Total
3717 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0036 | 1 Openatom | 1 Openharmony | 2024-11-21 | N/A | 6.5 MEDIUM |
| platform_callback_stub in misc subsystem within OpenHarmony-v3.0.5 and prior versions has an authentication bypass vulnerability which allows an "SA relay attack".Local attackers can bypass authentication and attack other SAs with high privilege. | |||||
| CVE-2023-0035 | 1 Openatom | 1 Openharmony | 2024-11-21 | N/A | 6.5 MEDIUM |
| softbus_client_stub in communication subsystem within OpenHarmony-v3.0.5 and prior versions has an authentication bypass vulnerability which allows an "SA relay attack".Local attackers can bypass authentication and attack other SAs with high privilege. | |||||
| CVE-2022-4861 | 1 M-files | 1 M-files Client | 2024-11-21 | N/A | 4.8 MEDIUM |
| Incorrect implementation in authentication protocol in M-Files Client before 22.5.11356.0 allows high privileged user to get other users tokens to another resource. | |||||
| CVE-2022-4722 | 1 Ikus-soft | 1 Rdiffweb | 2024-11-21 | N/A | 7.2 HIGH |
| Authentication Bypass by Primary Weakness in GitHub repository ikus060/rdiffweb prior to 2.5.5. | |||||
| CVE-2022-4441 | 1 Hitachi | 1 Storage Plug-in | 2024-11-21 | N/A | 7.6 HIGH |
| Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation. This issue affects Hitachi Storage Plug-in for VMware vCenter: from 04.9.0 before 04.9.1. | |||||
| CVE-2022-4126 | 4 Abb, Apple, Linux and 1 more | 4 Rccmd, Macos, Linux Kernel and 1 more | 2024-11-21 | N/A | 9.6 CRITICAL |
| Use of Default Password vulnerability in ABB RCCMD on Windows, Linux, MacOS allows Try Common or Default Usernames and Passwords.This issue affects RCCMD: before 4.40 230207. | |||||
| CVE-2022-4041 | 1 Hitachi | 1 Storage Plug-in | 2024-11-21 | N/A | 5.9 MEDIUM |
| Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation. This issue affects Hitachi Storage Plug-in for VMware vCenter: from 04.8.0 before 04.9.1. | |||||
| CVE-2022-47848 | 1 Bezeq | 4 Vtech Iad604-il, Vtech Iad604-il Firmware, Vtech Nb403-il and 1 more | 2024-11-21 | N/A | 7.5 HIGH |
| An issue was discovered in Bezeq Vtech NB403-IL version BZ_2.02.07.09.13.01 and Vtech IAD604-IL versions BZ_2.02.07.09.13.01, BZ_2.02.07.09.13T, and BZ_2.02.07.09.09T, allows remote attackers to gain sensitive information via rootDesc.xml page of the UPnP service. | |||||
| CVE-2022-47508 | 1 Solarwinds | 1 Server And Application Monitor | 2024-11-21 | N/A | 7.5 HIGH |
| Customers who had configured their polling to occur via Kerberos did not expect NTLM Traffic on their environment, but since we were querying for data via IP address this prevented us from utilizing Kerberos. | |||||
| CVE-2022-46829 | 1 Jetbrains | 1 Jetbrains Gateway | 2024-11-21 | N/A | 7.1 HIGH |
| In JetBrains JetBrains Gateway before 2022.3 a client could connect without a valid token if the host consented. | |||||
| CVE-2022-46774 | 1 Ibm | 2 Manage Application, Maximo Application Suite | 2024-11-21 | N/A | 5.4 MEDIUM |
| IBM Manage Application 8.8.0 and 8.9.0 in the IBM Maximo Application Suite is vulnerable to incorrect default permissions which could give access to a user to actions that they should not have access to. IBM X-Force ID: 242953. | |||||
| CVE-2022-46773 | 1 Ibm | 3 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak | 2024-11-21 | N/A | 4.3 MEDIUM |
| IBM Robotic Process Automation 21.0.0 - 21.0.7 and 23.0.0 is vulnerable to client-side validation bypass for credential pools. Invalid credential pools may be created as a result. IBM X-Force ID: 242951. | |||||
| CVE-2022-46172 | 1 Goauthentik | 1 Authentik | 2024-11-21 | N/A | 6.4 MEDIUM |
| authentik is an open-source Identity provider focused on flexibility and versatility. In versions prior to 2022.10.4, and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it is undesirable for users to create new accounts by themselves. This may also affect other applications as these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into as no password reset exists by default. However password resets are likely to be enabled by most installations. This vulnerability pertains to the user context used in the default-user-settings-flow, /api/v3/flows/instances/default-user-settings-flow/execute/. This issue has been fixed in versions 2022.10.4 and 2022.11.4. | |||||
| CVE-2022-46170 | 1 Codeigniter | 1 Codeigniter | 2024-11-21 | N/A | 8.6 HIGH |
| CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages). This issue has been patched, please upgrade to version 4.2.11 or later. As a workaround, use only one session cookie. | |||||
| CVE-2022-46146 | 1 Prometheus | 1 Exporter Toolkit | 2024-11-21 | N/A | 6.2 MEDIUM |
| Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality. | |||||
| CVE-2022-46145 | 1 Goauthentik | 1 Authentik | 2024-11-21 | N/A | 8.1 HIGH |
| authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`. | |||||
| CVE-2022-45877 | 1 Openharmony | 1 Openharmony | 2024-11-21 | N/A | 8.3 HIGH |
| OpenHarmony-v3.1.4 and prior versions had an vulnerability. PIN code is transmitted to the peer device in plain text during cross-device authentication, which reduces the difficulty of man-in-the-middle attacks. | |||||
| CVE-2022-45860 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2024-11-21 | N/A | 5.3 MEDIUM |
| A weak authentication vulnerability [CWE-1390] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increased chance of success. | |||||
| CVE-2022-45456 | 4 Acronis, Apple, Linux and 1 more | 4 Agent, Macos, Linux Kernel and 1 more | 2024-11-21 | N/A | 7.5 HIGH |
| Denial of service due to unauthenticated API endpoint. The following products are affected: Acronis Agent (Windows, macOS, Linux) before build 30161. | |||||
| CVE-2022-45124 | 1 Wellintech | 1 Kinghistorian | 2024-11-21 | N/A | 7.5 HIGH |
| An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability. | |||||