Total
1299 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39789 | 1 Google | 1 Android | 2022-04-05 | 4.6 MEDIUM | 7.8 HIGH |
| In Telecom, there is a possible leak of TTY mode change due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-203880906 | |||||
| CVE-2022-1177 | 1 Open-emr | 1 Openemr | 2022-04-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0. | |||||
| CVE-2022-0735 | 1 Gitlab | 1 Gitlab | 2022-04-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands. | |||||
| CVE-2022-0720 | 1 Tms-outsource | 1 Amelia | 2022-04-04 | 5.5 MEDIUM | 5.4 MEDIUM |
| The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. | |||||
| CVE-2021-39876 | 1 Gitlab | 1 Gitlab | 2022-04-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| In all versions of GitLab CE/EE since version 11.3, the endpoint for auto-completing Assignee discloses the members of private groups. | |||||
| CVE-2021-20290 | 1 Theforeman | 1 Openscap | 2022-04-04 | 3.6 LOW | 6.1 MEDIUM |
| An improper authorization handling flaw was found in Foreman. The OpenSCAP plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability. | |||||
| CVE-2022-26629 | 3 Linux, Microsoft, Splus | 3 Linux Kernel, Windows, Soroushplus | 2022-03-31 | 6.4 MEDIUM | 9.1 CRITICAL |
| An Access Control vulnerability exists in SoroushPlus+ Messenger 1.0.30 in the Lock Screen Security Feature function due to insufficient permissions and privileges, which allows a malicious attacker bypass the lock screen function. | |||||
| CVE-2019-6144 | 1 Forcepoint | 1 One Endpoint | 2022-03-31 | 4.0 MEDIUM | 6.5 MEDIUM |
| This vulnerability allows a normal (non-admin) user to disable the Forcepoint One Endpoint (versions 19.04 through 19.08) and bypass DLP and Web protection. | |||||
| CVE-2021-41805 | 1 Hashicorp | 1 Consul | 2022-03-31 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace. | |||||
| CVE-2021-41244 | 1 Grafana | 1 Grafana | 2022-03-31 | 6.5 MEDIUM | 7.2 HIGH |
| Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag. | |||||
| CVE-2022-26279 | 1 Eyoucms | 1 Eyoucms | 2022-03-30 | 7.5 HIGH | 9.8 CRITICAL |
| EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata. | |||||
| CVE-2022-0981 | 1 Quarkus | 1 Quarkus | 2022-03-29 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended. | |||||
| CVE-2022-22618 | 1 Apple | 3 Ipados, Iphone Os, Watchos | 2022-03-28 | 4.6 MEDIUM | 7.8 HIGH |
| This issue was addressed with improved checks. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4. A user may be able to bypass the Emergency SOS passcode prompt. | |||||
| CVE-2019-8446 | 1 Atlassian | 1 Jira Server | 2022-03-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
| CVE-2019-3401 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
| CVE-2019-3403 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
| CVE-2021-30925 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2022-03-25 | 6.4 MEDIUM | 9.1 CRITICAL |
| The issue was addressed with improved permissions logic. This issue is fixed in watchOS 8, macOS Big Sur 11.6, iOS 15 and iPadOS 15. A malicious application may be able to bypass Privacy preferences. | |||||
| CVE-2021-30856 | 1 Apple | 1 Macos | 2022-03-25 | 5.8 MEDIUM | 9.1 CRITICAL |
| This issue was addressed by adding a new Remote Login option for opting into Full Disk Access for Secure Shell sessions. This issue is fixed in macOS Big Sur 11.3. A malicious unsandboxed app on a system with Remote Login enabled may bypass Privacy preferences. | |||||
| CVE-2022-24721 | 1 Cometd | 1 Cometd | 2022-03-25 | 5.5 MEDIUM | 8.1 HIGH |
| CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other user's data and modify the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom `SecurityPolicy` that forbids subscription and publishing to remote, non-Oort, sessions on Oort and Seti channels. | |||||
| CVE-2022-0577 | 2 Debian, Scrapy | 2 Debian Linux, Scrapy | 2022-03-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1. | |||||