Total
2641 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20407 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-03-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check. | |||||
| CVE-2020-14185 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2. | |||||
| CVE-2019-15013 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check. | |||||
| CVE-2019-8445 | 1 Atlassian | 1 Jira Server | 2022-03-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check. | |||||
| CVE-2019-3399 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 5.0 MEDIUM | 7.5 HIGH |
| The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check. | |||||
| CVE-2021-24950 | 1 Thememove | 1 Insight Core | 2022-03-20 | 3.5 LOW | 5.4 MEDIUM |
| The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks | |||||
| CVE-2022-26104 | 1 Sap | 1 Financial Consolidation | 2022-03-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Financial Consolidation - version 10.1, does not perform necessary authorization checks for updating homepage messages, resulting for an unauthorized user to alter the maintenance system message. | |||||
| CVE-2022-26103 | 1 Sap | 1 Netweaver Application Server Java | 2022-03-18 | 4.3 MEDIUM | 5.3 MEDIUM |
| Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks. | |||||
| CVE-2022-23709 | 1 Elastic | 1 Kibana | 2022-03-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules. | |||||
| CVE-2022-0163 | 1 Rednao | 1 Smart Forms | 2022-03-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form. | |||||
| CVE-2021-41112 | 1 Pagerduty | 1 Rundeck | 2022-03-10 | 5.5 MEDIUM | 8.1 HIGH |
| Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds. | |||||
| CVE-2021-25042 | 1 Plugins-market | 1 Wp Visitor Statistics \(real Time Traffic\) | 2022-03-08 | 3.5 LOW | 5.4 MEDIUM |
| The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin | |||||
| CVE-2022-24594 | 1 Waline | 1 Waline | 2022-03-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address. | |||||
| CVE-2021-25084 | 1 Bracketspace | 1 Advanced Cron Manager | 2022-03-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Advanced Cron Manager WordPress plugin before 2.4.2 and Advanced Cron Manager Pro WordPress plugin before 2.5.3 do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example | |||||
| CVE-2021-25075 | 1 Wpdevart | 1 Duplicate Page Or Post | 2022-02-28 | 3.5 LOW | 3.5 LOW |
| The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-25014 | 1 Vowelweb | 1 Ibtana | 2022-02-22 | 3.5 LOW | 3.5 LOW |
| The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue. | |||||
| CVE-2019-10184 | 2 Netapp, Redhat | 7 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 4 more | 2022-02-20 | 5.0 MEDIUM | 7.5 HIGH |
| undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. | |||||
| CVE-2021-25018 | 1 Najeebmedia | 1 Ppom For Woocommerce | 2022-02-19 | 3.5 LOW | 5.4 MEDIUM |
| The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues | |||||
| CVE-2022-24317 | 1 Schneider-electric | 1 Interactive Graphical Scada System Data Server | 2022-02-17 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-862: Missing Authorization vulnerability exists that could cause information exposure when an attacker sends a specific message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) | |||||
| CVE-2022-23617 | 1 Xwiki | 1 Xwiki | 2022-02-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit right can copy the content of a page it does not have access to by using it as template of a new page. This issue has been patched in XWiki 13.2CR1 and 12.10.6. Users are advised to update. There are no known workarounds for this issue. | |||||