Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-284
Total 1059 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-4684 1 Usememos 1 Memos 2022-12-30 N/A 8.8 HIGH
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.
CVE-2022-4689 1 Usememos 1 Memos 2022-12-30 N/A 8.8 HIGH
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.
CVE-2022-23513 1 Pi-hole 1 Adminlte 2022-12-30 N/A 5.3 MEDIUM
Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.
CVE-2022-41654 1 Ghost 1 Ghost 2022-12-29 N/A 4.3 MEDIUM
An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-3186 1 Dataprobe 24 Iboot-pdu4-n20, Iboot-pdu4-n20 Firmware, Iboot-pdu4a-n15 and 21 more 2022-12-28 N/A 7.5 HIGH
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the affected product allows an attacker to access the device’s main management page from the cloud. This feature enables users to remotely connect devices, however, the current implementation permits users to access other device's information.
CVE-2022-4567 1 Open-emr 1 Openemr 2022-12-21 N/A 8.1 HIGH
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-4505 1 Open-emr 1 Openemr 2022-12-16 N/A 4.3 MEDIUM
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-41261 2 Microsoft, Sap 2 Windows, Solution Manager 2022-12-15 N/A 5.5 MEDIUM
SAP Solution Manager (Diagnostic Agent) - version 7.20, allows an authenticated attacker on Windows system to access a file containing sensitive data which can be used to access a configuration file which contains credentials to access other system files. Successful exploitation can make the attacker access files and systems for which he/she is not authorized.
CVE-2020-7561 1 Schneider-electric 2 Easergy T300, Easergy T300 Firmware 2022-12-12 7.5 HIGH 9.8 CRITICAL
A CWE-306: Missing Authentication for Critical Function vulnerability exists in Easergy T300 (with firmware 2.7 and older) that could cause a wide range of problems, including information exposure, denial of service, and command execution when access to a resource from an attacker is not restricted or incorrectly restricted.
CVE-2022-36024 1 Pycord Development 1 Pycord 2022-12-09 N/A 6.5 MEDIUM
py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version.
CVE-2021-4037 2 Debian, Linux 2 Debian Linux, Linux Kernel 2022-12-07 N/A 7.8 HIGH
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS.
CVE-2022-0824 1 Webmin 1 Webmin 2022-11-21 9.0 HIGH 8.8 HIGH
Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
CVE-2019-2729 1 Oracle 9 Communications Diameter Signaling Router, Communications Network Integrity, Hyperion Infrastructure Technology and 6 more 2022-11-09 7.5 HIGH 9.8 CRITICAL
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2022-3826 1 Huaxiaerp 1 Huaxia Erp 2022-11-04 N/A 6.5 MEDIUM
A vulnerability was found in Huaxia ERP. It has been classified as problematic. This affects an unknown part of the file /depotHead/list of the component Retail Management. The manipulation of the argument search leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-212793 was assigned to this vulnerability.
CVE-2022-3770 1 Xjyunjing 1 Yunjing Content Management System 2022-11-01 N/A 8.8 HIGH
A vulnerability classified as critical was found in Yunjing CMS. This vulnerability affects unknown code of the file /index/user/upload_img.html. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212500.
CVE-2022-3735 1 Ehoney Project 1 Ehoney 2022-10-31 N/A 9.8 CRITICAL
A vulnerability was found in seccome Ehoney. It has been rated as critical. This issue affects some unknown processing of the file /api/public/signup. The manipulation leads to improper access controls. The identifier VDB-212417 was assigned to this vulnerability.
CVE-2022-34255 2 Adobe, Magento 2 Commerce, Magento 2022-10-26 N/A N/A
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account could leverage this vulnerability to perform an account takeover for a victim. Exploitation of this issue does not require user interaction.
CVE-2022-27805 1 Goabode 2 Iota All-in-one Security Kit, Iota All-in-one Security Kit Firmware 2022-10-26 N/A 9.8 CRITICAL
An authentication bypass vulnerability exists in the GHOME control functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted network request can lead to arbitrary XCMD execution. An attacker can send a malicious XML payload to trigger this vulnerability.
CVE-2021-32656 1 Nextcloud 1 Nextcloud Server 2022-10-25 5.0 MEDIUM 8.6 HIGH
Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supports sharing registered users with other Nextcloud servers, which can be done automatically when selecting the "Add server automatically once a federated share was created successfully" setting. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2 As a workaround, disable "Add server automatically once a federated share was created successfully" in the Nextcloud settings.
CVE-2020-25654 2 Clusterlabs, Debian 2 Pacemaker, Debian Linux 2022-10-21 9.0 HIGH 7.2 HIGH
An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.