Total
1368 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-3653 | 3 Debian, Linux, Redhat | 3 Debian Linux, Linux Kernel, Enterprise Linux | 2022-03-31 | 6.1 MEDIUM | 8.8 HIGH |
| A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "int_ctl" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7. | |||||
| CVE-2019-17055 | 6 Canonical, Debian, Fedoraproject and 3 more | 8 Ubuntu Linux, Debian Linux, Fedora and 5 more | 2022-03-31 | 2.1 LOW | 3.3 LOW |
| base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. | |||||
| CVE-2019-16738 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2022-03-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup. | |||||
| CVE-2022-22854 | 1 Hospital\'s Patient Records Management System Project | 1 Hospital\'s Patient Records Management System | 2022-03-30 | 6.5 MEDIUM | 8.8 HIGH |
| An access control issue in hprms/admin/?page=user/list of Hospital Patient Record Management System v1.0 allows attackers to escalate privileges via accessing and editing the user list. | |||||
| CVE-2019-20407 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-03-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check. | |||||
| CVE-2022-27333 | 1 Idccms Project | 1 Idccms | 2022-03-29 | 5.0 MEDIUM | 7.5 HIGH |
| idcCMS v1.10 was discovered to contain an issue which allows attackers to arbitrarily delete the install.lock file, resulting in a reset of the CMS settings and data. | |||||
| CVE-2022-0229 | 1 Miniorange | 1 Google Authenticator | 2022-03-28 | 5.8 MEDIUM | 8.1 HIGH |
| The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. | |||||
| CVE-2022-24595 | 1 Automotivelinux | 1 Kooky Koi | 2022-03-28 | 7.5 HIGH | 9.8 CRITICAL |
| Automotive Grade Linux Kooky Koi 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, and 11.0.5 is affected by Incorrect Access Control in usr/bin/afb-daemon. To exploit the vulnerability, an attacker should send a well-crafted HTTP (or WebSocket) request to the socket listened by the afb-daemon process. No credentials nor user interactions are required. | |||||
| CVE-2020-14185 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2. | |||||
| CVE-2019-3399 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 5.0 MEDIUM | 7.5 HIGH |
| The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check. | |||||
| CVE-2019-8445 | 1 Atlassian | 1 Jira Server | 2022-03-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check. | |||||
| CVE-2019-15013 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check. | |||||
| CVE-2022-27209 | 1 Kubernetes | 1 Continuous Deploy | 2022-03-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-27211 | 1 Jenkins | 1 Kubernetes Continuous Deploy | 2022-03-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing/An incorrect permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2021-24950 | 1 Thememove | 1 Insight Core | 2022-03-19 | 3.5 LOW | 5.4 MEDIUM |
| The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks | |||||
| CVE-2022-26104 | 1 Sap | 1 Financial Consolidation | 2022-03-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Financial Consolidation - version 10.1, does not perform necessary authorization checks for updating homepage messages, resulting for an unauthorized user to alter the maintenance system message. | |||||
| CVE-2022-23709 | 1 Elastic | 1 Kibana | 2022-03-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules. | |||||
| CVE-2022-0163 | 1 Rednao | 1 Smart Forms | 2022-03-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form. | |||||
| CVE-2021-41112 | 1 Pagerduty | 1 Rundeck | 2022-03-10 | 5.5 MEDIUM | 8.1 HIGH |
| Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds. | |||||
| CVE-2022-24986 | 1 Kde | 1 Kcron | 2022-03-08 | 4.6 MEDIUM | 7.8 HIGH |
| KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. Thus, someone watching it be created the first time could potentially intercept the file the following time, enabling that person to run unauthorized commands. | |||||