stored on the affected device. | |||||
| CVE-2022-39352 | 1 Openfga | 1 Openfga | 2024-02-28 | N/A | 9.8 CRITICAL |
| OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation. | |||||
| CVE-2022-35921 | 1 Friendsofflarum | 1 Byobu | 2024-02-28 | N/A | 4.3 MEDIUM |
| fof/byobu is a private discussions extension for Flarum forum. Affected versions were found to not respect private discussion disablement by users. Users of Byobu should update the extension to version 1.1.7, where this has been patched. Users of Byobu with Flarum 1.0 or 1.1 should upgrade to Flarum 1.2 or later, or evaluate the impact this issue has on your forum's users and choose to disable the extension if needed. There are no workarounds for this issue. | |||||
| CVE-2022-45383 | 1 Jenkins | 1 Support Core | 2024-02-28 | N/A | 6.5 MEDIUM |
| An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission. | |||||
| CVE-2022-23452 | 2 Openstack, Redhat | 2 Barbican, Openstack Platform | 2024-02-28 | N/A | 4.9 MEDIUM |
| An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service. | |||||
| CVE-2022-39302 | 1 Ree6 | 1 Ree6 | 2024-02-28 | N/A | 5.4 MEDIUM |
| Ree6 is a moderation bot. This vulnerability would allow other server owners to create configurations such as "Better-Audit-Logging" which contain a channel from another server as a target. This would mean you could send log messages to another Guild channel and bypass raid and webhook protections. A specifically crafted log message could allow spamming and mass advertisements. This issue has been patched in version 1.9.9. There are currently no known workarounds. | |||||
| CVE-2022-2408 | 1 Mattermost | 1 Mattermost | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels. | |||||
| CVE-2022-3048 | 2 Fedoraproject, Google | 3 Fedora, Chrome, Chrome Os | 2024-02-28 | N/A | 6.8 MEDIUM |
| Inappropriate implementation in Chrome OS lockscreen in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a local attacker to bypass lockscreen navigation restrictions via physical access to the device. | |||||
| CVE-2022-39388 | 1 Istio | 1 Istio | 2024-02-28 | N/A | 3.5 LOW |
| Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2022-0594 | 1 Shareaholic | 1 Shareaholic | 2024-02-28 | N/A | 5.3 MEDIUM |
| The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have proper authorisation check in one of the AJAX action, available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc. | |||||
| CVE-2022-31155 | 1 Sourcegraph | 1 Sourcegraph | 2024-02-28 | N/A | 4.3 MEDIUM |
| Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users’ saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users’ saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended. | |||||
| CVE-2022-23451 | 2 Openstack, Redhat | 2 Barbican, Openstack Platform | 2024-02-28 | N/A | 8.1 HIGH |
| An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources. | |||||
| CVE-2022-36634 | 1 Zkteco | 1 Zkbiosecurity V5000 | 2024-02-28 | N/A | 8.8 HIGH |
| An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request. | |||||
| CVE-2022-35890 | 1 Inductiveautomation | 1 Ignition | 2024-02-28 | N/A | 9.8 CRITICAL |
| An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy. | |||||
| CVE-2022-35716 | 1 Ibm | 1 Urbancode Deploy | 2024-02-28 | N/A | 6.5 MEDIUM |
| IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could allow an authenticated user to obtain sensitive information in some instances due to improper security checking. IBM X-Force ID: 231360. | |||||
| CVE-2022-31178 | 1 Elabftw | 1 Elabftw | 2024-02-28 | N/A | 4.3 MEDIUM |
| eLabFTW is an electronic lab notebook manager for research teams. A vulnerability was discovered which allows a logged in user to read a template without being authorized to do so. This vulnerability has been patched in 4.3.4. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-1309 | 1 Google | 1 Chrome | 2024-02-28 | N/A | 9.6 CRITICAL |
| Insufficient policy enforcement in developer tools in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |||||
| CVE-2022-2326 | 1 Gitlab | 1 Gitlab | 2024-02-28 | N/A | 8.1 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible to gain access to a private project through an email invite by using other user's email address as an unverified secondary email. | |||||
| CVE-2020-14321 | 1 Moodle | 1 Moodle | 2024-02-28 | N/A | 8.8 HIGH |
| In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course. | |||||
| CVE-2022-26479 | 1 Poly | 2 Eagleeye Director Ii, Eagleeye Director Ii Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
| An issue was discovered in Poly EagleEye Director II before 2.2.2.1. Existence of a certain file (which can be created via an rsync backdoor) causes all API calls to execute as admin without authentication. | |||||