Total
2209 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-39114 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In Music service, there is a missing permission check. This could lead to local denial of service in Music service with no additional execution privileges needed. | |||||
CVE-2022-38688 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
CVE-2022-3501 | 1 Otrs | 1 Otrs | 2023-12-10 | N/A | 7.5 HIGH |
Article template contents with sensitive data could be accessed from agents without permissions. | |||||
CVE-2022-39109 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In Music service, there is a missing permission check. This could lead to elevation of privilege in Music service with no additional execution privileges needed. | |||||
CVE-2022-36091 | 1 Xwiki | 1 Xwiki | 2023-12-10 | N/A | 7.5 HIGH |
XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though. | |||||
CVE-2021-39190 | 1 Teclib-edition | 1 System Center Configuration Manager | 2023-12-10 | N/A | 5.3 MEDIUM |
The SCCM plugin for GLPI is a plugin to synchronize computers from SCCM (version 1802) to GLPI. In versions prior to 2.3.0, the Configuration page is publicly accessible in read-only mode. This issue is patched in version 2.3.0. No known workarounds exist. | |||||
CVE-2022-20329 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH |
In Wifi, there is a possible way to enable Wifi without permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-183410556 | |||||
CVE-2022-2369 | 1 Yaycommerce | 1 Yaysmtp | 2023-12-10 | N/A | 4.3 MEDIUM |
The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin | |||||
CVE-2022-38677 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In cell service, there is a missing permission check. This could lead to local denial of service in cell service with no additional execution privileges needed. | |||||
CVE-2022-21777 | 2 Google, Mediatek | 42 Android, Mt6580, Mt6735 and 39 more | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
In Autoboot, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06713894; Issue ID: ALPS06713894. | |||||
CVE-2020-15338 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | N/A | 5.3 MEDIUM |
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a "Use of GET Request Method With Sensitive Query Strings" issue for /cnr requests. | |||||
CVE-2022-39960 | 1 Netic | 1 Group Export | 2023-12-10 | N/A | 5.3 MEDIUM |
The Netic Group Export add-on before 1.0.3 for Atlassian Jira does not perform authorization checks. This might allow an unauthenticated user to export all groups from the Jira instance by making a groupexport_download=true request to a plugins/servlet/groupexportforjira/admin/ URI. | |||||
CVE-2022-40316 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-12-10 | N/A | 4.3 MEDIUM |
The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to. | |||||
CVE-2022-20323 | 1 Google | 1 Android | 2023-12-10 | N/A | 5.5 MEDIUM |
In PackageManager, there is a possible package installation disclosure due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-187176203 | |||||
CVE-2022-20358 | 1 Google | 1 Android | 2023-12-10 | N/A | 3.3 LOW |
In startSync of AbstractThreadedSyncAdapter.java, there is a possible way to access protected content of content providers due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-203229608 | |||||
CVE-2022-25810 | 1 Transposh | 1 Transposh Wordpress Translation | 2023-12-10 | N/A | 6.5 MEDIUM |
The Transposh WordPress Translation WordPress plugin through 1.0.8 exposes a couple of sensitive actions such has “tp_reset” under the Utilities tab (/wp-admin/admin.php?page=tp_utils), which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and backup/restore operations. | |||||
CVE-2022-43431 | 1 Jenkins | 1 Compuware Strobe Measurement | 2023-12-10 | N/A | 4.3 MEDIUM |
Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
CVE-2022-3451 | 1 Addify | 1 Product Stock Manager | 2023-12-10 | N/A | 4.3 MEDIUM |
The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options | |||||
CVE-2022-20352 | 1 Google | 1 Android | 2023-12-10 | N/A | 5.5 MEDIUM |
In addProviderRequestListener of LocationManagerService.java, there is a possible way to learn which packages request location information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-222473855 | |||||
CVE-2022-39111 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In Music service, there is a missing permission check. This could lead to elevation of privilege in Music service with no additional execution privileges needed. |