Vulnerabilities (CVE)

Filtered by CWE-862
Total 1219 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-24438 1 Jenkins 1 Jira Pipeline Steps 2023-02-04 N/A 6.5 MEDIUM
A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-13748 4 Debian, Fedoraproject, Google and 1 more 7 Debian Linux, Fedora, Chrome and 4 more 2023-02-03 4.3 MEDIUM 6.5 MEDIUM
Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2022-3999 1 Dpdgroup 1 Woocommerce Shipping 2023-02-03 N/A 8.1 HIGH
The DPD Baltic Shipping WordPress plugin before 1.2.57 does not have authorisation and CSRF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable.
CVE-2021-26732 1 Lannerinc 2 Iac-ast2500a, Iac-ast2500a Firmware 2023-02-03 N/A 5.3 MEDIUM
A broken access control vulnerability in the First_network_func function of spx_restservice allows an attacker to arbitrarily change the network configuration of the BMC. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
CVE-2019-3886 3 Fedoraproject, Opensuse, Redhat 3 Fedora, Leap, Libvirt 2023-02-02 4.8 MEDIUM 5.4 MEDIUM
An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.
CVE-2023-24451 1 Jenkins 1 Cisco Spark 2023-02-02 N/A 4.3 MEDIUM
A missing permission check in Jenkins Cisco Spark Notifier Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-24453 1 Jenkins 1 Testquality Updater 2023-02-02 N/A 6.5 MEDIUM
A missing check in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.
CVE-2023-24459 1 Jenkins 1 Bearychat 2023-02-02 N/A 6.5 MEDIUM
A missing permission check in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
CVE-2023-24448 1 Jenkins 1 Rabbitmq Consumer 2023-02-02 N/A 6.5 MEDIUM
A missing permission check in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.
CVE-2023-24431 1 Jenkins 1 Orka By Macstadium 2023-02-02 N/A 4.3 MEDIUM
A missing permission check in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-24433 1 Jenkins 1 Orka By Macstadium 2023-02-02 N/A 6.5 MEDIUM
Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-20912 1 Google 1 Android 2023-02-02 N/A 7.8 HIGH
In onActivityResult of AvatarPickerActivity.java, there is a possible way to access images belonging to other users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-246301995
CVE-2023-24436 1 Jenkins 1 Github Pull Request Builder 2023-02-02 N/A 4.3 MEDIUM
A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2023-24435 1 Jenkins 1 Github Pull Request Builder 2023-02-02 N/A 6.5 MEDIUM
A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2023-0619 2023-02-01 N/A N/A
The Kraken.io Image Optimizer plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset image optimizations.
CVE-2023-20916 1 Google 1 Android 2023-02-01 N/A 7.8 HIGH
In getMainActivityLaunchIntent of LauncherAppsService.java, there is a possible way to bypass the restrictions on starting activities from the background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-229256049
CVE-2019-11761 2 Canonical, Mozilla 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more 2023-02-01 5.8 MEDIUM 5.4 MEDIUM
By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.
CVE-2023-0447 1 My Youtube Channel Project 1 My Youtube Channel 2023-02-01 N/A 4.3 MEDIUM
The My YouTube Channel plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the clear_all_cache function in versions up to, and including, 3.0.12.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to clear the plugin's cache.
CVE-2022-41505 1 Tp-link 2 Tapo C200 V1, Tapo C200 V1 Firmware 2023-01-31 N/A 6.4 MEDIUM
An access control issue on TP-LInk Tapo C200 V1 devices allows physically proximate attackers to obtain root access by connecting to the UART pins, interrupting the boot process, and setting an init=/bin/sh value.
CVE-2022-4872 2023-01-31 N/A N/A
The Chained Products WordPress plugin before 2.12.0 does not have authorisation and CSRF checks, as well as does not ensure that the option to be updated belong to the plugin, allowing unauthenticated attackers to set arbitrary options to 'no'