Total
2061 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-35487 | 1 Zammad | 1 Zammad | 2024-11-21 | N/A | 7.5 HIGH |
| Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files. | |||||
| CVE-2022-34814 | 1 Jenkins | 1 Request Rename Or Delete | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page listing pending requests. | |||||
| CVE-2022-34785 | 1 Jenkins | 1 Build-metrics | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins build-metrics Plugin 1.3 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them. | |||||
| CVE-2022-34782 | 1 Jenkins | 1 Requests | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests. | |||||
| CVE-2022-34397 | 1 Dell | 3 Evasa Provider Virtual Appliance, Solutions Enabler Virtual Appliance, Unisphere For Powermax Virtual Appliance | 2024-11-21 | N/A | 6.9 MEDIUM |
| Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 10.0.0.5 and below contains an authorization bypass vulnerability, allowing users to perform actions in which they are not authorized. | |||||
| CVE-2022-34255 | 2 Adobe, Magento | 2 Commerce, Magento | 2024-11-21 | N/A | 8.8 HIGH |
| Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account could leverage this vulnerability to perform an account takeover for a victim. Exploitation of this issue does not require user interaction. | |||||
| CVE-2022-34180 | 1 Jenkins | 1 Embeddable Build Status | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build. | |||||
| CVE-2022-34046 | 1 Wavlink | 2 Wn533a8, Wn533a8 Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);]. | |||||
| CVE-2022-33718 | 1 Google | 1 Android | 2024-11-21 | N/A | 6.2 MEDIUM |
| An improper access control vulnerability in Wi-Fi Service prior to SMR AUG-2022 Release 1 allows untrusted applications to manipulate the list of apps that can use mobile data. | |||||
| CVE-2022-33174 | 1 Powertekpdus | 14 Basic Pdu, Basic Pdu Firmware, Piml Pdu and 11 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allows remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext. | |||||
| CVE-2022-32532 | 1 Apache | 1 Shiro | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. | |||||
| CVE-2022-32310 | 1 Ingredient Stock Management System Project | 1 Ingredient Stock Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An access control issue in Ingredient Stock Management System v1.0 allows attackers to take over user accounts via a crafted POST request to /isms/classes/Users.php. | |||||
| CVE-2022-32294 | 1 Zimbra | 1 Collaboration | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port). NOTE: a third party reports that this cannot be reproduced. | |||||
| CVE-2022-32290 | 1 Northern.tech | 1 Mender | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
| The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the device. However, it listens on all network interfaces instead of only the localhost interface. Therefore, any client on the same network can connect to this TCP port and send HTTP requests. The Mender Client will forward these requests to the Mender Server. Additionally, if mTLS is set up, the Mender Client will connect to the Mender Server using the device's client certificate, making it possible for the attacker to bypass mTLS authentication and send requests to the Mender Server without direct access to the client certificate and related private key. Accessing the HTTP proxy from the local network doesn't represent a direct threat, because it doesn't expose any device or server-specific data. However, it increases the attack surface and can be a potential vector to exploit other vulnerabilities both on the Client and the Server. | |||||
| CVE-2022-31589 | 1 Sap | 3 Erp Financial Accounting, Erp Localization For Cee Countries, S\/4hana | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to data that would otherwise be restricted. | |||||
| CVE-2022-31252 | 2 Opensuse, Suse | 3 Leap, Leap Micro, Linux Enterprise Server | 2024-11-21 | N/A | 4.4 MEDIUM |
| A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to 20200127. openSUSE Leap 15.4 permissions versions prior to 20201225. openSUSE Leap Micro 5.2 permissions versions prior to 20181225. | |||||
| CVE-2022-31190 | 1 Duraspace | 1 Dspace | 2024-11-21 | N/A | 5.3 MEDIUM |
| DSpace open source software is a repository application which provides durable access to digital resources. dspace-xmlui is a UI component for DSpace. In affected versions metadata on a withdrawn Item is exposed via the XMLUI "mets.xml" object, as long as you know the handle/URL of the withdrawn Item. This vulnerability only impacts the XMLUI. Users are advised to upgrade to version 6.4 or newer. | |||||
| CVE-2022-31178 | 1 Elabftw | 1 Elabftw | 2024-11-21 | N/A | 4.3 MEDIUM |
| eLabFTW is an electronic lab notebook manager for research teams. A vulnerability was discovered which allows a logged in user to read a template without being authorized to do so. This vulnerability has been patched in 4.3.4. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-31168 | 1 Zulip | 1 Zulip | 2024-11-21 | N/A | 5.4 MEDIUM |
| Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots. | |||||
| CVE-2022-31155 | 1 Sourcegraph | 1 Sourcegraph | 2024-11-21 | N/A | 4.3 MEDIUM |
| Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users’ saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users’ saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended. | |||||