Total: 1603 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-3883 | 1 Stopbadbots Project | 1 Stopbadbots | 2024-02-28 | N/A | 6.5 MEDIUM | The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 7.24 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and install and activate arbitrary plugins from wordpress.org
CVE-2023-0091 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-02-28 | N/A | 3.8 LOW | A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
CVE-2022-45353 | 1 Muffingroup | 1 Betheme | 2024-02-28 | N/A | 8.1 HIGH | Broken Access Control in Betheme theme <= 26.6.1 on WordPress.
CVE-2021-45466 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | N/A | 9.8 CRITICAL | In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder.
CVE-2023-22945 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-28 | N/A | 4.3 MEDIUM | In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.
CVE-2023-24829 | 1 Apache | 1 Iotdb | 2024-02-28 | N/A | 8.8 HIGH | Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB. This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.
CVE-2022-46160 | 1 Enalean | 1 Tuleap | 2024-02-28 | N/A | 4.3 MEDIUM | Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.104, project level authorizations are not properly verified when accessing the project "homepage"/dashboards. Users not authorized to access a project may still be able to get some information provided by the widgets (e.g. number of members, content of the Notes widget...). This issue has been patched in Tuleap Community Edition 14.2.99.104, Tuleap Enterprise Edition 14.2-4, and Tuleap Enterprise Edition 14.1-5.
CVE-2022-45435 | 1 Sailpoint | 1 Identityiq | 2024-02-28 | N/A | 6.5 MEDIUM | IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration.
CVE-2022-44039 | 1 Franklinfueling | 1 Colibri Firmware | 2024-02-28 | N/A | 9.8 CRITICAL | Franklin Fueling System FFS Colibri 1.9.22.8925 is affected by: File system overwrite. The impact is: File system rewrite (remote). An attacker can overwrite system files like [system.conf] and [passwd]; this occurs because of the insecure usage of the "fopen" system function with the mode "wb", which allows overwriting the file if it exists. Overwriting files such as passwd allows an attacker to escalate his privileges by planting a backdoor user with root privilege or changing the root password.
CVE-2022-39903 | 1 Google | 1 Android | 2024-02-28 | N/A | 3.3 LOW | Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.
CVE-2022-46076 | 1 Dlink | 4 Dir-869, Dir-869 Firmware, Dir-869ax and 1 more | 2024-02-28 | N/A | 7.5 HIGH | D-Link DIR-869 DIR869Ax_FW102B15 is vulnerable to Authentication Bypass via phpcgi.
CVE-2023-26056 | 1 Xwiki | 1 Xwiki | 2024-02-28 | N/A | 5.4 MEDIUM | XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10. There are no known workarounds for this issue.
CVE-2022-32310 | 1 Ingredient Stock Management System Project | 1 Ingredient Stock Management System | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | An access control issue in Ingredient Stock Management System v1.0 allows attackers to take over user accounts via a crafted POST request to /isms/classes/Users.php.
CVE-2022-31252 | 2 Opensuse, Suse | 3 Leap, Leap Micro, Linux Enterprise Server | 2024-02-28 | N/A | 4.4 MEDIUM | An Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group that can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to 20200127. openSUSE Leap 15.4 permissions versions prior to 20201225. openSUSE Leap Micro 5.2 permissions versions prior to 20181225.
CVE-2022-41574 | 1 Gradle | 1 Enterprise | 2024-02-28 | N/A | 7.5 HIGH | An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2.
CVE-2021-3763 | 1 Redhat | 1 Amq Broker | 2024-02-28 | N/A | 4.3 MEDIUM | A flaw was found in the Red Hat AMQ Broker management console in version 7.8 where an existing user is able to access some limited information even when the role the user is assigned to should not be allowed access to the management console. The main impact is to confidentiality: as this flaw means some role bindings are incorrectly checked, some privileged meta information such as queue names and configuration details are disclosed, but the impact is limited as not all information is accessible and there is no effect on integrity.
CVE-2022-1499 | 1 Google | 1 Chrome | 2024-02-28 | N/A | 6.3 MEDIUM | Inappropriate implementation in WebAuthentication in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
CVE-2022-34046 | 1 Wavlink | 2 Wn533a8, Wn533a8 Firmware | 2024-02-28 | N/A | 7.5 HIGH | An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);].
CVE-2022-35924 | 1 Nextauth.js | 1 Next-auth | 2024-02-28 | N/A | 9.1 CRITICAL | NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (e.g. `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker's and the victim's e-mail addresses. The attacker could then log in as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address (e.g. strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization.
CVE-2022-2501 | 1 Gitlab | 1 Gitlab | 2024-02-28 | N/A | 7.5 HIGH | An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing; proper permissions are still required.