Total
2209 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-48247 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In audio service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
CVE-2023-30522 | 1 Jenkins | 1 Fogbugz | 2023-12-10 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter. | |||||
CVE-2019-25143 | 1 Mooveagency | 1 Gdpr Cookie Compliance | 2023-12-10 | N/A | 4.3 MEDIUM |
The GDPR Cookie Compliance plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the gdpr_cookie_compliance_reset_settings AJAX action in versions up to, and including, 4.0.2. This makes it possible for authenticated attackers to reset all of the settings. | |||||
CVE-2023-21185 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH |
In multiple functions of WifiNetworkFactory.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-266700762 | |||||
CVE-2022-48491 | 1 Huawei | 1 Emui | 2023-12-10 | N/A | 5.3 MEDIUM |
Vulnerability of missing authentication on certain HUAWEI phones.Successful exploitation of this vulnerability can lead to ads and other windows to display at any time. | |||||
CVE-2021-4347 | 1 Zorem | 1 Advanced Shipment Tracking For Woocommerce | 2023-12-10 | N/A | 6.5 MEDIUM |
The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn't fully address the issue. | |||||
CVE-2022-48375 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In contacts service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
CVE-2023-1414 | 1 Coderex | 1 Wp Vr | 2023-12-10 | N/A | 4.3 MEDIUM |
The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours | |||||
CVE-2023-2786 | 1 Mattermost | 1 Mattermost | 2023-12-10 | N/A | 4.3 MEDIUM |
Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands. | |||||
CVE-2022-38685 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In bluetooth service, there is a possible missing permission check. This could lead to local denial of service in bluetooth service with no additional execution privileges needed. | |||||
CVE-2022-48248 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In audio service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
CVE-2023-2299 | 1 Vcita | 1 Online Booking \& Scheduling Calendar For Wordpress | 2023-12-10 | N/A | 5.3 MEDIUM |
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction function. This makes it possible for unauthenticated attackers modify the plugin's settings. | |||||
CVE-2020-36715 | 1 Xootix | 1 Login\/signup Popup | 2023-12-10 | N/A | 4.6 MEDIUM |
The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin settings that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
CVE-2023-30924 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In messaging service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
CVE-2023-21004 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH |
In getAvailabilityStatus of several Transcode Permission Controllers, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-261193664 | |||||
CVE-2022-48384 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In srtd service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
CVE-2021-4341 | 1 Stylemixthemes | 1 Ulisting | 2023-12-10 | N/A | 9.8 CRITICAL |
The uListing plugin for WordPress is vulnerable to authorization bypass via Ajax due to missing capability checks, missing input validation, and a missing security nonce in the stm_update_email_data AJAX action in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database. | |||||
CVE-2022-48391 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
CVE-2021-4355 | 1 Collne | 1 Welcart E-commerce | 2023-12-10 | N/A | 5.3 MEDIUM |
The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders. | |||||
CVE-2023-28623 | 1 Zulip | 1 Zulip | 2023-12-10 | N/A | 3.7 LOW |
Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: The organization permissions don't require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue. |