Total
150 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-4804 | 1 Usememos | 1 Memos | 2023-12-10 | N/A | 5.3 MEDIUM |
Improper Authorization in GitHub repository usememos/memos prior to 0.9.1. | |||||
CVE-2022-2901 | 1 Chatwoot | 1 Chatwoot | 2023-12-10 | N/A | 7.1 HIGH |
Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8. | |||||
CVE-2022-2595 | 1 Kromit | 1 Titra | 2023-12-10 | N/A | 10.0 CRITICAL |
Improper Authorization in GitHub repository kromitgmbh/titra prior to 0.79.1. | |||||
CVE-2022-32170 | 1 Bytebase | 1 Bytebase | 2023-12-10 | N/A | N/A |
The “Bytebase” application does not restrict low privilege user to access admin “projects“ for which an unauthorized user can view the “projects“ created by “Admin” and the affected endpoint is “/api/project?user=${userId}”. | |||||
CVE-2022-31168 | 1 Zulip | 1 Zulip | 2023-12-10 | N/A | 8.8 HIGH |
Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots. | |||||
CVE-2022-29233 | 1 Bigbluebutton | 1 Bigbluebutton | 2023-12-10 | 5.0 MEDIUM | 4.3 MEDIUM |
BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds. | |||||
CVE-2022-0829 | 1 Webmin | 1 Webmin | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
Improper Authorization in GitHub repository webmin/webmin prior to 1.990. | |||||
CVE-2022-0587 | 1 Librenms | 1 Librenms | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Improper Authorization in Packagist librenms/librenms prior to 22.2.0. | |||||
CVE-2022-0860 | 2 Cobbler Project, Fedoraproject | 2 Cobbler, Fedora | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. | |||||
CVE-2022-30670 | 2 Adobe, Microsoft | 2 Robohelp Server, Windows | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
RoboHelp Server earlier versions than RHS 11 Update 3 are affected by an Improper Authorization vulnerability which could lead to privilege escalation. An authenticated attacker could leverage this vulnerability to achieve full administrator privileges. Exploitation of this issue does not require user interaction. | |||||
CVE-2021-42338 | 1 4mosan | 1 Gcb Doctor | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload and execution of arbitrary files. | |||||
CVE-2021-32688 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2023-12-10 | 7.5 HIGH | 8.8 HIGH |
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading. | |||||
CVE-2020-24431 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2023-12-10 | 5.8 MEDIUM | 4.4 MEDIUM |
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) for macOS are affected by a security feature bypass that could result in dynamic library code injection by the Adobe Reader process. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
CVE-2019-14828 | 1 Moodle | 1 Moodle | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role. | |||||
CVE-2020-6311 | 1 Sap | 2 Bank Analyzer, S\/4hana For Financial Products Subledger | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Banking services from SAP 9.0 (Bank Analyzer), version - 500, and SAP S/4HANA for financial products subledger, version ? 100, does not correctly perform necessary authorization checks for an authenticated user due to Improper Authorization checks, that may cause a system administrator to create incorrect authorization proposals. This may result in privilege escalation and may expose restricted banking data. | |||||
CVE-2018-13908 | 1 Qualcomm | 94 Ipq8074, Ipq8074 Firmware, Mdm9150 and 91 more | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
Truncated access authentication token leads to weakened access control for stored secure application data in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130 | |||||
CVE-2017-8777 | 1 Open-xchange | 1 Ox Cloud | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
Open-Xchange GmbH OX Cloud Plugins 1.4.0 and earlier is affected by: Missing Authorization. | |||||
CVE-2017-8409 | 1 Dlink | 2 Dcs-1130, Dcs-1130 Firmware | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on D-Link DCS-1130 devices. The device requires that a user logging to the device to provide a username and password. However, the device does not enforce the same restriction on a specific URL thereby allowing any attacker in possession of that to view the live video feed. The severity of this attack is enlarged by the fact that there more than 100,000 D-Link devices out there. | |||||
CVE-2017-8252 | 1 Qualcomm | 110 Ipq4019, Ipq4019 Firmware, Ipq8074 and 107 more | 2023-12-10 | 4.9 MEDIUM | 5.5 MEDIUM |
Kernel can inject faults in computations during the execution of TrustZone leading to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SM7150, Snapdragon_High_Med_2016, SXR1130 | |||||
CVE-2018-16086 | 1 Google | 1 Chrome | 2023-12-10 | 5.8 MEDIUM | 5.4 MEDIUM |
Insufficient policy enforcement in extensions API in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. |