Total
1004 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27483 | 1 Zoll | 1 Defibrillator Dashboard | 2022-04-25 | 4.6 MEDIUM | 7.8 HIGH |
| ZOLL Defibrillator Dashboard, v prior to 2.2,The affected products contain insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user. | |||||
| CVE-2022-22958 | 2 Linux, Vmware | 6 Linux Kernel, Cloud Foundation, Identity Manager and 3 more | 2022-04-21 | 6.5 MEDIUM | 7.2 HIGH |
| VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution. | |||||
| CVE-2022-23448 | 1 Siemens | 2 Simatic Energy Manager Basic, Simatic Energy Manager Pro | 2022-04-19 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). Affected applications improperly assign permissions to critical directories and files used by the application processes. This could allow a local unprivileged attacker to achieve code execution with ADMINISTRATOR or even NT AUTHORITY/SYSTEM privileges. | |||||
| CVE-2018-5546 | 3 Apple, F5, Linux | 4 Macos, Big-ip Access Policy Manager, Big-ip Access Policy Manager Client and 1 more | 2022-04-18 | 7.2 HIGH | 7.8 HIGH |
| The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host. A malicious local unprivileged user may gain knowledge of sensitive information, manipulate certain data, or assume super-user privileges on the local client host. | |||||
| CVE-2022-26982 | 1 Simplemachines | 1 Simple Machines Forum | 2022-04-13 | 6.5 MEDIUM | 7.2 HIGH |
| SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. | |||||
| CVE-2022-26250 | 1 Synametrics | 1 Synaman | 2022-04-13 | 4.6 MEDIUM | 7.8 HIGH |
| Synaman v5.1 and below was discovered to contain weak file permissions which allows authenticated attackers to escalate privileges. | |||||
| CVE-2022-22941 | 1 Saltstack | 1 Salt | 2022-04-06 | 6.0 MEDIUM | 8.8 HIGH |
| An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion. | |||||
| CVE-2017-5118 | 6 Apple, Debian, Google and 3 more | 9 Macos, Debian Linux, Android and 6 more | 2022-04-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| Blink in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, failed to correctly propagate CSP restrictions to javascript scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
| CVE-2021-22921 | 3 Microsoft, Nodejs, Siemens | 3 Windows, Node.js, Sinec Infrastructure Network Services | 2022-04-06 | 4.4 MEDIUM | 7.8 HIGH |
| Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. | |||||
| CVE-2020-28169 | 3 Debian, Microsoft, Td-agent-builder Project | 3 Debian Linux, Windows, Td-agent-builder | 2022-04-05 | 6.9 MEDIUM | 7.0 HIGH |
| The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM. | |||||
| CVE-2020-1736 | 2 Fedoraproject, Redhat | 5 Fedora, Ansible, Ansible Tower and 2 more | 2022-04-05 | 2.1 LOW | 3.3 LOW |
| A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. | |||||
| CVE-2022-23869 | 1 Ruoyi | 1 Ruoyi | 2022-04-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| In RuoYi v4.7.2 through the WebUI, user test1 does not have permission to reset the password of user test3, but the password of user test3 can be reset through the /system/user/resetPwd request. | |||||
| CVE-2021-0904 | 2 Google, Mediatek | 5 Android, Mt6771, Mt8183 and 2 more | 2022-04-01 | 7.2 HIGH | 6.7 MEDIUM |
| In SRAMROM, there is a possible permission bypass due to an insecure permission setting. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06076938; Issue ID: ALPS06076938. | |||||
| CVE-2020-17522 | 1 Apache | 1 Traffic Control | 2022-04-01 | 5.0 MEDIUM | 5.8 MEDIUM |
| When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture. | |||||
| CVE-2021-32056 | 2 Cyrus, Fedoraproject | 2 Imap, Fedora | 2022-04-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| Cyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall. | |||||
| CVE-2022-24236 | 1 Snapt | 1 Aria | 2022-03-29 | 3.5 LOW | 3.5 LOW |
| An insecure permissions vulnerability in Snapt Aria v12.8 allows unauthenticated attackers to send e-mails from spoofed users' accounts. | |||||
| CVE-2022-26247 | 1 Teamwork Management System Project | 1 Teamwork Management System | 2022-03-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| TMS v2.28.0 contains an insecure permissions vulnerability via the component /TMS/admin/user/Update2. This vulnerability allows attackers to modify the administrator account and password. | |||||
| CVE-2022-24125 | 1 Fromsoftware | 1 Dark Souls Iii | 2022-03-28 | 6.5 MEDIUM | 8.8 HIGH |
| The matchmaking servers of Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allow remote attackers to send arbitrary push requests to clients via a RequestSendMessageToPlayers request. For example, ability to send a push message to hundreds of thousands of machines is only restricted on the client side, and can thus be bypassed with a modified client. | |||||
| CVE-2022-22599 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2022-03-28 | 2.1 LOW | 2.4 LOW |
| Description: A permissions issue was addressed with improved validation. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen. | |||||
| CVE-2022-24074 | 1 Navercorp | 1 Whale | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| Whale Bridge, a default extension in Whale browser before 3.12.129.18, allowed to receive any SendMessage request from the content script itself that could lead to controlling Whale Bridge if the rendering process compromises. | |||||