Vulnerabilities (CVE)

Filtered by CWE-285
Total 809 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-39902 1 Samsung 2 Exynos, Exynos Firmware 2024-11-21 N/A 6.5 MEDIUM
Improper authorization in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to get sensitive information including IMEI via emergency call.
CVE-2022-39890 1 Samsung 1 Billing 2024-11-21 N/A 6.2 MEDIUM
Improper Authorization in Samsung Billing prior to version 5.0.56.0 allows attacker to get sensitive information.
CVE-2022-39883 1 Google 1 Android 2024-11-21 N/A 4.0 MEDIUM
Improper authorization vulnerability in StorageManagerService prior to SMR Nov-2022 Release 1 allows local attacker to call privileged API.
CVE-2022-39879 1 Google 1 Android 2024-11-21 N/A 5.9 MEDIUM
Improper authorization vulnerability in CallBGProvider prior to SMR Nov-2022 Release 1 allows local attacker to grant permission for accessing information with phone uid.
CVE-2022-39873 1 Samsung 1 Internet 2024-11-21 N/A 4.3 MEDIUM
Improper authorization vulnerability in Samsung Internet prior to version 18.0.4.14 allows physical attackers to add bookmarks in secret mode without user authentication.
CVE-2022-39862 2 Google, Samsung 2 Android, Dynamic Lockscreen 2024-11-21 N/A 5.3 MEDIUM
Improper authorization in Dynamic Lockscreen prior to SMR Sep-2022 Release 1 in Android R(11) and 3.3.03.66 in Android S(12) allows unauthorized use of javascript interface api.
CVE-2022-39356 1 Discourse 1 Discourse 2024-11-21 N/A 8.9 HIGH
Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scoping them to individual email addresses.
CVE-2022-39342 1 Openfga 1 Openfga 2024-11-21 N/A 5.9 MEDIUM
OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue.
CVE-2022-39341 1 Openfga 1 Openfga 2024-11-21 N/A 5.9 MEDIUM
OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (`*`) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch for this issue.
CVE-2022-39340 1 Openfga 1 Openfga 2024-11-21 N/A 5.3 MEDIUM
OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users of `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue.
CVE-2022-39329 1 Nextcloud 2 Nextcloud Enterprise Server, Nextcloud Server 2024-11-21 N/A 3.5 LOW
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contain patches for this issue. No known workarounds are available.
CVE-2022-39322 1 Keystonejs 1 Keystone 2024-11-21 N/A 9.1 CRITICAL
@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - are vulnerable to their field-level access control not being used. List-level access control is not affected. Field-level access control for fields other than `multiselect` is not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the `multiselect` field.
CVE-2022-38375 1 Fortinet 2 Fortinac, Fortinac-f 2024-11-21 N/A 9.1 CRITICAL
An improper authorization vulnerability [CWE-285] in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST requests.
CVE-2022-36876 1 Samsung 1 Samsung Pass 2024-11-21 N/A 1.8 LOW
Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10 allows physical attackers to access account list without authentication.
CVE-2022-36872 1 Samsung 2 Samsung Pay, Samsung Pay Kr 2024-11-21 N/A 5.0 MEDIUM
Pending Intent hijacking vulnerability in SpayNotification in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent.
CVE-2022-36871 1 Samsung 2 Samsung Pay, Samsung Pay Kr 2024-11-21 N/A 5.0 MEDIUM
Pending Intent hijacking vulnerability in NotiCenterUtils in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent.
CVE-2022-36870 1 Samsung 2 Samsung Pay, Samsung Pay Kr 2024-11-21 N/A 5.0 MEDIUM
Pending Intent hijacking vulnerability in MTransferNotificationManager in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent.
CVE-2022-36857 2 Google, Samsung 2 Android, Photo Editor 2024-11-21 N/A 1.9 LOW
Improper Authorization vulnerability in Photo Editor prior to SMR Sep-2022 Release 1 allows physical attackers to read internal application data.
CVE-2022-36852 1 Google 1 Android 2024-11-21 N/A 1.9 LOW
Improper Authorization vulnerability in Video Editor prior to SMR Sep-2022 Release 1 allows local attacker to access internal application data.
CVE-2022-36848 1 Google 1 Android 2024-11-21 N/A 5.1 MEDIUM
Improper Authorization vulnerability in setDualDARPolicyCmd prior to SMR Sep-2022 Release 1 allows local attackers to cause local permanent denial of service.