Vulnerabilities (CVE)

Filtered by CWE-862
Total 670 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-25025 2022-01-17 N/A N/A
The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events
CVE-2021-0643 1 Google 1 Android 2022-01-14 2.1 LOW 5.5 MEDIUM
In getAllSubInfoList of SubscriptionController.java, there is a possible way to retrieve a long term identifier without the correct permissions due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-183612370
CVE-2021-43333 1 Datalogic 1 Dxu 2022-01-12 5.8 MEDIUM 6.5 MEDIUM
The Datalogic DXU service on (for example) DL-Axist devices does not require authentication for configuration changes or disclosure of configuration settings.
CVE-2021-20873 1 Yappli 1 Yappli 2022-01-12 5.8 MEDIUM 8.1 HIGH
Yappli is an application development platform which provides the function to access a requested URL using Custom URL Scheme. When Android apps are developed with Yappli versions since v7.3.6 and prior to v9.30.0, they are vulnerable to improper authorization in Custom URL Scheme handler, and may be directed to unintended sites via a specially crafted URL.
CVE-2021-24831 1 Rich-web 1 Tab 2022-01-11 5.0 MEDIUM 7.5 HIGH
All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs.
CVE-2021-25032 2022-01-10 N/A N/A
The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role.
CVE-2022-22111 1 Daybydaycrm 1 Daybyday Crm 2022-01-08 6.5 MEDIUM 8.8 HIGH
In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highest privileged user in the application.
CVE-2022-22107 1 Daybydaycrm 1 Daybyday Crm 2022-01-08 4.0 MEDIUM 4.3 MEDIUM
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.
CVE-2022-22108 1 Daybydaycrm 1 Daybyday Crm 2022-01-08 4.0 MEDIUM 4.3 MEDIUM
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.
CVE-2021-24997 1 Wp-guppy 1 Wp Guppy 2022-01-07 6.4 MEDIUM 6.5 MEDIUM
The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user
CVE-2021-3653 2 Linux, Redhat 2 Linux Kernel, Enterprise Linux 2022-01-06 6.1 MEDIUM 8.8 HIGH
A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "int_ctl" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.
CVE-2020-20944 1 Qibosoft 1 Qibosoft 2022-01-06 6.4 MEDIUM 9.1 CRITICAL
An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 allows attackers to arbitrarily delete files.
CVE-2021-37572 1 Mediatek 14 Mt7603e, Mt7603e Firmware, Mt7613 and 11 more 2022-01-06 5.0 MEDIUM 7.5 HIGH
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. (Affected Chipsets MT7603E, MT7613, MT7615, MT7622, MT7628, MT7629, MT7915; Affected Software Versions 2.0.2; Missing authorization).
CVE-2021-44233 1 Sap 1 Access Control 2022-01-03 6.5 MEDIUM 8.8 HIGH
SAP GRC Access Control - versions V1100_700, V1100_731, V1200_750, does not perform necessary authorization checks for an authenticated user, which could lead to escalation of privileges.
CVE-2019-15954 1 Totaljs 1 Total.js Cms 2022-01-01 9.0 HIGH 9.9 CRITICAL
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side. In the process of evaluating the tag by the back-end, it is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(child_process).exec(RCE);</script>
CVE-2019-7272 1 Optergy 2 Enterprise, Proton 2022-01-01 5.0 MEDIUM 5.3 MEDIUM
Optergy Proton/Enterprise devices allow Username Disclosure.
CVE-2020-24718 4 Freebsd, Netapp, Omniosce and 1 more 4 Freebsd, Clustered Data Ontap, Omnios and 1 more 2022-01-01 7.2 HIGH 8.2 HIGH
bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.
CVE-2020-28368 3 Debian, Fedoraproject, Xen 3 Debian Linux, Fedora, Xen 2022-01-01 2.1 LOW 4.4 MEDIUM
Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.
CVE-2021-26085 1 Atlassian 1 Confluence 2022-01-01 5.0 MEDIUM 5.3 MEDIUM
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
CVE-2021-40853 1 Tcman 1 Gim 2021-12-21 6.4 MEDIUM 7.2 HIGH
TCMAN GIM does not perform an authorization check when trying to access determined resources. A remote attacker could exploit this vulnerability to access URL that require privileges without having them. The exploitation of this vulnerability might allow a remote attacker to obtain sensible information.