Total
139 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-22738 | 1 Vantage6 | 1 Vantage6 | 2023-03-10 | N/A | 6.5 MEDIUM |
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0. | |||||
CVE-2018-3762 | 1 Nextcloud | 1 Nextcloud Server | 2023-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to. | |||||
CVE-2022-48295 | 1 Huawei | 2 Emui, Harmonyos | 2023-02-17 | N/A | 7.5 HIGH |
The IHwAntiMalPlugin interface lacks permission verification. Successful exploitation of this vulnerability can lead to filling problems (batch installation of applications). | |||||
CVE-2022-48296 | 1 Huawei | 2 Emui, Harmonyos | 2023-02-17 | N/A | 5.3 MEDIUM |
The SystemUI has a vulnerability in permission management. Successful exploitation of this vulnerability may cause users to receive broadcasts from malicious apps, conveying false alarm information about external storage devices. | |||||
CVE-2022-48301 | 1 Huawei | 2 Emui, Harmonyos | 2023-02-17 | N/A | 7.5 HIGH |
The bundle management module lacks permission verification in some APIs. Successful exploitation of this vulnerability may restore the pre-installed apps that have been uninstalled. | |||||
CVE-2022-36062 | 1 Grafana | 1 Grafana | 2023-02-15 | N/A | 3.8 LOW |
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually. | |||||
CVE-2022-44020 | 2 Fedoraproject, Opendev | 3 Fedora, Sushy-tools, Virtualbmc | 2023-02-08 | N/A | 5.5 MEDIUM |
An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an "unsupported, production-like configuration." | |||||
CVE-2020-18329 | 1 Carel | 3 Pcoweb Card Bios, Pcoweb Card Boot, Pcoweb Card Web | 2023-02-03 | N/A | 7.5 HIGH |
An issue was discovered in Rehau devices that use a pCOWeb card BIOS v6.27, BOOT v5.00, web version v2.2, allows attackers to gain full unauthenticated access to the configuration and service interface. | |||||
CVE-2019-13727 | 4 Debian, Fedoraproject, Google and 1 more | 7 Debian Linux, Fedora, Chrome and 4 more | 2023-01-30 | 6.8 MEDIUM | 8.8 HIGH |
Insufficient policy enforcement in WebSockets in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||||
CVE-2022-47547 | 1 Protocol | 1 Gossipsub | 2023-01-04 | N/A | 5.3 MEDIUM |
GossipSub 1.1, as used for Ethereum 2.0, allows a peer to maintain a positive score (and thus not be pruned from the network) even though it continuously misbehaves by never forwarding topic messages. | |||||
CVE-2022-38473 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-01-03 | N/A | 8.8 HIGH |
A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. | |||||
CVE-2022-4326 | 2 Microsoft, Trellix | 2 Windows, Endpoint Security | 2022-12-21 | N/A | 6.0 MEDIUM |
Improper preservation of permissions vulnerability in Trellix Endpoint Agent (xAgent) prior to V35.31.22 on Windows allows a local user with administrator privileges to bypass the product protection to uninstall the agent via incorrectly applied permissions in the removal protection functionality. | |||||
CVE-2022-41963 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-12-20 | N/A | 3.1 LOW |
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 an version 2.5-alpha-1 | |||||
CVE-2022-0330 | 4 Fedoraproject, Linux, Netapp and 1 more | 46 Fedora, Linux Kernel, H300e and 43 more | 2022-12-07 | 4.6 MEDIUM | 7.8 HIGH |
A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. | |||||
CVE-2020-15113 | 2 Etcd, Fedoraproject | 2 Etcd, Fedora | 2022-11-28 | 3.6 LOW | 7.1 HIGH |
In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700). | |||||
CVE-2022-31608 | 1 Nvidia | 4 Geforce, Gpu Display Driver, Rtx and 1 more | 2022-11-28 | N/A | 7.8 HIGH |
NVIDIA GPU Display Driver for Linux contains a vulnerability in an optional D-Bus configuration file, where a local user with basic capabilities can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | |||||
CVE-2022-2787 | 1 Debian | 2 Debian Linux, Schroot | 2022-11-16 | N/A | 4.3 MEDIUM |
Schroot before 1.6.13 had too permissive rules on chroot or session names, allowing a denial of service on the schroot service for all users that may start a schroot session. | |||||
CVE-2022-38577 | 1 Processmaker | 1 Processmaker | 2022-11-15 | N/A | 8.8 HIGH |
ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators. | |||||
CVE-2021-22137 | 1 Elastic | 1 Elasticsearch | 2022-11-04 | 4.3 MEDIUM | 5.3 MEDIUM |
In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices. | |||||
CVE-2022-22650 | 1 Apple | 2 Mac Os X, Macos | 2022-11-02 | 2.1 LOW | 5.5 MEDIUM |
This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A plug-in may be able to inherit the application's permissions and access user data. |