Total
1421 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-20290 | 1 Theforeman | 1 Openscap | 2024-02-28 | 3.6 LOW | 6.1 MEDIUM |
An improper authorization handling flaw was found in Foreman. The OpenSCAP plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability. | |||||
CVE-2021-41233 | 1 Nextcloud | 1 Nextcloud Server | 2024-02-28 | 4.3 MEDIUM | 5.3 MEDIUM |
Nextcloud text is a collaborative document editing using Markdown built for the nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is recommended that users upgrade their Nextcloud Server to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the Nextcloud Text application in the application settings. | |||||
CVE-2022-1417 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs | |||||
CVE-2022-1944 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.9 MEDIUM | 7.1 HIGH |
When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open terminals on other Developers' running jobs | |||||
CVE-2022-27609 | 1 Forcepoint | 1 One Endpoint | 2024-02-28 | 3.6 LOW | 6.0 MEDIUM |
Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user disabling Forcepoint One Endpoint and the protection offered by it. | |||||
CVE-2021-32986 | 1 Automationdirect | 40 C0-10are-d, C0-10are-d Firmware, C0-10dd1e-d and 37 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
After Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, the unlocked state does not timeout. If the programming software is interrupted, the PLC remains unlocked. All subsequent programming connections are allowed without authorization. The PLC is only relocked by a power cycle, or when the programming software disconnects correctly. | |||||
CVE-2022-23822 | 1 Xilinx | 4 Zynq-7000, Zynq-7000 Firmware, Zynq-7000s and 1 more | 2024-02-28 | 4.4 MEDIUM | 6.8 MEDIUM |
In this physical attack, an attacker may potentially exploit the Zynq-7000 SoC First Stage Boot Loader (FSBL) by bypassing authentication and loading a malicious image onto the device. This in turn may further allow the attacker to perform additional attacks such as such as using the device as a decryption oracle. An anticipated mitigation via a 2022.1 patch will resolve the issue. | |||||
CVE-2021-36778 | 1 Suse | 1 Rancher | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
A Incorrect Authorization vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers. This issue affects: SUSE Rancher Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3. | |||||
CVE-2022-1553 | 1 Publify Project | 1 Publify | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
Leaking password protected articles content due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the publify website, compromising confidentiality and integrity of users. | |||||
CVE-2022-0580 | 1 Librenms | 1 Librenms | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Incorrect Authorization in Packagist librenms/librenms prior to 22.2.0. | |||||
CVE-2022-1124 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 3.5 LOW | 4.3 MEDIUM |
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access trace log of jobs when it is enabled | |||||
CVE-2022-29271 | 1 Nagios | 1 Nagios Xi | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
In Nagios XI through 5.8.5, a read-only Nagios user (due to an incorrect permission check) is able to schedule downtime for any host/services. This allows an attacker to permanently disable all monitoring checks. | |||||
CVE-2022-28542 | 1 Samsung | 1 Galaxy Store | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.40.5 allows local attackers to access privileged content providers as Galaxy Store permission. | |||||
CVE-2022-27134 | 1 B1 | 1 Eosio Batdappboomx | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
EOSIO batdappboomx v327c04cf has an Access-control vulnerability in the `transfer` function of the smart contract which allows remote attackers to win the cryptocurrency without paying ticket fee via the `std::string memo` parameter. | |||||
CVE-2022-0117 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
CVE-2022-34180 | 1 Jenkins | 1 Embeddable Build Status | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build. | |||||
CVE-2021-3456 | 1 Theforeman | 1 Smart Proxy Salt | 2024-02-28 | 3.6 LOW | 7.1 HIGH |
An improper authorization handling flaw was found in Foreman. The Salt plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability. | |||||
CVE-2022-24306 | 1 Zohocorp | 1 Manageengine Sharepoint Manager Plus | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled. | |||||
CVE-2020-25722 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored data. An attacker could use this flaw to cause total domain compromise. | |||||
CVE-2022-24841 | 1 Fleetdm | 1 Fleet | 2024-02-28 | 5.5 MEDIUM | 8.1 HIGH |
fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue. |