Total
1368 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4349 | 1 Pwn Project | 1 Pwn | 2022-12-09 | N/A | 6.8 MEDIUM |
| A vulnerability classified as problematic has been found in CTF-hacker pwn. This affects an unknown part of the file delete.html. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-215109 was assigned to this vulnerability. | |||||
| CVE-2020-36610 | 1 Duxcms Project | 1 Duxcms | 2022-12-09 | N/A | 8.0 HIGH |
| A vulnerability was found in annyshow DuxCMS 2.1. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215116. | |||||
| CVE-2021-25095 | 1 Ip2location | 1 Country Blocker | 2022-12-09 | 5.5 MEDIUM | 7.1 HIGH |
| The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend. | |||||
| CVE-2022-36024 | 1 Pycord Development | 1 Pycord | 2022-12-09 | N/A | 6.5 MEDIUM |
| py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version. | |||||
| CVE-2021-25032 | 1 Publishpress | 1 Capabilities | 2022-12-09 | 7.5 HIGH | 9.8 CRITICAL |
| The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role. | |||||
| CVE-2021-25025 | 1 Theeventscalendar | 1 Eventcalendar | 2022-12-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events | |||||
| CVE-2020-11511 | 1 Thimpress | 1 Learnpress | 2022-12-09 | 6.8 MEDIUM | 8.1 HIGH |
| The LearnPress plugin before 3.2.6.9 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. | |||||
| CVE-2021-24355 | 1 Wpdeveloper | 1 Simple 301 Redirects | 2022-12-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/get_wildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the wildcard value for redirects. | |||||
| CVE-2021-24356 | 1 Wpdeveloper | 1 Simple 301 Redirects | 2022-12-09 | 6.5 MEDIUM | 8.8 HIGH |
| In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activate_plugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites. | |||||
| CVE-2022-42778 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2022-12-07 | N/A | 7.8 HIGH |
| In windows manager service, there is a missing permission check. This could lead to set up windows manager service with no additional execution privileges needed. | |||||
| CVE-2022-42776 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2022-12-07 | N/A | 7.8 HIGH |
| In UscAIEngine service, there is a missing permission check. This could lead to set up UscAIEngine service with no additional execution privileges needed. | |||||
| CVE-2022-39092 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2022-12-07 | N/A | 7.8 HIGH |
| In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed. | |||||
| CVE-2022-39093 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2022-12-07 | N/A | 7.8 HIGH |
| In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed. | |||||
| CVE-2022-39091 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2022-12-07 | N/A | 7.8 HIGH |
| In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed. | |||||
| CVE-2022-39090 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2022-12-07 | N/A | 7.8 HIGH |
| In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed. | |||||
| CVE-2022-44009 | 1 Stackstorm | 1 Stackstorm | 2022-12-07 | N/A | 7.5 HIGH |
| Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive Information. | |||||
| CVE-2022-41807 | 1 Kyocera | 80 Ecosys M2535dn, Ecosys M2535dn Firmware, Ecosys M6526cdn and 77 more | 2022-12-06 | N/A | 6.5 MEDIUM |
| Missing authorization vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to alter the product settings without authentication by sending a specially crafted request. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASKalfa 5550ci/4550ci/3550ci/3050ci, TASKalfa 255c/205c, TASKalfa 256ci/206ci, ECOSYS M6526cdn/M6526cidn, FS-C2126MFP/C2126MFP+/C2026MFP/C2026MFP+, TASKalfa 8000i/6500i, TASKalfa 5500i/4500i/3500i, TASKalfa 305/255, TASKalfa 306i/256i, LS-3140MFP/3140MFP+/3640MFP, ECOSYS M2535dn, LS-1135MFP/1035MFP, LS-C8650DN/C8600DN, ECOSYS P6026cdn, FS-C5250DN, LS-4300DN/4200DN/2100DN, ECOSYS P4040dn, ECOSYS P2135dn, and FS-1370DN. | |||||
| CVE-2019-4158 | 1 Ibm | 1 Security Access Manager | 2022-12-03 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Security Access Manager 9.0.1 through 9.0.6 does not prove that a user's identity is correct which can lead to the exposure of resources or functionality to unintended actors. IBM X-Force ID: 158574. | |||||
| CVE-2021-32472 | 1 Moodle | 1 Moodle | 2022-12-02 | 2.6 LOW | 4.3 MEDIUM |
| Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 are affected. | |||||
| CVE-2022-24190 | 1 Sz-fujia | 1 Ourphoto | 2022-12-01 | N/A | 7.5 HIGH |
| The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction. | |||||