Total: 2641 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-0588 | 1 Librenms | 1 Librenms | 2023-08-02 | 4.0 MEDIUM | 6.5 MEDIUM | Missing Authorization in Packagist librenms/librenms prior to 22.2.0. |
| CVE-2022-0579 | 1 Snipeitapp | 1 Snipe-it | 2023-08-02 | 4.0 MEDIUM | 6.5 MEDIUM | Missing Authorization in Packagist snipe/snipe-it prior to 5.3.9. |
| CVE-2022-0178 | 1 Snipeitapp | 1 Snipe-it | 2023-08-02 | 5.5 MEDIUM | 5.4 MEDIUM | Missing Authorization vulnerability in snipe snipe/snipe-it. This issue affects snipe/snipe-it before 5.3.8. |
| CVE-2023-37049 | 1 Emlog | 1 Emlog | 2023-07-31 | N/A | 6.5 MEDIUM | emlog 2.1.9 is vulnerable to arbitrary file deletion via admin\template.php. |
| CVE-2023-26301 | 1 Hp | 38 Color Laserjet Pro 4201-4203 4ra87f, Color Laserjet Pro 4201-4203 4ra87f Firmware, Color Laserjet Pro 4201-4203 4ra88f and 35 more | 2023-07-31 | N/A | 9.8 CRITICAL | Certain HP LaserJet Pro print products are potentially vulnerable to an Elevation of Privilege and/or Information Disclosure related to a lack of authentication with certain endpoints. |
| CVE-2023-33265 | 1 Hazelcast | 2 Hazelcast, Imdg | 2023-07-28 | N/A | 8.8 HIGH | In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted. |
| CVE-2023-3072 | 1 Hashicorp | 1 Nomad | 2023-07-27 | N/A | 3.8 LOW | HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10: ACL policies using a block without a label generate unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11. |
| CVE-2023-3587 | 1 Mattermost | 1 Mattermost Server | 2023-07-27 | N/A | 2.7 LOW | Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state so that any user with a valid sharing link can join the board with editor access, without the UI showing the updated permissions. |
| CVE-2023-3300 | 1 Hashicorp | 1 Nomad | 2023-07-27 | N/A | 5.3 MEDIUM | HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1: the HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1. |
| CVE-2023-2268 | 1 Plane | 1 Plane | 2023-07-26 | N/A | 7.5 HIGH | Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users. |
| CVE-2023-21247 | 1 Google | 1 Android | 2023-07-25 | N/A | 7.8 HIGH | In getAvailabilityStatus of BluetoothScanningMainSwitchPreferenceController.java, there is a possible way to bypass a device policy restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2023-21248 | 1 Google | 1 Android | 2023-07-25 | N/A | 7.8 HIGH | In getAvailabilityStatus of WifiScanningMainSwitchPreferenceController.java, there is a possible way to bypass a device policy restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2022-21707 | 1 Wasmcloud | 1 Host Runtime | 2023-07-24 | 5.5 MEDIUM | 8.1 HIGH | wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for WebAssembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors, as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible. |
| CVE-2022-21718 | 1 Electronjs | 1 Electron | 2023-07-24 | 4.0 MEDIUM | 5.0 MEDIUM | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a Bluetooth device via the Web Bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched, and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue. |
| CVE-2022-31095 | 1 Discourse | 1 Discourse-chat | 2023-07-24 | 4.0 MEDIUM | 6.5 MEDIUM | discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information, where an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup endpoint, primarily affecting direct message channels. There are no known workarounds for this issue, and users are advised to update the plugin. |
| CVE-2022-2276 | 1 Wp Edit Menu Project | 1 Wp Edit Menu | 2023-07-24 | N/A | 4.3 MEDIUM | The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF checks in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog. |
| CVE-2022-3538 | 1 Webmaster Tools Verification Project | 1 Webmaster Tools Verification | 2023-07-21 | N/A | 6.5 MEDIUM | The Webmaster Tools Verification WordPress plugin through 1.2 does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins. |
| CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2023-07-21 | N/A | 5.3 MEDIUM | The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request. |
| CVE-2022-35249 | 1 Rocket.chat | 1 Rocket.chat | 2023-07-21 | N/A | 4.3 MEDIUM | An information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room. |
| CVE-2022-36091 | 1 Xwiki | 1 Xwiki | 2023-07-21 | N/A | 7.5 HIGH | XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users, but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis, at least for string properties. The issue is patched in versions 13.10.4 and 14.2: password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though. |
