Total
1368 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-21660 | 1 Gin-vue-admin Project | 1 Gin-vue-admin | 2022-02-15 | 5.5 MEDIUM | 8.1 HIGH |
| Gin-vue-admin is a backstage management system based on vue and gin. In versions prior to 2.4.7 low privilege users are able to modify higher privilege users. Authentication is missing on the `setUserInfo` function. Users are advised to update as soon as possible. There are no known workarounds. | |||||
| CVE-2022-20043 | 2 Google, Mediatek | 7 Android, Mt8167, Mt8175 and 4 more | 2022-02-14 | 4.6 MEDIUM | 7.8 HIGH |
| In Bluetooth, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06148177; Issue ID: ALPS06148177. | |||||
| CVE-2022-20041 | 2 Google, Mediatek | 7 Android, Mt8167, Mt8175 and 4 more | 2022-02-14 | 4.6 MEDIUM | 7.8 HIGH |
| In Bluetooth, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06108596; Issue ID: ALPS06108596. | |||||
| CVE-2022-20024 | 2 Google, Mediatek | 28 Android, Mt6580, Mt6739 and 25 more | 2022-02-14 | 4.6 MEDIUM | 7.8 HIGH |
| In system service, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06219064; Issue ID: ALPS06219064. | |||||
| CVE-2021-24831 | 1 Rich-web | 1 Tab | 2022-02-10 | 5.0 MEDIUM | 7.5 HIGH |
| All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs. | |||||
| CVE-2012-4245 | 1 Gimp | 1 Gimp | 2022-02-07 | 6.8 MEDIUM | N/A |
| The scriptfu network server in GIMP 2.6 does not require authentication, which allows remote attackers to execute arbitrary commands via the python-fu-eval command. | |||||
| CVE-2021-25093 | 1 Link Library Project | 1 Link Library | 2022-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| The Link Library WordPress plugin before 7.2.8 does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request | |||||
| CVE-2018-7792 | 1 Schneider-electric | 2 Modicon M221, Modicon M221 Firmware | 2022-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to decode the password using rainbow table. | |||||
| CVE-2021-44795 | 1 Krontech | 1 Single Connect | 2022-02-02 | 5.0 MEDIUM | 7.5 HIGH |
| Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitation of this vulnerability might allow a remote attacker to delete permissions from other users without authenticating. | |||||
| CVE-2021-44794 | 1 Krontech | 1 Single Connect | 2022-02-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module. A remote attacker could exploit this vulnerability to access the device information page. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information. | |||||
| CVE-2021-44793 | 1 Krontech | 1 Single Connect | 2022-02-02 | 5.0 MEDIUM | 7.5 HIGH |
| Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information including the database credentials. Since the database runs with high privileges it is possible to execute commands with the attained credentials. | |||||
| CVE-2021-44792 | 1 Krontech | 1 Single Connect | 2022-02-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information. | |||||
| CVE-2022-0203 | 1 Craterapp | 1 Crater | 2022-02-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2. | |||||
| CVE-2022-0152 | 1 Gitlab | 1 Gitlab | 2022-01-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API. | |||||
| CVE-2021-40327 | 1 Trustedfirmware | 1 Trusted Firmware-m | 2022-01-25 | 2.6 LOW | 5.9 MEDIUM |
| Trusted Firmware-M (TF-M) 1.4.0, when Profile Small is used, has incorrect access control. NSPE can access a secure key (held by the Crypto service) based solely on knowledge of its key ID. For example, there is no authorization check associated with the relationship between a caller and a key owner. | |||||
| CVE-2022-0236 | 1 Vjinfotech | 2 Wp Import Export, Wp Import Export Lite | 2022-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. This affects versions up to, and including, 3.9.15. | |||||
| CVE-2020-9457 | 1 Metagauss | 1 Registrationmagic | 2022-01-21 | 6.5 MEDIUM | 8.8 HIGH |
| The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote authenticated users (with minimal privileges) to import custom vulnerable forms and change form settings via class_rm_form_settings_controller.php, resulting in privilege escalation. | |||||
| CVE-2020-9456 | 1 Metagauss | 1 Registrationmagic | 2022-01-21 | 6.5 MEDIUM | 8.8 HIGH |
| In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the user controller allows remote authenticated users (with minimal privileges) to elevate their privileges to administrator via class_rm_user_controller.php rm_user_edit. | |||||
| CVE-2020-9455 | 1 Metagauss | 1 Registrationmagic | 2022-01-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote authenticated users (with minimal privileges) to send arbitrary emails on behalf of the site via class_rm_user_services.php send_email_user_view. | |||||
| CVE-2020-9458 | 1 Metagauss | 1 Registrationmagic | 2022-01-21 | 6.5 MEDIUM | 8.8 HIGH |
| In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the export function allows remote authenticated users (with minimal privileges) to export submitted form data and settings via class_rm_form_controller.php rm_form_export. | |||||