Total
5148 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-2377 | 1 Wpwax | 1 Directorist | 2024-11-21 | 4.3 Medium |
| The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog | ||||
| CVE-2022-2376 | 1 Wpwax | 1 Directorist | 2024-11-21 | 5.3 Medium |
| The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users | ||||
| CVE-2022-2373 | 1 Nsqua | 1 Simply Schedule Appointments | 2024-11-21 | 5.3 Medium |
| The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address | ||||
| CVE-2022-2370 | 1 Yaycommerce | 1 Yaysmtp | 2024-11-21 | 6.5 Medium |
| The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them | ||||
| CVE-2022-2369 | 1 Yaycommerce | 1 Yaysmtp | 2024-11-21 | 4.3 Medium |
| The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin | ||||
| CVE-2022-2350 | 1 Brainvire | 1 Disable User Login | 2024-11-21 | 5.3 Medium |
| The Disable User Login WordPress plugin through 1.0.1 does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block (or unblock) users at will. | ||||
| CVE-2022-2276 | 1 Wp Edit Menu Project | 1 Wp Edit Menu | 2024-11-21 | 4.3 Medium |
| The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog | ||||
| CVE-2022-29906 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 9.8 Critical |
| The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user. | ||||
| CVE-2022-29611 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 8.8 High |
| SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | ||||
| CVE-2022-29051 | 1 Jenkins | 1 Publish Over Ftp | 2024-11-21 | 4.3 Medium |
| Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. | ||||
| CVE-2022-28993 | 1 Bdtask | 1 Multi Store Inventory Management System | 2024-11-21 | 9.8 Critical |
| Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request. | ||||
| CVE-2022-28866 | 1 Nokia | 1 Airframe Bmc Web Gui R18 Firmware | 2024-11-21 | 8.8 High |
| Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/* and /api/settings/*. By not verifying the permissions for access to resources, it allows a potential attacker to view pages, with sensitive data, that are not allowed, and modify system configurations also causing DoS, which should be accessed only by user with administration profile, bypassing all controls (without checking for user identity). | ||||
| CVE-2022-28789 | 1 Samsung | 1 Voice Note | 2024-11-21 | 6.2 Medium |
| Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction. The patch adds proper permission for vulnerable activities. | ||||
| CVE-2022-28158 | 1 Jenkins | 1 Pipeline\ | 2024-11-21 | 6.5 Medium |
| A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | ||||
| CVE-2022-28151 | 1 Jenkins | 1 Job And Node Ownership | 2024-11-21 | 4.3 Medium |
| A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job. | ||||
| CVE-2022-28147 | 1 Jenkins | 1 Continuous Integration With Toad Edge | 2024-11-21 | 4.3 Medium |
| A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | ||||
| CVE-2022-28144 | 1 Jenkins | 1 Proxmox | 2024-11-21 | 6.5 Medium |
| Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters. | ||||
| CVE-2022-28139 | 1 Jenkins | 1 Rocketchat Notifier | 2024-11-21 | 4.3 Medium |
| A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | ||||
| CVE-2022-28137 | 1 Jenkins | 1 Jiratestresultreporter | 2024-11-21 | 4.3 Medium |
| A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | ||||
| CVE-2022-28134 | 1 Jenkins | 1 Bitbucket Server Integration | 2024-11-21 | 5.4 Medium |
| Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers. | ||||