Total
2156 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-30924 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In messaging service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
CVE-2023-21004 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH |
In getAvailabilityStatus of several Transcode Permission Controllers, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-261193664 | |||||
CVE-2022-48384 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In srtd service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
CVE-2021-4341 | 1 Stylemixthemes | 1 Ulisting | 2023-12-10 | N/A | 9.8 CRITICAL |
The uListing plugin for WordPress is vulnerable to authorization bypass via Ajax due to missing capability checks, missing input validation, and a missing security nonce in the stm_update_email_data AJAX action in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database. | |||||
CVE-2022-48391 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
CVE-2021-4355 | 1 Collne | 1 Welcart E-commerce | 2023-12-10 | N/A | 5.3 MEDIUM |
The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders. | |||||
CVE-2023-28623 | 1 Zulip | 1 Zulip | 2023-12-10 | N/A | 3.7 LOW |
Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: The organization permissions don't require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue. | |||||
CVE-2022-48440 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
CVE-2023-27701 | 1 Muyucms | 1 Muyucms | 2023-12-10 | N/A | 8.1 HIGH |
MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /database/sqldel.html. | |||||
CVE-2022-45636 | 1 Megafeis | 1 Bofei Dbd\+ | 2023-12-10 | N/A | 8.1 HIGH |
An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 allows attacker to unlock model(s) without authorization via arbitrary API requests. | |||||
CVE-2019-25142 | 1 Extendthemes | 2 Materialis, Mesmerize | 2023-12-10 | N/A | 8.8 HIGH |
The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including,1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options. | |||||
CVE-2022-39091 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed. | |||||
CVE-2022-20240 | 1 Google | 1 Android | 2023-12-10 | N/A | 2.3 LOW |
In sOpAllowSystemRestrictionBypass of AppOpsManager.java, there is a possible leak of location information due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-231496105 | |||||
CVE-2022-4102 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2023-12-10 | N/A | 3.1 LOW |
The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorization and CSRF checks when deleting a template and does not ensure that the post to be deleted is a template. This could allow any authenticated users, such as subscribers, to delete arbitrary posts assuming they know the related slug. | |||||
CVE-2022-39096 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed. | |||||
CVE-2022-20536 | 1 Google | 1 Android | 2023-12-10 | N/A | 3.3 LOW |
In registerBroadcastReceiver of RcsService.java, there is a possible way to change preferred TTY mode due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-235100180 | |||||
CVE-2022-39097 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed. | |||||
CVE-2022-41930 | 1 Xwiki | 1 Xwiki | 2023-12-10 | N/A | 8.2 HIGH |
org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki. The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. Workarounds: The problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa. | |||||
CVE-2022-20522 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH |
In getSlice of ProviderModelSlice.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-227470877 | |||||
CVE-2022-20503 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH |
In onCreate of WifiDppConfiguratorActivity.java, there is a possible way for a guest user to add a WiFi configuration due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-224772890 |