Total
1117 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41272 | 1 Sap | 1 Netweaver Process Integration | 2023-11-07 | N/A | 8.6 HIGH |
| An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the system, leading to a high impact on confidentiality and a limited impact on the availability and integrity of the application. | |||||
| CVE-2022-41271 | 1 Sap | 1 Netweaver Process Integration | 2023-11-07 | N/A | 9.4 CRITICAL |
| An unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration (PI) - version 7.50. This user can make use of an open naming and directory API to access services that could perform unauthorized operations. The vulnerability affects local users and data, leading to a considerable impact on confidentiality as well as availability and a limited impact on the integrity of the application. These operations can be used to: * Read any information * Modify sensitive information * Denial of Service attacks (DoS) * SQL Injection | |||||
| CVE-2022-40202 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 9.8 CRITICAL |
| The database backup function in Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior lacks proper authentication. An attacker could provide malicious serialized objects which, when deserialized, could activate an opcode for a backup scheduling function without authentication. This function allows the user to designate all function arguments and the file to be executed. This could allow the attacker to start any new process and achieve remote code execution. | |||||
| CVE-2022-3675 | 1 Redhat | 1 Fedora Coreos | 2023-11-07 | N/A | 5.5 MEDIUM |
| Fedora CoreOS supports setting a GRUB bootloader password using a Butane config. When this feature is enabled, GRUB requires a password to access the GRUB command-line, modify kernel command-line arguments, or boot non-default OSTree deployments. Recent Fedora CoreOS releases have a misconfiguration which allows booting non-default OSTree deployments without entering a password. This allows someone with access to the GRUB menu to boot into an older version of Fedora CoreOS, reverting any security fixes that have recently been applied to the machine. A password is still required to modify kernel command-line arguments and to access the GRUB command line. | |||||
| CVE-2022-3674 | 1 Sanitization Management System Project | 1 Sanitization Management System | 2023-11-07 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in SourceCodester Sanitization Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing authentication. The attack can be launched remotely. The identifier VDB-212017 was assigned to this vulnerability. | |||||
| CVE-2022-3188 | 1 Dataprobe | 24 Iboot-pdu4-n20, Iboot-pdu4-n20 Firmware, Iboot-pdu4a-n15 and 21 more | 2023-11-07 | N/A | 5.3 MEDIUM |
| Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where unauthenticated users could open PHP index pages without authentication and download the history file from the device; the history file includes the latest actions completed by specific users. | |||||
| CVE-2022-37680 | 1 Hitachi | 2 Hc-ip9100hd, Hc-ip9100hd Firmware | 2023-11-07 | N/A | 7.5 HIGH |
| An improper authentication for critical function issue in Hitachi Kokusai Electric Network products for monitoring system (Camera, Decoder and Encoder) and bellow allows attckers to remotely reboot the device via a crafted POST request to the endpoint /ptipupgrade.cgi. Security information ID hitachi-sec-2022-001 contains fixes for the issue. | |||||
| CVE-2022-2552 | 1 Snapcreek | 1 Duplicator | 2023-11-07 | N/A | 5.3 MEDIUM |
| The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. | |||||
| CVE-2022-24562 | 1 Iobit | 1 Iotransfer | 2023-11-07 | 10.0 HIGH | 9.8 CRITICAL |
| In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution. | |||||
| CVE-2022-24396 | 1 Sap | 1 Simple Diagnostics Agent | 2023-11-07 | 7.2 HIGH | 7.8 HIGH |
| The Simple Diagnostics Agent - versions 1.0 up to version 1.57, does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify, or delete sensitive information and configurations. | |||||
| CVE-2022-20861 | 1 Cisco | 1 Nexus Dashboard | 2023-11-07 | N/A | 8.8 HIGH |
| Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-20858 | 1 Cisco | 1 Nexus Dashboard | 2023-11-07 | N/A | 9.8 CRITICAL |
| Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-20857 | 1 Cisco | 1 Nexus Dashboard | 2023-11-07 | N/A | 9.8 CRITICAL |
| Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-20830 | 1 Cisco | 2 Catalyst Sd-wan Manager, Sd-wan Vmanage | 2023-11-07 | N/A | 5.3 MEDIUM |
| A vulnerability in authentication mechanism of Cisco Software-Defined Application Visibility and Control (SD-AVC) on Cisco vManage could allow an unauthenticated, remote attacker to access the GUI of Cisco SD-AVC without authentication. This vulnerability exists because the GUI is accessible on self-managed cloud installations or local server installations of Cisco vManage. An attacker could exploit this vulnerability by accessing the exposed GUI of Cisco SD-AVC. A successful exploit could allow the attacker to view managed device names, SD-AVC logs, and SD-AVC DNS server IP addresses. | |||||
| CVE-2022-1598 | 1 2code | 1 Wpqa Builder | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| The WPQA Builder WordPress plugin before 5.5 which is a companion to the Discy and Himer , lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site. | |||||
| CVE-2022-1521 | 1 Illumina | 8 Iseq 100, Local Run Manager, Miniseq and 5 more | 2023-11-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data. | |||||
| CVE-2022-0992 | 1 Siteground | 1 Security Optimizer | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5. | |||||
| CVE-2022-0188 | 1 Niteothemes | 1 Cmp | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| The CMP WordPress plugin before 4.0.19 allows any user, even not logged in, to arbitrarily change the coming soon page layout. | |||||
| CVE-2022-0140 | 1 Vfbpro | 1 Visual Form Builder | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint. | |||||
| CVE-2021-39233 | 1 Apache | 1 Ozone | 2023-11-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client. | |||||