Total: 1299 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-40692 | 1 Moodle | 1 Moodle | 2022-10-03 | N/A | 4.3 MEDIUM |
Insufficient capability checks made it possible for teachers to download users outside of their courses. | |||||
CVE-2022-36109 | 2 Fedoraproject, Mobyproject | 2 Fedora, Moby | 2022-09-30 | N/A | 6.3 MEDIUM |
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead, calling `ENTRYPOINT ["su", "-", "user"]` sets up the supplementary groups properly. | |||||
CVE-2022-1193 | 1 Gitlab | 1 Gitlab | 2022-09-30 | 3.5 LOW | 4.3 MEDIUM |
Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances | |||||
CVE-2021-22262 | 1 Gitlab | 1 Gitlab | 2022-09-29 | 4.0 MEDIUM | 4.3 MEDIUM |
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page | |||||
CVE-2022-39029 | 1 Lcnet | 1 Smart Evision | 2022-09-29 | N/A | 6.5 MEDIUM |
Smart eVision has inadequate authorization for the database query function. A remote attacker with general user privilege, who is not explicitly authorized to access the information, can access sensitive information. | |||||
CVE-2022-39030 | 1 Lcnet | 1 Smart Evision | 2022-09-29 | N/A | 7.5 HIGH |
Smart eVision has inadequate authorization for the system information query function. An unauthenticated remote attacker, who is not explicitly authorized to access the information, can access sensitive information. | |||||
CVE-2022-39031 | 1 Lcnet | 1 Smart Evision | 2022-09-28 | N/A | 5.3 MEDIUM |
Smart eVision has insufficient authorization for task acquisition function. An unauthorized remote attacker can exploit this vulnerability to acquire the Session IDs of other general users only. | |||||
CVE-2021-28696 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2022-09-28 | 4.6 MEDIUM | 6.8 MEDIUM |
IOMMU page mapping issues on x86. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assignment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696). | |||||
CVE-2017-0894 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 4.3 MEDIUM | 4.3 MEDIUM |
Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error, potentially granting an attacker access to publicly shared calendars without knowing the share token. | |||||
CVE-2021-41233 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 4.3 MEDIUM | 5.3 MEDIUM |
Nextcloud Text is a collaborative document editor using Markdown, built for the Nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is recommended that users upgrade their Nextcloud Server to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the Nextcloud Text application in the application settings. | |||||
CVE-2022-30164 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-09-22 | 4.6 MEDIUM | 7.8 HIGH |
Kerberos AppContainer Security Feature Bypass Vulnerability. | |||||
CVE-2022-41230 | 1 Jenkins | 1 Build-publisher | 2022-09-22 | N/A | 4.3 MEDIUM |
Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers. | |||||
CVE-2022-28321 | 2 Linux-pam, Opensuse | 2 Linux-pam, Tumbleweed | 2022-09-22 | N/A | 9.8 CRITICAL |
The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream. | |||||
CVE-2022-36876 | 1 Samsung | 1 Samsung Pass | 2022-09-21 | N/A | 2.4 LOW |
Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10 allows physical attackers to access account list without authentication. | |||||
CVE-2022-0143 | 1 Forgerock | 1 Ldap Connector | 2022-09-21 | N/A | 9.8 CRITICAL |
When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS) | |||||
CVE-2021-1305 | 1 Cisco | 12 Ios Xe Sd-wan, Sd-wan Firmware, Sd-wan Vbond Orchestrator and 9 more | 2022-09-20 | 4.0 MEDIUM | 4.3 MEDIUM |
Multiple vulnerabilities in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization and modify the configuration of an affected system, gain access to sensitive information, and view information that they are not authorized to access. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
CVE-2022-22091 | 1 Qualcomm | 258 Apq8017, Apq8017 Firmware, Apq8053 and 255 more | 2022-09-20 | N/A | 7.5 HIGH |
Improper authorization of a replayed LTE security mode command can lead to a denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | |||||
CVE-2022-35582 | 1 Pentasecurity | 1 Wapples | 2022-09-19 | N/A | 8.8 HIGH |
Penta Security Systems Inc WAPPLES 4.0.*, 5.0.0.*, 5.0.12.* are vulnerable to Incorrect Access Control. The operating system that WAPPLES runs on has a built-in non-privileged user penta with a predefined password. The password for this user, as well as its existence, is not disclosed in the documentation. Knowing the credentials, attackers can use this feature to gain uncontrolled access to the device, and the credentials are therefore considered an undocumented possibility for remote control. | |||||
CVE-2022-38769 | 1 Transtek | 1 Mojodat Fixed Asset Management | 2022-09-16 | N/A | 7.5 HIGH |
The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch cleartext passwords upon a successful login request. | |||||
CVE-2022-38768 | 1 Transtek | 1 Mojodat Fixed Asset Management | 2022-09-16 | N/A | 9.8 CRITICAL |
The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to bypass authorization. |