Total: 2148 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-36910 | 1 Jenkins | 1 Lucene-search | 2023-12-10 | N/A | 5.4 MEDIUM | Jenkins Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to reindex the database and to obtain information about jobs otherwise inaccessible to them. |
CVE-2022-2276 | 1 Wp Edit Menu Project | 1 Wp Edit Menu | 2023-12-10 | N/A | 4.3 MEDIUM | The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF checks in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog. |
CVE-2022-2382 | 1 Shapedplugin | 1 Product Slider For Woocommerce | 2023-12-10 | N/A | 4.3 MEDIUM | The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lacks authorisation in some of its AJAX actions, allowing any authenticated user, such as a subscriber, to call them. One in particular could allow them to delete arbitrary blog options. |
CVE-2021-32504 | 1 Sick | 2 Ftmg, Ftmg Firmware | 2023-12-10 | N/A | 5.3 MEDIUM | Unauthenticated users can access sensitive web URLs through GET requests, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information to launch further attacks on the system. |
CVE-2022-36892 | 1 Jenkins | 1 Rhnpush-plugin | 2023-12-10 | N/A | 4.3 MEDIUM | Jenkins rhnpush-plugin Plugin 0.5.1 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. |
CVE-2022-20312 | 1 Google | 1 Android | 2023-12-10 | N/A | 5.5 MEDIUM | In WifiP2pManager, there is a possible way to obtain the WiFi P2P MAC address without user consent due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-192244925 |
CVE-2022-2108 | 1 Wbcomdesigns | 1 Buddypress Group Reviews | 2023-12-10 | N/A | 5.3 MEDIUM | The Wbcom Designs – BuddyPress Group Reviews plugin for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to those actions, in versions up to and including 2.8.3. This makes it possible for unauthenticated attackers to modify reviews and plugin settings on the affected site. |
CVE-2022-20360 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH | In setChecked of SecureNfcPreferenceController.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-228314987 |
CVE-2022-26423 | 1 Aethon | 1 Tug Home Base Server | 2023-12-10 | N/A | 7.5 HIGH | Aethon TUG Home Base Server versions prior to version 24 are affected by a flaw that lets an unauthenticated attacker freely access hashed user credentials. |
CVE-2022-36836 | 1 Samsung | 2 Charm, Charm Firmware | 2023-12-10 | N/A | 5.5 MEDIUM | Unprotected provider vulnerability in Charm by Samsung prior to version 1.2.3 allows attackers to read connection state without permission. |
CVE-2022-20328 | 1 Google | 1 Android | 2023-12-10 | N/A | 3.3 LOW | In PackageManager, there is a possible way to determine whether an app is installed due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-184948501 |
CVE-2022-20311 | 1 Google | 1 Android | 2023-12-10 | N/A | 3.3 LOW | In Telecomm, there is a possible disclosure of registered self-managed phone accounts due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-192663553 |
CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2023-12-10 | N/A | 5.3 MEDIUM | The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug setting, allowing unauthenticated attackers to update it with a crafted request. |
CVE-2022-2379 | 1 Easy Student Results Project | 1 Easy Student Results | 2023-12-10 | N/A | 7.5 HIGH | The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to courses, exams and departments, as well as students' grades and PII such as email address, physical address, phone number, etc. |
CVE-2021-3814 | 1 Redhat | 1 3scale | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | It was found that 3scale's APIdocs does not validate the access token; in the case of an invalid token, it uses session auth instead. This conceivably bypasses access controls and permits unauthorized information disclosure. |
CVE-2022-1423 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | Improper access control in the CI/CD cache mechanism in GitLab CE/EE, affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1, allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches. |
CVE-2021-39750 | 1 Google | 1 Android | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH | In PackageManager, there is a possible way to change the splash screen theme of other apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12L. Android ID: A-206474016 |
CVE-2022-0871 | 1 Gogs | 1 Gogs | 2023-12-10 | 5.8 MEDIUM | 9.1 CRITICAL | Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5. |
CVE-2022-28144 | 1 Jenkins | 1 Proxmox | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using an attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters. |
CVE-2021-3656 | 3 Fedoraproject, Linux, Redhat | 26 Fedora, Linux Kernel, 3scale Api Management and 23 more | 2023-12-10 | 7.2 HIGH | 8.8 HIGH | A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. |