Total: 28988 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-20696 | 1 Cisco | 2 Catalyst Sd-wan Manager, Sd-wan Vmanage | 2024-02-28 | N/A | 8.8 HIGH |
A vulnerability in the binding configuration of Cisco SD-WAN vManage Software containers could allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system. This vulnerability exists because the messaging server container ports on an affected system lack sufficient protection mechanisms. An attacker could exploit this vulnerability by connecting to the messaging service ports of the affected system. To exploit this vulnerability, the attacker must be able to send network traffic to interfaces within the VPN0 logical network. This network may be restricted to protect logical or physical adjacent networks, depending on device deployment configuration. A successful exploit could allow the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload. | |||||
CVE-2022-28718 | 1 Cybozu | 1 Garoon | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Operation restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Bulletin. | |||||
CVE-2022-21165 | 1 Font Converter Project | 1 Font Converter | 2024-02-28 | N/A | 9.8 CRITICAL |
All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec() function. | |||||
CVE-2022-36090 | 1 Xwiki | 1 Xwiki | 2024-02-28 | N/A | 8.1 HIGH |
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. In the same way, some resource handlers created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instance configured with the email activation required for new users. Now it's more critical for versions 11.3-rc-1 and later since the maintainers provided the capability to disable users without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki. | |||||
CVE-2022-2630 | 1 Gitlab | 1 Gitlab | 2024-02-28 | N/A | 4.3 MEDIUM |
An improper access control issue in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of confidential information via the Incident timeline events. | |||||
CVE-2022-20332 | 1 Google | 1 Android | 2024-02-28 | N/A | 5.5 MEDIUM |
In PackageManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-180019130 | |||||
CVE-2022-1874 | 2 Apple, Google | 2 Macos, Chrome | 2024-02-28 | N/A | 8.8 HIGH |
Insufficient policy enforcement in Safe Browsing in Google Chrome on Mac prior to 102.0.5005.61 allowed a remote attacker to bypass downloads protection policy via a crafted HTML page. | |||||
CVE-2022-25679 | 1 Qualcomm | 134 Aqt1000, Aqt1000 Firmware, Qca6390 and 131 more | 2024-02-28 | N/A | 5.5 MEDIUM |
Denial of service in video due to improper access control in broadcast receivers in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | |||||
CVE-2022-2675 | 1 Unitree | 2 Go 1, Go 1 Firmware | 2024-02-28 | N/A | 6.5 MEDIUM |
Using off-the-shelf commodity hardware, the Unitree Go 1 robotics platform version H0.1.7 and H0.1.9 (using firmware version 0.1.35) can be powered down by an attacker within normal RF range without authentication. Other versions may be affected, such as the A1. | |||||
CVE-2022-36454 | 1 Mitel | 1 Micollab | 2024-02-28 | N/A | 6.5 MEDIUM |
A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to impersonate another user's name. | |||||
CVE-2022-38743 | 1 Rockwellautomation | 1 Factorytalk Vantagepoint | 2024-02-28 | N/A | 8.8 HIGH |
Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an improper access control vulnerability. The FactoryTalk VantagePoint SQL Server account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database. If successfully exploited, this could allow the attacker to execute arbitrary code and gain access to restricted data. | |||||
CVE-2022-20859 | 1 Cisco | 3 Unified Communications Manager, Unified Communications Manager Im And Presence Service, Unity Connection | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an authenticated, remote attacker to perform certain administrative actions they should not be able to. This vulnerability is due to insufficient access control checks on the affected device. An attacker with read-only privileges could exploit this vulnerability by executing a specific vulnerable command on an affected device. A successful exploit could allow the attacker to perform a set of administrative actions they should not be able to. | |||||
CVE-2022-25765 | 2 Fedoraproject, Pdfkit Project | 2 Fedora, Pdfkit | 2024-02-28 | N/A | 9.8 CRITICAL |
The package pdfkit from 0.0.0 is vulnerable to Command Injection where the URL is not properly sanitized. | |||||
CVE-2022-40798 | 1 Ocomon Project | 1 Ocomon | 2024-02-28 | N/A | 7.5 HIGH |
OcoMon 4.0RC1 is vulnerable to Incorrect Access Control. Through a request, the user can obtain the real email; by sending the same request with the correct email, account takeover is possible. | |||||
CVE-2022-42975 | 1 Phoenixframework | 1 Phoenix | 2024-02-28 | N/A | 7.5 HIGH |
socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token. | |||||
CVE-2022-3182 | 1 Devolutions | 1 Remote Desktop Manager | 2024-02-28 | N/A | 7.0 HIGH |
Improper Access Control vulnerability in the Duo SMS two-factor of Devolutions Remote Desktop Manager 2022.2.14 and earlier allows attackers to bypass the application lock. This issue affects: Devolutions Remote Desktop Manager version 2022.2.14 and prior versions. | |||||
CVE-2022-3363 | 1 Ikus-soft | 1 Rdiffweb | 2024-02-28 | N/A | 9.8 CRITICAL |
Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.0a7. | |||||
CVE-2022-23000 | 1 Westerndigital | 18 My Cloud, My Cloud Dl2100, My Cloud Dl2100 Firmware and 15 more | 2024-02-28 | N/A | 7.8 HIGH |
The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability. | |||||
CVE-2022-34431 | 1 Dell | 1 Hybrid Client | 2024-02-28 | N/A | 6.5 MEDIUM |
Dell Hybrid Client versions below 1.8 contain a guest user profile corruption vulnerability. An attacker with WMS privileges could potentially exploit this vulnerability, leading to the DHC system not being accessible. | |||||
CVE-2022-38381 | 1 Fortinet | 1 Fortiadc | 2024-02-28 | N/A | 9.8 CRITICAL |
An improper handling of malformed request vulnerability [CWE-228] exists in FortiADC 5.0 all versions, 6.0.0 all versions, 6.1.0 all versions, 6.2.0 through 6.2.3, and 7.0.0 through 7.0.2. This may allow a remote attacker without privileges to bypass some Web Application Firewall (WAF) protection such as the SQL Injection and XSS filters via a malformed HTTP request. |