Total
688 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-23488 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-12-22 | N/A | 7.5 HIGH |
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds. | |||||
CVE-2022-31708 | 1 Vmware | 1 Vrealize Operations | 2022-12-21 | N/A | 4.9 MEDIUM |
vRealize Operations (vROps) contains a broken access control vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.4. | |||||
CVE-2022-20562 | 1 Google | 1 Android | 2022-12-20 | N/A | 3.3 LOW |
In various functions of ap_input_processor.c, there is a possible way to record audio during a phone call due to a logic error in the code. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-231630423References: N/A | |||||
CVE-2022-20529 | 1 Google | 1 Android | 2022-12-20 | N/A | 2.4 LOW |
In multiple locations of WifiDialogActivity.java, there is a possible limited lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege in wifi settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-231583603 | |||||
CVE-2022-20525 | 1 Google | 1 Android | 2022-12-20 | N/A | 3.3 LOW |
In enforceVisualVoicemailPackage of PhoneInterfaceManager.java, there is a possible leak of visual voicemail package name due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-229742768 | |||||
CVE-2022-4390 | 1 Netgear | 2 Ax2400, Ax2400 Firmware | 2022-12-19 | N/A | 10.0 CRITICAL |
A network misconfiguration is present in versions prior to 1.0.9.90 of the NETGEAR RAX30 AX2400 series of routers. IPv6 is enabled for the WAN interface by default on these devices. While there are firewall restrictions in place that define access restrictions for IPv4 traffic, these restrictions do not appear to be applied to the WAN interface for IPv6. This allows arbitrary access to any services running on the device that may be inadvertently listening via IPv6, such as the SSH and Telnet servers spawned on ports 22 and 23 by default. This misconfiguration could allow an attacker to interact with services only intended to be accessible by clients on the local network. | |||||
CVE-2022-47411 | 1 Fp Newsletter Project | 1 Fp Newsletter | 2022-12-16 | N/A | 7.5 HIGH |
An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Data about subscribers may be obtained via unsubscribeAction operations. | |||||
CVE-2022-47410 | 1 Fp Newsletter Project | 1 Fp Newsletter | 2022-12-16 | N/A | 7.5 HIGH |
An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Data about subscribers may be obtained via createAction operations. | |||||
CVE-2021-40012 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2022-12-12 | 5.0 MEDIUM | 7.5 HIGH |
Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality. | |||||
CVE-2022-38599 | 1 Goteleport | 1 Teleport | 2022-12-12 | N/A | 6.5 MEDIUM |
Teleport v3.2.2, Teleport v3.5.6-rc6, and Teleport v3.6.3-b2 was discovered to contain an information leak via the /user/get-role-list web interface. | |||||
CVE-2022-4366 | 1 Daloradius | 1 Daloradius | 2022-12-12 | N/A | 7.5 HIGH |
Exposure of Sensitive System Information to an Unauthorized Control Sphere in GitHub repository lirantal/daloradius prior to master branch. | |||||
CVE-2021-43536 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2022-12-09 | 4.3 MEDIUM | 6.5 MEDIUM |
Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. | |||||
CVE-2022-42782 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2022-12-07 | N/A | 5.5 MEDIUM |
In wlan driver, there is a possible missing permission check, This could lead to local information disclosure. | |||||
CVE-2022-42766 | 2 Google, Unisoc | 14 Android, S8011, Sc7731e and 11 more | 2022-12-07 | N/A | 5.5 MEDIUM |
In wlan driver, there is a possible missing permission check, This could lead to local information disclosure. | |||||
CVE-2022-46338 | 2 Debian, G810-led Project | 2 Debian Linux, G810-led | 2022-12-06 | N/A | 6.5 MEDIUM |
g810-led 0.4.2, a LED configuration tool for Logitech Gx10 keyboards, contained a udev rule to make supported device nodes world-readable and writable, allowing any process on the system to read traffic from keyboards, including sensitive data. | |||||
CVE-2022-43901 | 1 Ibm | 1 Websphere Automation For Ibm Cloud Pak For Watson Aiops | 2022-12-06 | N/A | 5.5 MEDIUM |
IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps 1.4.3 could disclose sensitive information. An authenticated local attacker could exploit this vulnerability to possibly gain information to other IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps components. IBM X-Force ID: 240829. | |||||
CVE-2022-41971 | 1 Nextcloud | 1 Nextcloud Talk | 2022-12-06 | N/A | 6.5 MEDIUM |
Nextcould Talk android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, provided that they were removed while being in the call. Versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0 contain patches for the issue. No known workarounds are available. | |||||
CVE-2020-13946 | 2 Apache, Netapp | 2 Cassandra, Oncommand Insight | 2022-12-03 | 4.3 MEDIUM | 5.9 MEDIUM |
In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely. | |||||
CVE-2022-24823 | 3 Netapp, Netty, Oracle | 5 Active Iq Unified Manager, Oncommand Workflow Automation, Snapcenter and 2 more | 2022-12-03 | 1.9 LOW | 5.5 MEDIUM |
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user. | |||||
CVE-2022-1911 | 1 M-files | 1 M-files Server | 2022-12-02 | N/A | 5.3 MEDIUM |
Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system. |