Total
1421 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-42192 | 1 Konga Project | 1 Konga | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
Konga v0.14.9 is affected by an incorrect access control vulnerability where a specially crafted request can lead to privilege escalation. | |||||
CVE-2022-1936 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP address restrictions were configured | |||||
CVE-2019-25058 | 3 Debian, Fedoraproject, Usbguard Project | 3 Debian Linux, Fedora, Usbguard | 2024-02-28 | 4.4 MEDIUM | 7.8 HIGH |
An issue was discovered in USBGuard before 1.1.0. On systems with the usbguard-dbus daemon running, an unprivileged user could make USBGuard allow all USB devices to be connected in the future. | |||||
CVE-2021-39802 | 1 Google | 1 Android | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
In change_pte_range of mprotect.c , there is a possible way to make a shared mmap writable due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-213339151References: Upstream kernel | |||||
CVE-2022-1466 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. | |||||
CVE-2021-28505 | 1 Arista | 18 Ccs-710p-12, Ccs-710p-16p, Ccs-720xp-24y6 and 15 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
On affected Arista EOS platforms, if a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP protocol. | |||||
CVE-2022-1746 | 1 Dominionvoting | 2 Democracy Suite, Imagecast X | 2024-02-28 | 7.2 HIGH | 7.6 HIGH |
The authentication mechanism used by poll workers to administer voting using the tested version of Dominion Voting Systems ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment. | |||||
CVE-2022-27836 | 1 Google | 1 Android | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
Improper access control and path traversal vulnerability in Storage Manager and Storage Manager Service prior to SMR Apr-2022 Release 1 allow local attackers to access arbitrary system files without a proper permission. The patch adds proper validation logic to prevent arbitrary files access. | |||||
CVE-2022-0451 | 1 Dart | 1 Dart Software Development Kit | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirection logic. If a request is sent to example.com with authorization header and it redirects to an attackers site, they might not expect attacker site to receive authorization header. We recommend updating the Dart SDK to version 2.16.0 or beyond. | |||||
CVE-2022-28774 | 1 Sap | 1 Host Agent | 2024-02-28 | 1.9 LOW | 5.5 MEDIUM |
Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted. | |||||
CVE-2021-3658 | 2 Bluez, Fedoraproject | 2 Bluez, Fedora | 2024-02-28 | 3.3 LOW | 6.5 MEDIUM |
bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers. | |||||
CVE-2022-29047 | 1 Jenkins | 1 Pipeline\ | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them. | |||||
CVE-2020-14121 | 1 Mi | 1 Mi App Store | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
A business logic vulnerability exists in Mi App Store. The vulnerability is caused by incomplete permission checks of the products being bypassed, and an attacker can exploit the vulnerability to perform a local silent installation. | |||||
CVE-2022-1753 | 1 Wowonder | 1 Wowonder | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
A vulnerability, which was classified as critical, was found in WoWonder. Affected is the file /requests.php which is responsible to handle group messages. The manipulation of the argument group_id allows posting messages in other groups. It is possible to launch the attack remotely but it might require authentication. A video explaining the attack has been disclosed to the public. | |||||
CVE-2022-0981 | 1 Quarkus | 1 Quarkus | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended. | |||||
CVE-2022-34814 | 1 Jenkins | 1 Request Rename Or Delete | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page listing pending requests. | |||||
CVE-2022-0633 | 1 Updraftplus | 1 Updraftplus | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup. | |||||
CVE-2022-24865 | 1 Humhub | 1 Humhub | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
HumHub is an Open Source Enterprise Social Network. In affected versions users who are forced to change their password by an administrator may retrieve other users' data. This issue has been resolved by commit `eb83de20`. It is recommended that the HumHub is upgraded to 1.11.0, 1.10.4 or 1.9.4. There are no known workarounds for this issue. | |||||
CVE-2020-24771 | 1 Nexusphp | 1 Nexusphp | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Incorrect access control in NexusPHP 1.5.beta5.20120707 allows unauthorized attackers to access published content. | |||||
CVE-2022-0985 | 1 Moodle | 1 Moodle | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. |