Total
1628 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-1417 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs | |||||
CVE-2022-1401 | 1 Device42 | 1 Cmdb | 2024-11-21 | N/A | 6.9 MEDIUM |
Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00. | |||||
CVE-2022-1365 | 1 Cross-fetch Project | 1 Cross-fetch | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5. | |||||
CVE-2022-1309 | 1 Google | 1 Chrome | 2024-11-21 | N/A | 9.6 CRITICAL |
Insufficient policy enforcement in developer tools in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |||||
CVE-2022-1224 | 1 Phpipam | 1 Phpipam | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6. | |||||
CVE-2022-1223 | 1 Phpipam | 1 Phpipam | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6. | |||||
CVE-2022-1193 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.5 LOW | 4.3 MEDIUM |
Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances | |||||
CVE-2022-1177 | 1 Open-emr | 1 Openemr | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0. | |||||
CVE-2022-1132 | 1 Google | 2 Chrome, Chrome Os | 2024-11-21 | N/A | 6.1 MEDIUM |
Inappropriate implementation in Virtual Keyboard in Google Chrome on Chrome OS prior to 100.0.4896.60 allowed a local attacker to bypass navigation restrictions via physical access to the device. | |||||
CVE-2022-1124 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.5 LOW | 4.3 MEDIUM |
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access trace log of jobs when it is enabled | |||||
CVE-2022-0985 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. | |||||
CVE-2022-0984 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges. | |||||
CVE-2022-0981 | 1 Quarkus | 1 Quarkus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended. | |||||
CVE-2022-0920 | 1 Salonbookingsystem | 1 Salon Booking System | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data | |||||
CVE-2022-0866 | 1 Redhat | 3 Jboss Enterprise Application Platform, Openstack Platform, Wildfly | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled. | |||||
CVE-2022-0825 | 1 Tms-outsource | 1 Amelia | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. | |||||
CVE-2022-0775 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment | |||||
CVE-2022-0762 | 1 Microweber | 1 Microweber | 2024-11-21 | 4.0 MEDIUM | 5.5 MEDIUM |
Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3. | |||||
CVE-2022-0740 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 3.1 LOW |
Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches. | |||||
CVE-2022-0727 | 1 Framasoft | 1 Peertube | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0. |