Total
1299 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-39329 | 1 Nextcloud | 2 Nextcloud Enterprise Server, Nextcloud Server | 2022-10-31 | N/A | 5.3 MEDIUM |
| Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contains patches for this issue. No known workarounds are available. | |||||
| CVE-2022-3057 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-10-27 | N/A | 6.5 MEDIUM |
| Inappropriate implementation in iframe Sandbox in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2022-3056 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-10-27 | N/A | 6.5 MEDIUM |
| Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
| CVE-2022-2861 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-10-27 | N/A | 6.5 MEDIUM |
| Inappropriate implementation in Extensions API in Google Chrome prior to 104.0.5112.101 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts into WebUI via a crafted HTML page. | |||||
| CVE-2022-3047 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-10-27 | N/A | 6.5 MEDIUM |
| Insufficient policy enforcement in Extensions API in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to bypass downloads policy via a crafted HTML page. | |||||
| CVE-2022-3045 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-10-27 | N/A | 8.8 HIGH |
| Insufficient validation of untrusted input in V8 in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-3044 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-10-27 | N/A | 6.5 MEDIUM |
| Inappropriate implementation in Site Isolation in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | |||||
| CVE-2022-27668 | 1 Sap | 4 Netweaver As Abap, Netweaver As Abap Krnl64nuc, Netweaver As Abap Krnl64uc and 1 more | 2022-10-27 | 7.5 HIGH | 9.8 CRITICAL |
| Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.49, KRNL64UC 7.49, SAP_ROUTER 7.53, 7.22, from a remote client, for example stopping the SAProuter, that could highly impact systems availability. | |||||
| CVE-2021-38345 | 1 Brizy | 1 Brizy-page Builder | 2022-10-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127. | |||||
| CVE-2021-38312 | 1 Redux | 1 Gutenberg Template Library \& Redux Framework | 2022-10-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress used an incorrect authorization check in the REST API endpoints registered under the “redux/v1/templates/” REST Route in “redux-templates/classes/class-api.php”. The `permissions_callback` used in this file only checked for the `edit_posts` capability which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts. | |||||
| CVE-2021-34434 | 2 Eclipse, Fedoraproject | 2 Mosquitto, Fedora | 2022-10-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked. | |||||
| CVE-2021-37705 | 1 Microsoft | 1 Onefuzz | 2022-10-27 | 6.8 MEDIUM | 10.0 CRITICAL |
| OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain option. This can result in read/write access to private data such as software vulnerability and crash information, security testing tools and proprietary code and symbols. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. As a workaround users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option. | |||||
| CVE-2021-30638 | 1 Apache | 1 Tapestry | 2022-10-27 | 5.0 MEDIUM | 7.5 HIGH |
| Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1. | |||||
| CVE-2021-37864 | 1 Mattermost | 1 Mattermost | 2022-10-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs. | |||||
| CVE-2022-28774 | 1 Sap | 1 Host Agent | 2022-10-26 | 1.9 LOW | 5.5 MEDIUM |
| Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted. | |||||
| CVE-2022-1499 | 1 Google | 1 Chrome | 2022-10-26 | N/A | 6.3 MEDIUM |
| Inappropriate implementation in WebAuthentication in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||||
| CVE-2020-18701 | 1 Talelin | 1 Lin-cms-flask | 2022-10-26 | 7.5 HIGH | 9.8 CRITICAL |
| Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying packets. | |||||
| CVE-2020-19301 | 1 Vaethink | 1 Vaethink | 2022-10-26 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the vae_admin_rule database table of vaeThink v1.0.1 allows attackers to execute arbitrary code via a crafted payload in the condition parameter. | |||||
| CVE-2022-1874 | 2 Apple, Google | 2 Macos, Chrome | 2022-10-26 | N/A | 8.8 HIGH |
| Insufficient policy enforcement in Safe Browsing in Google Chrome on Mac prior to 102.0.5005.61 allowed a remote attacker to bypass downloads protection policy via a crafted HTML page. | |||||
| CVE-2022-39342 | 1 Openfga | 1 Openfga | 2022-10-25 | N/A | 9.8 CRITICAL |
| OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue. | |||||