Total
2641 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1054 | 1 Wpchill | 1 Rsvp And Event Management | 2022-04-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting its entries, and has the export function hooked to the init action. As a result, unauthenticated attackers could call it and retrieve PII such as first name, last name and email address of user registered for events | |||||
| CVE-2019-19985 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2022-04-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure. | |||||
| CVE-2020-13144 | 1 Edx | 1 Open Edx Platform | 2022-04-26 | 6.5 MEDIUM | 8.8 HIGH |
| Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution. | |||||
| CVE-2020-0454 | 1 Google | 1 Android | 2022-04-26 | 2.1 LOW | 5.5 MEDIUM |
| In callCallbackForRequest of ConnectivityService.java, there is a possible permission bypass due to a missing permission check. This could lead to local information disclosure of the current SSID with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9Android ID: A-161370134 | |||||
| CVE-2021-39225 | 1 Nextcloud | 1 Deck | 2022-04-25 | 5.5 MEDIUM | 8.1 HIGH |
| Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated users to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading. | |||||
| CVE-2017-18101 | 1 Atlassian | 2 Jira, Jira Server | 2022-04-22 | 6.4 MEDIUM | 6.5 MEDIUM |
| Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks. | |||||
| CVE-2019-14995 | 1 Atlassian | 1 Jira Server | 2022-04-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check. | |||||
| CVE-2020-10955 | 2 Debian, Gitlab | 2 Debian Linux, Gitlab | 2022-04-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders. | |||||
| CVE-2022-27669 | 1 Sap | 1 Netweaver Application Server For Java | 2022-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| An unauthenticated user can use functions of XML Data Archiving Service of SAP NetWeaver Application Server for Java - version 7.50, to which access should be restricted. This may result in an escalation of privileges. | |||||
| CVE-2017-12084 | 1 Meetcircle | 2 Circle With Disney, Circle With Disney Firmware | 2022-04-19 | 6.0 MEDIUM | 6.6 MEDIUM |
| A backdoor vulnerability exists in remote control functionality of Circle with Disney running firmware 2.0.1. A specific set of network packets can remotely start an SSH server on the device, resulting in a persistent backdoor. An attacker can send an API call to enable the SSH server. | |||||
| CVE-2022-0919 | 1 Salonbookingsystem | 1 Salon Booking System | 2022-04-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it. | |||||
| CVE-2019-12274 | 1 Suse | 1 Rancher | 2022-04-13 | 4.0 MEDIUM | 8.8 HIGH |
| In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml. | |||||
| CVE-2021-25087 | 1 Wpdownloadmanager | 1 Wordpress Download Manager | 2022-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| The Download Manager WordPress plugin before 3.2.35 does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25). | |||||
| CVE-2022-23183 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2022-04-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission. | |||||
| CVE-2021-3814 | 1 Redhat | 1 3scale | 2022-04-07 | 5.0 MEDIUM | 7.5 HIGH |
| It was found that 3scale's APIdocs does not validate the access token, in the case of invalid token, it uses session auth instead. This conceivably bypasses access controls and permits unauthorized information disclosure. | |||||
| CVE-2019-9924 | 5 Canonical, Debian, Gnu and 2 more | 6 Ubuntu Linux, Debian Linux, Bash and 3 more | 2022-04-05 | 7.2 HIGH | 7.8 HIGH |
| rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell. | |||||
| CVE-2021-39768 | 1 Google | 1 Android | 2022-04-05 | 4.4 MEDIUM | 7.8 HIGH |
| In Settings, there is a possible way to add an auto-connect WiFi network without the user's consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-202017876 | |||||
| CVE-2021-39758 | 1 Google | 1 Android | 2022-04-05 | 4.6 MEDIUM | 7.8 HIGH |
| In WindowManager, there is a possible way to start a foreground activity from the background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-205130886 | |||||
| CVE-2022-27658 | 1 Sap | 1 Innovation Management | 2022-04-04 | 4.3 MEDIUM | 7.5 HIGH |
| Under certain conditions, SAP Innovation management - version 2.0, allows an attacker to access information which could lead to information gathering for further exploits and attacks. | |||||
| CVE-2022-22854 | 1 Hospital\'s Patient Records Management System Project | 1 Hospital\'s Patient Records Management System | 2022-03-30 | 6.5 MEDIUM | 8.8 HIGH |
| An access control issue in hprms/admin/?page=user/list of Hospital Patient Record Management System v1.0 allows attackers to escalate privileges via accessing and editing the user list. | |||||