Total
537 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0829 | 1 Webmin | 1 Webmin | 2022-05-13 | 5.5 MEDIUM | 8.1 HIGH |
| Improper Authorization in GitHub repository webmin/webmin prior to 1.990. | |||||
| CVE-2021-21511 | 1 Dell | 2 Emc Avamar Server, Emc Integrated Data Protection Appliance | 2022-04-26 | 5.5 MEDIUM | 8.1 HIGH |
| Dell EMC Avamar Server, versions 19.3 and 19.4 contain an Improper Authorization vulnerability in the web UI. A remote low privileged attacker could potentially exploit this vulnerability, to gain unauthorized read or modification access to other users' backup data. | |||||
| CVE-2021-23140 | 1 Gallagher | 1 Command Centre | 2022-04-26 | 6.5 MEDIUM | 8.8 HIGH |
| Improper Authorization vulnerability in Gallagher Command Centre Server allows command line macros to be modified by an unauthorised Command Centre Operator. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); version 8.10 and prior versions. | |||||
| CVE-2021-23136 | 1 Gallagher | 1 Command Centre | 2022-04-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Authorization vulnerability in Gallagher Command Centre Server allows macro overrides to be performed by an unprivileged Command Centre Operator. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); version 8.10 and prior versions. | |||||
| CVE-2021-36276 | 1 Dell | 1 Dbutildrv2.sys Firmware | 2022-04-25 | 4.6 MEDIUM | 7.8 HIGH |
| Dell DBUtilDrv2.sys driver (versions 2.5 and 2.6) contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required. | |||||
| CVE-2021-36037 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2022-04-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure. | |||||
| CVE-2021-28626 | 1 Adobe | 1 Experience Manager | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Experience Manager Cloud Service offering, as well as versions 6.5.8.0 (and below) is affected by an Improper Authorization vulnerability allowing users to create nodes under a location. An unauthenticated attacker could leverage this vulnerability to cause an application denial-of-service. Exploitation of this issue does not require user interaction. | |||||
| CVE-2021-36311 | 1 Dell | 1 Emc Networker | 2022-04-25 | 4.6 MEDIUM | 7.8 HIGH |
| Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized locations and execute it. | |||||
| CVE-2018-14662 | 4 Canonical, Debian, Opensuse and 1 more | 6 Ubuntu Linux, Debian Linux, Leap and 3 more | 2022-04-19 | 2.7 LOW | 5.7 MEDIUM |
| It was found Ceph versions before 13.2.4 that authenticated ceph users with read only permissions could steal dm-crypt encryption keys used in ceph disk encryption. | |||||
| CVE-2022-1224 | 1 Phpipam | 1 Phpipam | 2022-04-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6. | |||||
| CVE-2022-0406 | 1 Calibre-web Project | 1 Calibre-web | 2022-04-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16. | |||||
| CVE-2022-0587 | 1 Librenms | 1 Librenms | 2022-02-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Authorization in Packagist librenms/librenms prior to 22.2.0. | |||||
| CVE-2020-9061 | 4 Aeotec, Samsung, Silabs and 1 more | 6 Zw090-a, Sth-eth-200, 500 Series Firmware and 3 more | 2022-01-18 | 3.3 LOW | 6.5 MEDIUM |
| Z-Wave devices using Silicon Labs 500 and 700 series chipsets, including but not likely limited to the SiLabs UZB-7 version 7.00, ZooZ ZST10 version 6.04, Aeon Labs ZW090-A version 3.95, and Samsung STH-ETH-200 version 6.04, are susceptible to denial of service via malformed routing messages. | |||||
| CVE-2022-22269 | 1 Google | 1 Android | 2022-01-15 | 2.1 LOW | 3.3 LOW |
| Keeping sensitive data in unprotected BluetoothSettingsProvider prior to SMR Jan-2022 Release 1 allows untrusted applications to get a local Bluetooth MAC address. | |||||
| CVE-2022-22268 | 1 Google | 1 Android | 2022-01-14 | 3.6 LOW | 6.1 MEDIUM |
| Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 allows physically proximate attackers to temporary unlock the Knox Guard via Samsung DeX mode. | |||||
| CVE-2022-22267 | 1 Google | 1 Android | 2022-01-14 | 2.1 LOW | 3.3 LOW |
| Implicit Intent hijacking vulnerability in ActivityMetricsLogger prior to SMR Jan-2022 Release 1 allows attackers to get running application information. | |||||
| CVE-2021-25521 | 1 Samsung | 1 Internet | 2021-12-13 | 2.1 LOW | 3.3 LOW |
| Insecure caller check in sharevia deeplink logic prior to Samsung Internet 16.0.2 allows unstrusted applications to get current tab URL in Samsung Internet. | |||||
| CVE-2021-31384 | 1 Juniper | 10 Junos, Srx1500, Srx300 and 7 more | 2021-10-25 | 7.5 HIGH | 10.0 CRITICAL |
| Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web administrative interfaces can successfully do so from any device interface regardless of the web-management configuration and filter rules which may otherwise protect access to J-Web. This issue affects: Juniper Networks Junos OS SRX Series 20.4 version 20.4R1 and later versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 20.4R1. | |||||
| CVE-2021-25499 | 1 Samsung | 1 Galaxy Store | 2021-10-14 | 2.1 LOW | 5.5 MEDIUM |
| Intent redirection vulnerability in SamsungAccountSDKSigninActivity of Galaxy Store prior to version 4.5.32.4 allows attacker to access content provider of Galaxy Store. | |||||
| CVE-2021-41100 | 1 Wire | 1 Wire-server | 2021-10-12 | 7.5 HIGH | 9.8 CRITICAL |
| Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as means of authentication by the client for less critical requests to the backend, the ability to change the email address with a short-lived token constitutes a privilege escalation attack. Since the attacker can change the password after setting the email address to one that they control, changing the email address can result in an account takeover by the attacker. Short-lived tokens can be requested from the backend by Wire clients using the long lived tokens, after which the long lived tokens can be stored securely, for example on the devices key chain. The short lived tokens can then be used to authenticate the client towards the backend for frequently performed actions such as sending and receiving messages. While short-lived tokens should not be available to an attacker per-se, they are used more often and in the shape of an HTTP header, increasing the risk of exposure to an attacker relative to the long-lived tokens, which are stored and transmitted in cookies. If you are running an on-prem instance and provision all users with SCIM, you are not affected by this issue (changing email is blocked for SCIM users). SAML single-sign-on is unaffected by this issue, and behaves identically before and after this update. The reason is that the email address used as SAML NameID is stored in a different location in the databse from the one used to contact the user outside wire. Version 2021-08-16 and later provide a new end-point that requires both the long-lived client cookie and `Authorization` header. The old end-point has been removed. If you are running an on-prem instance with at least some of the users invited or provisioned via SAML SSO and you cannot update then you can block `/self/email` on nginz (or in any other proxies or firewalls you may have set up). You don't need to discriminate by verb: `/self/email` only accepts `PUT` and `DELETE`, and `DELETE` is almost never used. | |||||