Total: 537 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-22272 | 1 Google | 1 Android | 2023-06-27 | 2.1 LOW | 3.3 LOW |
| Improper authorization in TelephonyManager prior to SMR Jan-2022 Release 1 allows attackers to get IMSI without READ_PRIVILEGED_PHONE_STATE permission | |||||
| CVE-2022-22288 | 1 Samsung | 1 Galaxy Store | 2023-06-27 | 5.0 MEDIUM | 7.5 HIGH |
| Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 allows remote app installation of the allowlist. | |||||
| CVE-2022-36876 | 1 Samsung | 1 Samsung Pass | 2023-06-27 | N/A | 2.4 LOW |
| Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10 allows physical attackers to access account list without authentication. | |||||
| CVE-2022-36857 | 2 Google, Samsung | 2 Android, Photo Editor | 2023-06-27 | N/A | 2.4 LOW |
| Improper Authorization vulnerability in Photo Editor prior to SMR Sep-2022 Release 1 allows physical attackers to read internal application data. | |||||
| CVE-2022-36852 | 1 Google | 1 Android | 2023-06-27 | N/A | 3.3 LOW |
| Improper Authorization vulnerability in Video Editor prior to SMR Sep-2022 Release 1 allows local attacker to access internal application data. | |||||
| CVE-2022-36848 | 1 Google | 1 Android | 2023-06-27 | N/A | 5.5 MEDIUM |
| Improper Authorization vulnerability in setDualDARPolicyCmd prior to SMR Sep-2022 Release 1 allows local attackers to cause local permanent denial of service. | |||||
| CVE-2022-39356 | 1 Discourse | 1 Discourse | 2023-06-27 | N/A | 8.8 HIGH |
| Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses. | |||||
| CVE-2022-39341 | 1 Openfga | 1 Openfga | 2023-06-27 | N/A | 9.8 CRITICAL |
| OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (`*`) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch for this issue. | |||||
| CVE-2022-39340 | 1 Openfga | 1 Openfga | 2023-06-27 | N/A | 5.3 MEDIUM |
| OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue. | |||||
| CVE-2022-39902 | 1 Samsung | 2 Exynos, Exynos Firmware | 2023-06-27 | N/A | 7.5 HIGH |
| Improper authorization in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to get sensitive information including IMEI via emergency call. | |||||
| CVE-2022-39879 | 1 Google | 1 Android | 2023-06-27 | N/A | 3.3 LOW |
| Improper authorization vulnerability in CallBGProvider prior to SMR Nov-2022 Release 1 allows local attacker to grant permission for accessing information with phone uid. | |||||
| CVE-2022-39862 | 2 Google, Samsung | 2 Android, Dynamic Lockscreen | 2023-06-27 | N/A | 9.8 CRITICAL |
| Improper authorization in Dynamic Lockscreen prior to SMR Sep-2022 Release 1 in Android R(11) and 3.3.03.66 in Android S(12) allows unauthorized use of javascript interface api. | |||||
| CVE-2022-2019 | 1 Prison Management System Project | 1 Prison Management System | 2023-06-27 | 4.3 MEDIUM | 7.5 HIGH |
| A vulnerability classified as critical was found in SourceCodester Prison Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /classes/Users.php?f=save of the component New User Creation. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-0027 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2023-06-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper authorization vulnerability in Palo Alto Network Cortex XSOAR software enables authenticated users in non-Read-Only groups to generate an email report that contains summary information about all incidents in the Cortex XSOAR instance, including incidents to which the user does not have access. This issue impacts: All versions of Cortex XSOAR 6.1; All versions of Cortex XSOAR 6.2; All versions of Cortex XSOAR 6.5; Cortex XSOAR 6.6 versions earlier than Cortex XSOAR 6.6.0 build 6.6.0.2585049. | |||||
| CVE-2022-24002 | 1 Samsung | 1 Link Sharing | 2023-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper Authorization vulnerability in Link Sharing prior to version 12.4.00.3 allows attackers to open protected activity via PreconditionActivity. | |||||
| CVE-2023-0837 | 3 Apple, Microsoft, Teamviewer | 3 Macos, Windows, Remote | 2023-06-22 | N/A | 5.5 MEDIUM |
| An improper authorization check of local device settings in TeamViewer Remote between version 15.41 and 15.42.7 for Windows and macOS allows an unprivileged user to change basic local device settings even though the options were locked. This can result in unwanted changes to the configuration. | |||||
| CVE-2023-29152 | 1 Ptc | 1 Vuforia Studio | 2023-06-15 | N/A | 8.1 HIGH |
| By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account. | |||||
| CVE-2023-24476 | 1 Ptc | 1 Vuforia Studio | 2023-06-15 | N/A | 3.3 LOW |
| An attacker with local access to the machine could record the traffic, which could allow them to resend requests without the server authenticating that the user or session are valid. | |||||
| CVE-2023-34091 | 1 Nirmata | 1 Kyverno | 2023-06-09 | N/A | 6.5 MEDIUM |
| Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs as resources pending deletion were being consciously exempted by Kyverno, as a way to reduce processing load as policies are typically not applied to objects which are being deleted. However, this could potentially result in allowing a malicious user to leverage the Kubernetes finalizers feature by setting a finalizer which causes the Kubernetes API server to set the `deletionTimestamp` and then not completing the delete operation as a way to explicitly to bypass a Kyverno policy. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround. | |||||
| CVE-2023-33183 | 1 Nextcloud | 1 Calendar | 2023-06-05 | N/A | 4.3 MEDIUM |
| Calendar app for Nextcloud easily sync events from various devices with your Nextcloud. Some internal paths of the website are disclosed when the SMTP server is unavailable. It is recommended that the Calendar app is updated to 3.5.5 or 4.2.3 | |||||
