Total
1299 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45760 | 1 Sens Project | 1 Sens | 2022-12-14 | N/A | 8.8 HIGH |
| SENS v1.0 is vulnerable to Incorrect Access Control vulnerability. | |||||
| CVE-2013-0543 | 4 Hp, Ibm, Linux and 1 more | 4 Hp-ux, Websphere Application Server, Linux Kernel and 1 more | 2022-12-13 | 6.8 MEDIUM | N/A |
| IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Linux, Solaris, and HP-UX, when a Local OS registry is used, does not properly validate user accounts, which allows remote attackers to bypass intended access restrictions via unspecified vectors. | |||||
| CVE-2021-29439 | 1 Getgrav | 1 Grav Admin | 2022-12-13 | 6.5 MEDIUM | 7.2 HIGH |
| The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary code execution primitive and elevate their privileges on the instance. The vulnerability has been addressed in version 1.10.11. As a mitigation blocking access to the `/admin` path from untrusted sources will reduce the probability of exploitation. | |||||
| CVE-2019-4311 | 1 Ibm | 1 Security Guardium Big Data Intelligence | 2022-12-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Security Guardium Big Data Intelligence (SonarG) 4.0 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 161037. | |||||
| CVE-2022-41918 | 1 Amazon | 1 Opensearch | 2022-12-12 | N/A | 6.3 MEDIUM |
| OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue. | |||||
| CVE-2022-39913 | 1 Google | 1 Android | 2022-12-12 | N/A | 3.3 LOW |
| Exposure of Sensitive Information to an Unauthorized Actor in Persona Manager prior to Android T(13) allows local attacker to access user profiles information. | |||||
| CVE-2022-39914 | 1 Google | 1 Android | 2022-12-12 | N/A | 3.3 LOW |
| Exposure of Sensitive Information from an Unauthorized Actor vulnerability in Samsung DisplayManagerService prior to Android T(13) allows local attacker to access connected DLNA device information. | |||||
| CVE-2022-39903 | 1 Google | 1 Android | 2022-12-12 | N/A | 3.3 LOW |
| Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number. | |||||
| CVE-2022-39902 | 1 Samsung | 2 Exynos, Exynos Firmware | 2022-12-09 | N/A | 7.5 HIGH |
| Improper authorization in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to get sensitive information including IMEI via emergency call. | |||||
| CVE-2020-36610 | 1 Duxcms Project | 1 Duxcms | 2022-12-09 | N/A | 8.0 HIGH |
| A vulnerability was found in annyshow DuxCMS 2.1. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215116. | |||||
| CVE-2022-4349 | 1 Pwn Project | 1 Pwn | 2022-12-09 | N/A | 6.8 MEDIUM |
| A vulnerability classified as problematic has been found in CTF-hacker pwn. This affects an unknown part of the file delete.html. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-215109 was assigned to this vulnerability. | |||||
| CVE-2022-3024 | 1 Simple Bitcoin Faucets Project | 1 Simple Bitcoin Faucets | 2022-12-09 | N/A | 5.4 MEDIUM |
| The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-25097 | 1 Creativityjuice | 1 Labtools | 2022-12-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF check in place when deleting publications, allowing any authenticated users, such as subscriber to delete arbitrary publication | |||||
| CVE-2021-38503 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2022-12-09 | 7.5 HIGH | 10.0 CRITICAL |
| The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. | |||||
| CVE-2020-14321 | 1 Moodle | 1 Moodle | 2022-12-07 | N/A | 8.8 HIGH |
| In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course. | |||||
| CVE-2021-21693 | 1 Jenkins | 1 Jenkins | 2022-12-07 | 7.5 HIGH | 9.8 CRITICAL |
| When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | |||||
| CVE-2022-44039 | 1 Franklinfueling | 1 Colibri Firmware | 2022-12-06 | N/A | 9.8 CRITICAL |
| Franklin Fueling System FFS Colibri 1.9.22.8925 is affected by: File system overwrite. The impact is: File system rewrite (remote). ΒΆΒΆ An attacker can overwrite system files like [system.conf] and [passwd], this occurs because the insecure usage of "fopen" system function with the mode "wb" which allows overwriting file if exists. Overwriting files such as passwd, allows an attacker to escalate his privileges by planting backdoor user with root privilege or change root password. | |||||
| CVE-2020-9492 | 2 Apache, Oracle | 3 Hadoop, Solr, Financial Services Crime And Compliance Management Studio | 2022-12-06 | 6.5 MEDIUM | 8.8 HIGH |
| In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. | |||||
| CVE-2022-41970 | 1 Nextcloud | 1 Nextcloud Server | 2022-12-06 | N/A | 5.3 MEDIUM |
| Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available. | |||||
| CVE-2022-46167 | 1 Clastix | 1 Capsule | 2022-12-06 | N/A | 8.8 HIGH |
| Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule Operator and removing all the enforcement like Pod Security annotations, Network Policies, Limit Range and Resource Quota items. An attacker could detach the Namespace from a Tenant that is forbidding starting privileged Pods using the Pod Security labels by removing the OwnerReference, removing the enforcement labels, and being able to start privileged containers that would be able to start a generic Kubernetes privilege escalation. Patches have been released for version 0.1.3. No known workarounds are available. | |||||