Total: 1299 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-24755 | 1 Bareos | 1 Bareos | 2022-03-23 | 6.8 MEDIUM | 9.8 CRITICAL | Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, it skips authorization checks completely: expired accounts and accounts with expired passwords can still log in. This problem affects users that have PAM enabled. There is no authorization (e.g. a check for expired or disabled accounts), only plain authentication (i.e. a check that username and password match). Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 implement the previously missing authorization check. The only workaround is to make sure that authentication fails if the user is not authorized. |
CVE-2022-0871 | 1 Gogs | 1 Gogs | 2022-03-22 | 5.8 MEDIUM | 9.1 CRITICAL | Improper Authorization in GitHub repository gogs/gogs prior to 0.12.5. |
CVE-2022-0905 | 1 Gitea | 1 Gitea | 2022-03-21 | 5.5 MEDIUM | 7.1 HIGH | Improper Authorization in GitHub repository go-gitea/gitea prior to 1.16.4. |
CVE-2022-24128 | 1 Timescale | 1 Timescaledb | 2022-03-18 | 6.0 MEDIUM | 8.0 HIGH | Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege escalation during extension installation. The installation process uses commands such as CREATE x IF NOT EXIST that allow an unprivileged user to precreate objects. These objects are then used by the installer (which executes as Superuser), leading to privilege escalation. To take advantage of this, an unprivileged user would need to be able to create objects in a database and then get a Superuser to install TimescaleDB into that database. (In the fixed versions, the installation aborts when it finds that an object already exists.) |
CVE-2022-23730 | 1 Lg | 1 Webos | 2022-03-18 | 7.5 HIGH | 9.8 CRITICAL | An error in the public API allows an attacker to bypass API access control. |
CVE-2022-26143 | 1 Mitel | 2 Micollab, Mivoice Business Express | 2022-03-18 | 9.0 HIGH | 9.8 CRITICAL | The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack. |
CVE-2022-0821 | 1 Orchardcore | 1 Orchardcore | 2022-03-18 | 4.0 MEDIUM | 6.5 MEDIUM | Improper Authorization in GitHub repository orchardcms/orchardcore prior to 1.3.0. |
CVE-2022-0932 | 1 Saleor | 1 Saleor | 2022-03-18 | 4.0 MEDIUM | 6.5 MEDIUM | Improper Authorization in GitHub repository saleor/saleor prior to 3.1.2. |
CVE-2022-25214 | 1 Phicomm | 10 K2, K2 Firmware, K2g and 7 more | 2022-03-17 | 5.8 MEDIUM | 7.4 HIGH | Improper access control on the LocalClientList.asp interface allows an unauthenticated remote attacker to obtain sensitive information concerning devices on the local area network, including IP and MAC addresses. Improper access control on the wirelesssetup.asp interface allows an unauthenticated remote attacker to obtain the WPA passphrases for the 2.4GHz and 5.0GHz wireless networks. This is particularly dangerous given that the K2G setup wizard presents the user with the option of using the same password for the 2.4GHz network and the administrative interface, by clicking a checkbox. When Remote Management is enabled, these endpoints are exposed to the WAN. |
CVE-2022-25215 | 1 Phicomm | 10 K2, K2 Firmware, K2g and 7 more | 2022-03-17 | 5.0 MEDIUM | 5.3 MEDIUM | Improper access control on the LocalMACConfig.asp interface allows an unauthenticated remote attacker to add (or remove) client MAC addresses to (or from) a list of banned hosts. Clients with those MAC addresses are then prevented from accessing either the WAN or the router itself. |
CVE-2021-24917 | 1 Wpserveur | 1 Wps Hide Login | 2022-03-17 | 5.0 MEDIUM | 7.5 HIGH | The WPS Hide Login WordPress plugin before 1.9.1 has a bug that allows an unauthenticated user to obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php. |
CVE-2022-24609 | 1 Luocms Project | 1 Luocms | 2022-03-17 | 10.0 HIGH | 9.8 CRITICAL | Luocms v2.0 is affected by an incorrect access control vulnerability. Through /admin/templates/template_manage.php, an attacker can write an arbitrary shell file. |
CVE-2022-24931 | 1 Google | 1 Android | 2022-03-16 | 4.6 MEDIUM | 7.8 HIGH | Improper access control vulnerability in dynamic receiver in ApkInstaller prior to SMR MAR-2022 Release allows unauthorized attackers to execute arbitrary activity without a proper permission. |
CVE-2022-24930 | 1 Samsung | 1 Wear Os | 2022-03-16 | 4.3 MEDIUM | 3.3 LOW | An improper access control vulnerability in StRetailModeReceiver in Wear OS 3.0 prior to Firmware update MAR-2022 Release allows untrusted applications to reset default app settings without a proper permission. |
CVE-2022-0756 | 1 Salesagility | 1 Suitecrm | 2022-03-11 | 4.0 MEDIUM | 6.5 MEDIUM | Improper Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5. |
CVE-2022-0442 | 1 Ayecode | 1 Userswp | 2022-03-11 | 4.0 MEDIUM | 4.3 MEDIUM | The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged-in user to overwrite another user's avatar. |
CVE-2022-0528 | 1 Transloadit | 1 Uppy | 2022-03-09 | 5.0 MEDIUM | 7.5 HIGH | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository transloadit/uppy prior to 3.3.1. |
CVE-2022-24306 | 1 Zohocorp | 1 Manageengine Sharepoint Manager Plus | 2022-03-09 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled. |
CVE-2022-22300 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2022-03-09 | 6.5 MEDIUM | 8.8 HIGH | An improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, FortiAnalyzer version 6.0.0 through 6.0.11, FortiAnalyzer version 6.2.0 through 6.2.9, FortiAnalyzer version 6.4.0 through 6.4.7, FortiAnalyzer version 7.0.0 through 7.0.2, FortiManager version 5.6.0 through 5.6.11, FortiManager version 6.0.0 through 6.0.11, FortiManager version 6.2.0 through 6.2.9, FortiManager version 6.4.0 through 6.4.7, FortiManager version 7.0.0 through 7.0.2 allows an attacker to bypass the device policy and force the password-change action for its user. |
CVE-2022-0732 | 1 1byte | 9 Copy9, Exactspy, Fonetracker and 6 more | 2022-03-08 | 5.0 MEDIUM | 7.5 HIGH | The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. |