Vulnerabilities (CVE)

Filtered by CWE-863
Total 1271 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-3563 3 Debian, Openstack, Redhat 3 Debian Linux, Keystone, Openstack Platform 2022-11-28 N/A 7.4 HIGH
A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2022-41326 1 Mitel 1 Micollab 2022-11-26 N/A 9.8 CRITICAL
The web conferencing component of Mitel MiCollab through could allow an unauthenticated attacker to upload arbitrary scripts due to improper authorization controls. A successful exploit could allow remote code execution within the context of the application.
CVE-2022-34827 1 Carel 2 Boss Mini, Boss Mini Firmware 2022-11-24 N/A 9.9 CRITICAL
Carel Boss Mini 1.5.0 has Improper Access Control.
CVE-2022-40216 1 Wordplus 1 Better Messages 2022-11-23 N/A 6.5 MEDIUM
Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= on WordPress.
CVE-2021-26360 1 Amd 36 Enterprise Driver, Radeon Pro Software, Radeon Pro W6300m and 33 more 2022-11-23 N/A 7.8 HIGH
An attacker with local access to the system can make unauthorized modifications of the security configuration of the SOC registers. This could allow potential corruption of AMD secure processor’s encrypted memory contents which may lead to arbitrary code execution in ASP.
CVE-2022-41155 1 Webence 1 Iq Block Country 2022-11-23 N/A 9.8 CRITICAL
Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress.
CVE-2022-1365 1 Cross-fetch Project 1 Cross-fetch 2022-11-22 4.0 MEDIUM 6.5 MEDIUM
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.
CVE-2022-42903 1 Zohocorp 1 Manageengine Supportcenter Plus 2022-11-22 N/A 3.3 LOW
Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.
CVE-2022-36785 1 Dlink 2 G Integrated Access Device4, G Integrated Access Device4 Firmware 2022-11-22 N/A 7.5 HIGH
D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. *Information Disclosure – file contains a URL with private IP at line 15 "login.asp" A. The window.location.href ="" ; "admin" – contains default username value "login.asp" B. While accessing the web interface, the login form at *Authorization Bypass – URL by "setupWizard.asp' while it blocks direct access to – the web interface does not properly validate user identity variables values located at the client side, it is available to access it without a "login_glag" and "login_status" checking browser and to read the admin user credentials for the web interface.
CVE-2022-20928 1 Cisco 2 Adaptive Security Appliance, Firepower Threat Defense 2022-11-21 N/A 5.8 MEDIUM
A vulnerability in the authentication and authorization flows for VPN connections in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish a connection as a different user. This vulnerability is due to a flaw in the authorization verifications during the VPN authentication flow. An attacker could exploit this vulnerability by sending a crafted packet during a VPN authentication. The attacker must have valid credentials to establish a VPN connection. A successful exploit could allow the attacker to establish a VPN connection with access privileges from a different user.
CVE-2021-36778 1 Suse 1 Rancher 2022-11-21 5.0 MEDIUM 7.5 HIGH
A Incorrect Authorization vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers. This issue affects: SUSE Rancher Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3.
CVE-2022-45383 1 Jenkins 1 Support Core 2022-11-21 N/A 6.5 MEDIUM
An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.
CVE-2022-4014 1 Feehi 1 Feehicms 2022-11-18 N/A 4.3 MEDIUM
A vulnerability, which was classified as problematic, has been found in FeehiCMS. Affected by this issue is some unknown functionality of the component Post My Comment Tab. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The identifier of this vulnerability is VDB-213788.
CVE-2022-41918 1 Amazon 1 Opensearch 2022-11-18 N/A 9.8 CRITICAL
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.
CVE-2013-0889 5 Apple, Google, Linux and 2 more 5 Mac Os X, Chrome, Linux Kernel and 2 more 2022-11-18 6.8 MEDIUM N/A
Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, does not properly enforce a user gesture requirement before proceeding with a file download, which might make it easier for remote attackers to execute arbitrary code via a crafted file.
CVE-2022-40843 1 Tenda 2 Ac1200 V-w15ev2, Ac1200 V-w15ev2 Firmware 2022-11-18 N/A 4.9 MEDIUM
The Tenda AC1200 V-W15Ev2 V15.11.0.10(1576) router is vulnerable to improper authorization / improper session management that allows the router login page to be bypassed. This leads to authenticated attackers having the ability to read the routers syslog.log file which contains the MD5 password of the Administrator's user account.
CVE-2022-39385 1 Discourse 1 Discourse 2022-11-17 N/A 6.5 MEDIUM
Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This issue has been resolved in commit `a414520742` and will be included in future releases. Users are advised to upgrade. Users are also advised to set `SiteSetting.max_invites_per_day` to 0 until the patch is installed.
CVE-2022-42978 1 Atlassian 1 Confluence Data Center 2022-11-17 N/A 7.5 HIGH
In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system.
CVE-2022-40773 1 Zohocorp 2 Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus 2022-11-16 N/A 8.8 HIGH
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.
CVE-2022-32854 1 Apple 4 Ipados, Iphone Os, Macos and 1 more 2022-11-16 N/A 5.5 MEDIUM
This issue was addressed with improved checks. This issue is fixed in iOS 15.7 and iPadOS 15.7, iOS 16, macOS Big Sur 11.7. An app may be able to bypass Privacy preferences.