Total: 537 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-0260 | 1 Juniper | 1 Junos | 2022-09-20 | 7.5 HIGH | 7.3 HIGH |
| An improper authorization vulnerability in the Simple Network Management Protocol daemon (snmpd) service of Juniper Networks Junos OS leads to an unauthenticated attacker being able to perform SNMP read actions, an Exposure of System Data to an Unauthorized Control Sphere, or write actions to OIDs that support write operations, against the device without authentication. This issue affects: Juniper Networks Junos OS: 17.2 version 17.2R1 and later versions; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R1-S8, 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R2; 19.2 versions prior to 19.2R1-S6, 19.2R2; 19.3 versions prior to 19.3R2. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1. | |||||
| CVE-2022-31167 | 1 Xwiki | 1 Xwiki | 2022-09-14 | N/A | 6.5 MEDIUM |
| XWiki Platform Security Parent POM contains the security APIs for XWiki Platform, a generic wiki platform. Starting with version 5.0 and prior to 12.10.11, 13.10.1, and 13.4.6, a bug in the security cache stores rules associated to document Page1.Page2 and space Page1.Page2 in the same cache entry. That means that it's possible to overwrite the rights of a space or a document by creating the page of the space with the same name and checking the right of the new one first so that they end up in the security cache and are used for the other too. The problem has been patched in XWiki 12.10.11, 13.10.1, and 13.4.6. There are no known workarounds. | |||||
| CVE-2022-36090 | 1 Xwiki | 1 Xwiki | 2022-09-13 | N/A | 8.1 HIGH |
| XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. In the same way, some resource handlers created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki, for instance when configured with the email activation required for new users. It is now more critical for versions 11.3-rc-1 and later, since the maintainers provided the capability to disable users without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki. | |||||
| CVE-2022-2901 | 1 Chatwoot | 1 Chatwoot | 2022-09-13 | N/A | 7.1 HIGH |
| Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8. | |||||
| CVE-2020-7530 | 1 Schneider-electric | 1 Scadapack 7x Remote Connect | 2022-09-03 | 6.5 MEDIUM | 8.8 HIGH |
| A CWE-285 Improper Authorization vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows improper access to executable code folders. | |||||
| CVE-2022-34256 | 2 Adobe, Magento | 2 Commerce, Magento | 2022-08-31 | N/A | 9.8 CRITICAL |
| Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction. | |||||
| CVE-2021-24188 | 1 Wp-buy | 1 Wp Content Copy Protection & No Right Click | 2022-08-30 | 6.5 MEDIUM | 8.8 HIGH |
| Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Content Copy Protection & No Right Click WordPress plugin before 3.1.5, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE. | |||||
| CVE-2021-25352 | 1 Samsung | 1 Bixby Voice | 2022-08-12 | 4.6 MEDIUM | 7.8 HIGH |
| Using PendingIntent with implicit intent in Bixby Voice prior to version 3.0.52.14 allows attackers to execute privileged action by hijacking and modifying the intent. | |||||
| CVE-2021-21432 | 1 Go-vela | 1 Vela | 2022-08-12 | 3.5 LOW | 6.5 MEDIUM |
| Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. An authentication mechanism added in version 0.7.0 enables a malicious user to obtain secrets utilizing the injected credentials within the `~/.netrc` file. Refer to the referenced GitHub Security Advisory for complete details. This is fixed in version 0.7.5. | |||||
| CVE-2021-25373 | 2 Google, Samsung | 2 Android, Customization Service | 2022-08-12 | 4.6 MEDIUM | 7.8 HIGH |
| Using unsafe PendingIntent in Customization Service prior to version 2.2.02.1 in Android O(8.x), 2.4.03.0 in Android P(9.0), 2.7.02.1 in Android Q(10.0) and 2.9.01.1 in Android R(11.0) allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent. | |||||
| CVE-2021-41093 | 1 Wire | 1 Wire | 2022-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| Wire is an open source secure messenger. In affected versions, if an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86, which uses a new endpoint that additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together. | |||||
| CVE-2021-41568 | 1 Tad Web Project | 1 Tad Web | 2022-08-12 | 6.4 MEDIUM | 6.5 MEDIUM |
| Tad Web is vulnerable to authorization bypass, thus remote attackers can exploit the vulnerability to use the original function of viewing bulletin boards and uploading files in the system. | |||||
| CVE-2021-41975 | 1 Tadtools Project | 1 Tadtools | 2022-08-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| TadTools special page is vulnerable to authorization bypass, thus remote attackers can use the specific parameter to delete arbitrary files in the system without logging in. | |||||
| CVE-2021-41976 | 1 Tad Uploader Project | 1 Tad Uploader | 2022-08-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in. | |||||
| CVE-2021-41137 | 1 Minio | 1 Minio | 2022-08-12 | 6.5 MEDIUM | 8.8 HIGH |
| Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround. | |||||
| CVE-2021-42330 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2022-08-12 | 5.5 MEDIUM | 8.8 HIGH |
| The “Teacher Edit” function of ShinHer StudyOnline System does not perform authority control. After logging in with a user’s privilege, remote attackers can access and edit other users’ credentials and personal information by crafting URL parameters. | |||||
| CVE-2021-42331 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2022-08-12 | 5.5 MEDIUM | 5.4 MEDIUM |
| The “Study Edit” function of ShinHer StudyOnline System does not perform permission control. After logging in with a user’s privilege, remote attackers can access and edit other users’ tutorial schedules by crafting URL parameters. | |||||
| CVE-2021-42332 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2022-08-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| The “List View” function of ShinHer StudyOnline System is not under authority control. After logging in with a user’s privilege, remote attackers can access the content of other users’ message boards by crafting URL parameters. | |||||
| CVE-2021-42336 | 1 Huaju | 1 Easytest Online Learning Test Platform | 2022-08-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| The learning history page of Easytest is vulnerable to permission bypass. After obtaining a user’s permission, remote attackers can access other users’ and administrators’ account information, except passwords, by crafting URL parameters. | |||||
| CVE-2022-33722 | 1 Google | 1 Android | 2022-08-11 | N/A | 3.3 LOW |
| Implicit Intent hijacking vulnerability in Smart View prior to SMR Aug-2022 Release 1 allows an attacker to access the connected device's MAC address. | |||||
