Total: 1368 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-2276 | Wp Edit Menu Project | Wp Edit Menu | 2022-08-24 | N/A | 4.3 MEDIUM | The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF checks in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog. |
CVE-2022-32769 | Wwbn | Avideo | 2022-08-24 | N/A | 5.0 MEDIUM | Multiple authentication bypass vulnerabilities exist in the object ID handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially crafted HTTP request by an authenticated user can lead to unauthorized access to, and takeover of, resources. This one is in the Playlists plugin: an authenticated attacker can bypass the ownership check by guessing a sequential ID and take over another user's playlists. |
CVE-2022-32768 | Wwbn | Avideo | 2022-08-24 | N/A | 4.2 MEDIUM | Multiple authentication bypass vulnerabilities exist in the object ID handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially crafted HTTP request by an authenticated user can lead to unauthorized access to, and takeover of, resources. This one is in the Live Schedules plugin: an authenticated attacker can bypass the ownership check by guessing a sequential ID and take over another user's streams. |
CVE-2022-2379 | Easy Student Results Project | Easy Student Results | 2022-08-16 | N/A | 7.5 HIGH | The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information about courses, exams and departments as well as students' grades and PII such as email address, physical address and phone number. |
CVE-2022-20336 | Google | Android | 2022-08-16 | N/A | 3.3 LOW | In Settings, there is a possible disclosure of installed applications due to a missing permission check. This could lead to local information disclosure of the applications allow-listed to use the network during VPN lockdown mode, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-177239688. |
CVE-2022-20335 | Google | Android | 2022-08-16 | N/A | 3.3 LOW | In Wifi Slice, there is a possible way to adjust Wi-Fi settings even when the permission has been disabled, due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-178014725. |
CVE-2022-20340 | Google | Android | 2022-08-16 | N/A | 3.3 LOW | In SELinux policy, there is a possible way of inferring which websites are being opened in the browser due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-166269532. |
CVE-2022-35293 | Sap | Enable Now Manager | 2022-08-15 | N/A | 9.1 CRITICAL | Due to insecure session management, SAP Enable Now allows an unauthenticated attacker to gain access to a user's account. On successful exploitation, an attacker can view or modify user data, causing limited impact on the confidentiality and integrity of the application. |
CVE-2021-21432 | Go-vela | Vela | 2022-08-12 | 3.5 LOW | 6.5 MEDIUM | Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology and written in Go. An authentication mechanism added in version 0.7.0 enables a malicious user to obtain secrets by using the credentials injected into the `~/.netrc` file. Refer to the referenced GitHub Security Advisory for complete details. This is fixed in version 0.7.5. |
CVE-2021-42331 | Xinheinformation | Xinhe Teaching Platform System | 2022-08-12 | 5.5 MEDIUM | 5.4 MEDIUM | The "Study Edit" function of the ShinHer StudyOnline System does not perform permission control. After logging in with an ordinary user's privileges, remote attackers can access and edit other users' tutorial schedules by crafting URL parameters. |
CVE-2021-43847 | Humhub | Humhub | 2022-08-09 | 4.0 MEDIUM | 6.5 MEDIUM | HumHub is an open-source social network kit written in PHP. Prior to HumHub versions 1.10.3 and 1.9.3, it was possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue. |
CVE-2021-42367 | Variation Swatches For Woocommerce Project | Variation Swatches For Woocommerce | 2022-08-09 | 3.5 LOW | 5.4 MEDIUM | The Variation Swatches for WooCommerce WordPress plugin, in versions up to and including 2.1.1, is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file, which allows attackers to inject arbitrary web scripts. Due to missing authorization checks on the tawcvs_save_settings function, low-privileged authenticated users such as subscribers can exploit this vulnerability. |
CVE-2021-4089 | Snipeitapp | Snipe-it | 2022-08-09 | 4.0 MEDIUM | 4.3 MEDIUM | snipe-it is vulnerable to Improper Access Control. |
CVE-2022-31128 | Enalean | Tuleap | 2022-08-05 | N/A | 5.4 MEDIUM | Tuleap is a Free & Open Source Suite to improve management of software development and collaboration. In affected versions Tuleap does not properly verify permissions when creating branches with the REST API in Git repositories that use fine-grained permissions: users can create branches via the REST endpoint `POST git/:id/branches` regardless of the permissions set on the repository. This issue has been fixed in version 13.10.99.82 of Tuleap Community Edition and in version 13.10-3 of Tuleap Enterprise Edition. Users are advised to upgrade. There are no known workarounds for this issue. |
CVE-2021-1143 | Cisco | Connected Mobile Experiences | 2022-08-05 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability in Cisco Connected Mobile Experiences (CMX) API authorizations could allow an authenticated, remote attacker to enumerate the users that exist on the system. The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this vulnerability by sending specific API GET requests to an affected device. A successful exploit could allow the attacker to enumerate users of the CMX system. |
CVE-2021-20283 | Fedoraproject, Moodle | Fedora, Moodle | 2022-08-05 | 4.0 MEDIUM | 4.3 MEDIUM | In Moodle before 3.10.2, 3.9.5, 3.8.8 and 3.5.17, the web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course. |
CVE-2021-1505 | Cisco | Sd-wan Vmanage | 2022-08-05 | 6.5 MEDIUM | 8.8 HIGH | Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. For more information about these vulnerabilities, see the Details section of the Cisco advisory. |
CVE-2022-2369 | Yaycommerce | Yaysmtp | 2022-08-05 | N/A | 4.3 MEDIUM | The YaySMTP WordPress plugin before 2.2.1 does not have a capability check in an AJAX action, allowing any logged-in user, such as a subscriber, to view the plugin's logs. |
CVE-2021-39184 | Electronjs | Electron | 2022-08-05 | 5.0 MEDIUM | 8.6 HIGH | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0 and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0 and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available: enabling `contextIsolation` in the app makes the vulnerability significantly more difficult to exploit, and the `createThumbnailFromPath` API can be disabled if it is not needed. |
CVE-2021-24836 | Storeapps | Temporary Login Without Password | 2022-08-04 | 4.0 MEDIUM | 4.3 MEDIUM | The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allow any logged-in user, such as a subscriber, to update them. |
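Most entries in this list are one bug in two costumes. The WordPress plugin entries (CVE-2022-2276, CVE-2022-2369, CVE-2021-24836, CVE-2021-42367) expose an AJAX action that runs for whoever reaches it, with no capability check and no CSRF nonce; the object-ID entries (CVE-2022-32768/32769, CVE-2021-42331, CVE-2021-20283, CVE-2022-31128) do check that the caller is logged in but never check that the caller may act on the object whose sequential ID they supplied. The following is an added example, not code from any project listed above: a plain-Python model of a "delete post" AJAX action in its vulnerable shape beside a hardened one that applies all three checks (login, a per-user per-action nonce standing in for WordPress's check_ajax_referer, and an ownership-aware capability check standing in for current_user_can). The store, roles, user records and nonce scheme are hypothetical stand-ins constructed for the example.

```python
"""Missing-authorization AJAX action beside its hardened form.
Illustrative stand-alone Python; not code from any project listed above.
Roles, store and nonce scheme are simplified stand-ins for WordPress's
current_user_can() / check_ajax_referer(), written here for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical capability map in the style of WordPress roles.
ROLE_CAPS = {
    "subscriber": set(),
    "author": {"delete_posts"},                        # own posts only
    "editor": {"delete_posts", "delete_others_posts"},  # anyone's posts
}

@dataclass
class User:
    id: int
    role: str
    # Per-session secret the nonce is keyed with (stand-in for WP's nonce salt + session token).
    secret: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    user: Optional[User]        # None: unauthenticated caller
    params: Dict[str, str]

class Store:
    """Posts keyed by sequential integer ID, i.e. the guessable IDs in the AVideo entries."""
    def __init__(self, owners: Dict[int, int]):
        self.posts = dict(owners)   # post_id -> owner user id

def make_nonce(user: User, action: str) -> str:
    """Token bound to one user's session and one action (like wp_create_nonce)."""
    return hmac.new(user.secret.encode(), action.encode(), hashlib.sha256).hexdigest()[:20]

def verify_nonce(user: User, action: str, nonce: str) -> bool:
    return hmac.compare_digest(make_nonce(user, action), nonce)

def delete_post_vulnerable(store: Store, req: Request) -> str:
    """Shape of CVE-2022-2276: the action is reachable, so it runs.
    No login, capability or nonce check: any visitor can delete any post."""
    post_id = int(req.params["post_id"])
    store.posts.pop(post_id, None)
    return "deleted"

def delete_post_hardened(store: Store, req: Request) -> str:
    """Same action with the three checks the advisories above say were missing."""
    # 1. Authentication.
    if req.user is None:
        return "error: not logged in"
    # 2. CSRF: the nonce must have been minted for this user and this action.
    if not verify_nonce(req.user, "delete_post", req.params.get("_nonce", "")):
        return "error: bad nonce"
    post_id = int(req.params["post_id"])
    owner = store.posts.get(post_id)
    if owner is None:
        return "error: no such post"
    # 3. Object-level authorization: the required capability depends on who owns
    #    the object, so a valid session plus a guessed sequential ID is not enough.
    needed = "delete_posts" if owner == req.user.id else "delete_others_posts"
    if needed not in ROLE_CAPS[req.user.role]:
        return "error: forbidden"
    del store.posts[post_id]
    return "deleted"

def run_demo() -> Dict[str, str]:
    """Run both handlers over constructed sample data; returns the outcome per scenario."""
    alice = User(id=1, role="author")
    bob = User(id=2, role="author")
    mallory = User(id=3, role="subscriber")
    out: Dict[str, str] = {}
    nonce = lambda u: make_nonce(u, "delete_post")

    # Vulnerable handler: an unauthenticated cross-site request deletes Bob's post.
    s = Store({10: alice.id, 11: bob.id})
    out["vuln_anon"] = delete_post_vulnerable(s, Request(None, {"post_id": "11"}))
    out["vuln_post_gone"] = str(11 not in s.posts)

    s = Store({10: alice.id, 11: bob.id})
    out["anon"] = delete_post_hardened(s, Request(None, {"post_id": "11"}))
    # Logged-in author, but the request carries no nonce (forged from another site).
    out["csrf"] = delete_post_hardened(s, Request(alice, {"post_id": "10"}))
    # A nonce minted for Mallory's session does not work in Alice's request.
    out["stolen_nonce"] = delete_post_hardened(s, Request(alice, {"post_id": "10", "_nonce": nonce(mallory)}))
    # Alice guesses Bob's sequential ID: valid session and nonce, wrong owner.
    out["idor"] = delete_post_hardened(s, Request(alice, {"post_id": "11", "_nonce": nonce(alice)}))
    # A subscriber holds no delete capability at all, even with a good nonce.
    out["subscriber"] = delete_post_hardened(s, Request(mallory, {"post_id": "11", "_nonce": nonce(mallory)}))
    # Alice deleting her own post with a proper nonce is the only path that succeeds.
    out["own"] = delete_post_hardened(s, Request(alice, {"post_id": "10", "_nonce": nonce(alice)}))
    out["remaining"] = ",".join(str(p) for p in sorted(s.posts))
    return out

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:15s} {result}")
```

The order of the checks matters in the real thing as much as in the model: the nonce is verified before any database lookup so a forged request learns nothing from error messages, and the capability needed is derived from the object's owner rather than from the caller alone, which is the step the sequential-ID entries above were missing.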