Total: 1438 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-22326 | 1 Ibm | 5 Datapower Gateway, Mq Appliance M2001, Mq Appliance M2001 Firmware and 2 more | 2022-08-04 | N/A | 3.3 LOW | IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could allow unauthorized viewing of logs and files due to insufficient authorization checks. IBM X-Force ID: 218856. |
| CVE-2021-24788 | 1 Batch Cat Project | 1 Batch Cat | 2022-07-30 | 4.0 MEDIUM | 6.5 MEDIUM | The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actions, which all require authentication but are available to all roles. As a result, any authenticated user (including simple subscribers) can add/set/delete arbitrary categories on posts. |
| CVE-2021-24207 | 1 Themeum | 1 Wp Page Builder | 2022-07-29 | 4.0 MEDIUM | 4.3 MEDIUM | By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts and pages; user roles must be specifically blocked from editing posts and pages. |
| CVE-2021-24405 | 1 Izsoft | 1 Easy Cookies Policy | 2022-07-28 | 4.0 MEDIUM | 6.5 MEDIUM | The Easy Cookies Policy WordPress plugin through 1.6.2 lacks any capability and CSRF check when saving its settings, allowing any authenticated user (such as a subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output on all pages of the frontend and on the backend settings page, leading to a Stored Cross-Site Scripting issue. |
| CVE-2021-43781 | 1 Inveniosoftware | 1 Invenio-drafts-resources | 2022-07-25 | 4.0 MEDIUM | 4.3 MEDIUM | Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated user is able, via REST API calls, to publish draft records of other users if they know the record identifier and the draft validates (e.g. all required fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which are part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively. |
| CVE-2021-4194 | 1 Bookstackapp | 1 Bookstack | 2022-07-25 | 4.0 MEDIUM | 6.5 MEDIUM | bookstack is vulnerable to Improper Access Control. |
| CVE-2022-36126 | 1 Inductiveautomation | 1 Ignition | 2022-07-22 | N/A | 7.2 HIGH | An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script. |
| CVE-2022-31153 | 1 Openzeppelin | 1 Contracts | 2022-07-22 | N/A | 6.5 MEDIUM | OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1. |
| CVE-2022-26479 | 1 Poly | 2 Eagleeye Director Ii, Eagleeye Director Ii Firmware | 2022-07-22 | N/A | 9.8 CRITICAL | An issue was discovered in Poly EagleEye Director II before 2.2.2.1. Existence of a certain file (which can be created via an rsync backdoor) causes all API calls to execute as admin without authentication. |
| CVE-2022-35890 | 1 Inductiveautomation | 1 Ignition | 2022-07-21 | N/A | 9.8 CRITICAL | An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy. |
| CVE-2017-10379 | 5 Debian, Mariadb, Netapp and 2 more | 17 Debian Linux, Mariadb, Active Iq Unified Manager and 14 more | 2022-07-19 | 4.0 MEDIUM | 6.5 MEDIUM | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). |
| CVE-2022-32290 | 1 Northern.tech | 1 Mender | 2022-07-14 | 3.3 LOW | 4.3 MEDIUM | The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the device. However, it listens on all network interfaces instead of only the localhost interface. Therefore, any client on the same network can connect to this TCP port and send HTTP requests. The Mender Client will forward these requests to the Mender Server. Additionally, if mTLS is set up, the Mender Client will connect to the Mender Server using the device's client certificate, making it possible for the attacker to bypass mTLS authentication and send requests to the Mender Server without direct access to the client certificate and related private key. Accessing the HTTP proxy from the local network doesn't represent a direct threat, because it doesn't expose any device or server-specific data. However, it increases the attack surface and can be a potential vector to exploit other vulnerabilities both on the Client and the Server. |
| CVE-2022-1981 | 1 Gitlab | 1 Gitlab | 2022-07-13 | 3.5 LOW | 2.7 LOW | An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintainer uses the 'Invite a group' feature to invite a group that has members who don't comply with the domain allow-list. |
| CVE-2021-42137 | 1 Zammad | 1 Zammad | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc. |
| CVE-2021-46561 | 1 Mitre | 1 Cve Services | 2022-07-12 | 6.5 MEDIUM | 7.2 HIGH | controller/org.controller/org.controller.js in the CVE Services API 1.1.1 before 5c50baf3bda28133a3bc90b854765a64fb538304 allows an organizational administrator to transfer a user account to an arbitrary new organization, and thereby achieve unintended access within the context of that new organization. |
| CVE-2020-12391 | 1 Mozilla | 1 Firefox | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH | Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin. This vulnerability affects Firefox < 76. |
| CVE-2021-27195 | 2 Microsoft, Netop | 2 Windows, Vision Pro | 2022-07-12 | 5.0 MEDIUM | 5.9 MEDIUM | Improper Authorization vulnerability in Netop Vision Pro up to and including 9.7.1 allows an attacker to replay network traffic. |
| CVE-2021-0649 | 1 Google | 1 Android | 2022-07-12 | 7.2 HIGH | 7.8 HIGH | In stopVpnProfile of Vpn.java, there is a possible VPN profile reset due to a permissions bypass. This could lead to local escalation of privilege CONTROL_ALWAYS_ON_VPN with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-191382886 |
| CVE-2021-39119 | 1 Atlassian | 2 Data Center, Jira | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM | Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0. |
| CVE-2020-27362 | 1 Akkadianlabs | 1 Akkadian Provisioning Manager | 2022-07-12 | 9.0 HIGH | 8.8 HIGH | An issue exists within the SSH console of Akkadian Provisioning Manager 4.50.02 which allows a low-level privileged user to escape the web configuration file editor and escalate privileges. |
