Total
1299 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-45353 | 1 Muffingroup | 1 Betheme | 2023-01-24 | N/A | 8.1 HIGH |
Broken Access Control in Betheme theme <= 26.6.1 on WordPress. | |||||
CVE-2021-45466 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | N/A | 9.8 CRITICAL |
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder. | |||||
CVE-2023-22480 | 1 Fit2cloud | 1 Kubeoperator | 2023-01-24 | N/A | 9.8 CRITICAL |
KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4. | |||||
CVE-2022-39275 | 1 Saleor | 1 Saleor | 2023-01-23 | N/A | 4.3 MEDIUM |
Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose the following information: Estimating database row counts from tables with a sequential primary key or Exposing staff user and customer email addresses and full name through the `assignNavigation()` mutation. This issue has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade. There are no known workarounds for this issue. | |||||
CVE-2019-4343 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2023-01-20 | 4.0 MEDIUM | 6.5 MEDIUM |
IBM Cognos Analytics 11.0 and 11.1 allows overly permissive cross-origin resource sharing which could allow an attacker to transfer private information. An attacker could exploit this vulnerability to access content that should be restricted. IBM X-Force ID: 161422. | |||||
CVE-2022-2155 | 1 Hitachienergy | 1 Lumada Asset Performance Management | 2023-01-20 | N/A | 7.1 HIGH |
A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports feature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining unauthorized access to any Power BI reports installed by the customer. Furthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker. Affected versions * Lumada APM on-premises version 6.0.0.0 - 6.4.0.* List of CPEs: * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:* | |||||
CVE-2016-4178 | 5 Adobe, Apple, Google and 2 more | 8 Flash Player, Flash Player Desktop Runtime, Mac Os X and 5 more | 2023-01-19 | 4.3 MEDIUM | 4.3 MEDIUM |
Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0.0.209 on Windows and OS X and before 11.2.202.632 on Linux allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors. | |||||
CVE-2022-4167 | 1 Gitlab | 1 Gitlab | 2023-01-18 | N/A | 7.5 HIGH |
Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them. | |||||
CVE-2023-21560 | 1 Microsoft | 15 Windows 10 1607, Windows 10 1809, Windows 10 20h2 and 12 more | 2023-01-17 | N/A | 6.6 MEDIUM |
Windows Boot Manager Security Feature Bypass Vulnerability. | |||||
CVE-2022-32294 | 1 Zimbra | 1 Collaboration | 2023-01-13 | 7.5 HIGH | 9.8 CRITICAL |
** DISPUTED ** Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port). NOTE: a third party reports that this cannot be reproduced. | |||||
CVE-2022-46258 | 1 Github | 1 Enterprise Server | 2023-01-13 | N/A | 6.5 MEDIUM |
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability affected all versions of GitHub Enterprise Server prior to version 3.7 and was fixed in versions 3.3.16, 3.4.11, 3.5.8, and 3.6.4. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
CVE-2015-10033 | 1 Merlinsboard Project | 1 Merlinsboard | 2023-01-13 | N/A | 6.5 MEDIUM |
A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The name of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability. | |||||
CVE-2022-48216 | 1 Uniswap | 2 Universal Router, Universal Router Firmware | 2023-01-11 | N/A | 7.5 HIGH |
Uniswap Universal Router before 1.1.0 mishandles reentrancy. This would have allowed theft of funds. | |||||
CVE-2022-41274 | 1 Sap | 1 Disclosure Management | 2023-01-10 | N/A | 6.5 MEDIUM |
SAP Disclosure Management - version 10.1, allows an authenticated attacker to exploit certain misconfigured application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can lead to the exposure of data like financial reports. | |||||
CVE-2022-43438 | 1 Easy Test Project | 1 Easy Test | 2023-01-09 | N/A | 8.8 HIGH |
The Administrator function of EasyTest has an Incorrect Authorization vulnerability. A remote attacker authenticated as a general user can exploit this vulnerability to bypass the intended access restrictions, to make API functions calls, manipulate system and terminate service. | |||||
CVE-2022-3911 | 1 Iubenda | 1 Iubenda-cookie-law-solution | 2023-01-09 | N/A | 8.8 HIGH |
The iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etc | |||||
CVE-2022-32945 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2023-01-09 | N/A | 4.3 MEDIUM |
An access issue was addressed with additional sandbox restrictions on third-party apps. This issue is fixed in macOS Ventura 13. An app may be able to record audio with paired AirPods. | |||||
CVE-2022-42849 | 1 Apple | 4 Ipados, Iphone Os, Tvos and 1 more | 2023-01-09 | N/A | 7.8 HIGH |
An access issue existed with privileged API calls. This issue was addressed with additional restrictions. This issue is fixed in iOS 16.2 and iPadOS 16.2, tvOS 16.2, watchOS 9.2. A user may be able to elevate privileges. | |||||
CVE-2021-31001 | 1 Apple | 2 Ipados, Iphone Os | 2023-01-09 | 4.0 MEDIUM | 6.5 MEDIUM |
An access issue was addressed with improved access restrictions. This issue is fixed in iOS 15 and iPadOS 15. An attacker in a privileged network position may be able to leak sensitive user information. | |||||
CVE-2022-23553 | 1 Alpine Project | 1 Alpine | 2023-01-06 | N/A | 7.5 HIGH |
Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows URL access filter bypass. This issue has been fixed in version 1.10.4. There are no known workarounds. |