Total
2382 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-34046 | 1 Wavlink | 2 Wn533a8, Wn533a8 Firmware | 2024-11-21 | 7.5 High |
| An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);]. | ||||
| CVE-2022-33718 | 1 Google | 1 Android | 2024-11-21 | 6.2 Medium |
| An improper access control vulnerability in Wi-Fi Service prior to SMR AUG-2022 Release 1 allows untrusted applications to manipulate the list of apps that can use mobile data. | ||||
| CVE-2022-33174 | 1 Powertekpdus | 14 Basic Pdu, Basic Pdu Firmware, Piml Pdu and 11 more | 2024-11-21 | 9.8 Critical |
| Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allows remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext. | ||||
| CVE-2022-32532 | 1 Apache | 1 Shiro | 2024-11-21 | 9.8 Critical |
| Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. | ||||
| CVE-2022-32310 | 1 Ingredient Stock Management System Project | 1 Ingredient Stock Management System | 2024-11-21 | 9.8 Critical |
| An access control issue in Ingredient Stock Management System v1.0 allows attackers to take over user accounts via a crafted POST request to /isms/classes/Users.php. | ||||
| CVE-2022-32294 | 1 Zimbra | 1 Collaboration | 2024-11-21 | 9.8 Critical |
| Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port). NOTE: a third party reports that this cannot be reproduced. | ||||
| CVE-2022-32290 | 1 Northern.tech | 1 Mender | 2024-11-21 | 4.3 Medium |
| The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the device. However, it listens on all network interfaces instead of only the localhost interface. Therefore, any client on the same network can connect to this TCP port and send HTTP requests. The Mender Client will forward these requests to the Mender Server. Additionally, if mTLS is set up, the Mender Client will connect to the Mender Server using the device's client certificate, making it possible for the attacker to bypass mTLS authentication and send requests to the Mender Server without direct access to the client certificate and related private key. Accessing the HTTP proxy from the local network doesn't represent a direct threat, because it doesn't expose any device or server-specific data. However, it increases the attack surface and can be a potential vector to exploit other vulnerabilities both on the Client and the Server. | ||||
| CVE-2022-31589 | 1 Sap | 3 Erp Financial Accounting, Erp Localization For Cee Countries, S\/4hana | 2024-11-21 | 6.5 Medium |
| Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to data that would otherwise be restricted. | ||||
| CVE-2022-31252 | 2 Opensuse, Suse | 3 Leap, Leap Micro, Linux Enterprise Server | 2024-11-21 | 4.4 Medium |
| A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to 20200127. openSUSE Leap 15.4 permissions versions prior to 20201225. openSUSE Leap Micro 5.2 permissions versions prior to 20181225. | ||||
| CVE-2022-30311 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2024-11-21 | 9.8 Critical |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-refresh-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | ||||
| CVE-2022-30310 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2024-11-21 | 9.8 Critical |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-acknerr-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | ||||
| CVE-2022-30309 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2024-11-21 | 9.8 Critical |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | ||||
| CVE-2022-30308 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2024-11-21 | 9.8 Critical |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | ||||
| CVE-2022-30016 | 1 Rescue Dispatch Management System Project | 1 Rescue Dispatch Management System | 2024-11-21 | 8.8 High |
| Rescue Dispatch Management System 1.0 is vulnerable to Incorrect Access Control via http://localhost/rdms/admin/?page=system_info. | ||||
| CVE-2022-2990 | 2 Buildah Project, Redhat | 4 Buildah, Enterprise Linux, Openshift and 1 more | 2024-11-21 | 7.1 High |
| An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. | ||||
| CVE-2022-2597 | 1 Visualportfolio | 1 Visual Portfolio\, Photo Gallery \& Post Grid | 2024-11-21 | 5.4 Medium |
| The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts | ||||
| CVE-2022-2501 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.9 Medium |
| An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing, proper permissions are still required. | ||||
| CVE-2022-2354 | 1 Wp-dbmanager Project | 1 Wp-dbmanager | 2024-11-21 | 7.2 High |
| The WP-DBManager WordPress plugin before 2.80.8 does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should. | ||||
| CVE-2022-2326 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.4 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible to gain access to a private project through an email invite by using other user's email address as an unverified secondary email. | ||||
| CVE-2022-2095 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium |
| An improper access control check in GitLab CE/EE affecting all versions starting from 13.7 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission. Note that GitLab never asks for nor stores the private key. | ||||