Total
406 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-40521 | 1 Qualcomm | 484 315 5g Iot Modem, 315 5g Iot Modem Firmware, 8953pro and 481 more | 2024-11-21 | N/A | 7.5 HIGH |
| Transient DOS due to improper authorization in Modem | |||||
| CVE-2022-3187 | 1 Dataprobe | 24 Iboot-pdu4-n20, Iboot-pdu4-n20 Firmware, Iboot-pdu4a-n15 and 21 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where certain PHP pages only validate when a valid connection is established with the database. However, these PHP pages do not verify the validity of a user. Attackers could leverage this lack of verification to read the state of outlets. | |||||
| CVE-2022-31168 | 1 Zulip | 1 Zulip | 2024-11-21 | N/A | 5.4 MEDIUM |
| Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots. | |||||
| CVE-2022-30670 | 2 Adobe, Microsoft | 2 Robohelp Server, Windows | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| RoboHelp Server earlier versions than RHS 11 Update 3 are affected by an Improper Authorization vulnerability which could lead to privilege escalation. An authenticated attacker could leverage this vulnerability to achieve full administrator privileges. Exploitation of this issue does not require user interaction. | |||||
| CVE-2022-2901 | 1 Chatwoot | 1 Chatwoot | 2024-11-21 | N/A | 7.1 HIGH |
| Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8. | |||||
| CVE-2022-2595 | 1 Kromit | 1 Titra | 2024-11-21 | N/A | 10.0 CRITICAL |
| Improper Authorization in GitHub repository kromitgmbh/titra prior to 0.79.1. | |||||
| CVE-2022-29236 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds. | |||||
| CVE-2022-29234 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds. | |||||
| CVE-2022-29233 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds. | |||||
| CVE-2022-23542 | 1 Openfga | 1 Openfga | 2024-11-21 | N/A | 7.7 HIGH |
| OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible. | |||||
| CVE-2022-0860 | 2 Cobbler Project, Fedoraproject | 2 Cobbler, Fedora | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. | |||||
| CVE-2022-0829 | 1 Webmin | 1 Webmin | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Improper Authorization in GitHub repository webmin/webmin prior to 1.990. | |||||
| CVE-2022-0587 | 1 Librenms | 1 Librenms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Authorization in Packagist librenms/librenms prior to 22.2.0. | |||||
| CVE-2021-32688 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2024-11-21 | 7.5 HIGH | 8.8 HIGH |
| Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading. | |||||
| CVE-2020-6311 | 1 Sap | 2 Bank Analyzer, S\/4hana For Financial Products Subledger | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Banking services from SAP 9.0 (Bank Analyzer), version - 500, and SAP S/4HANA for financial products subledger, version ? 100, does not correctly perform necessary authorization checks for an authenticated user due to Improper Authorization checks, that may cause a system administrator to create incorrect authorization proposals. This may result in privilege escalation and may expose restricted banking data. | |||||
| CVE-2020-24431 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2024-11-21 | 5.8 MEDIUM | 4.4 MEDIUM |
| Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) for macOS are affected by a security feature bypass that could result in dynamic library code injection by the Adobe Reader process. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2019-18827 | 1 Barco | 8 Clickshare Cs-100, Clickshare Cs-100 Firmware, Clickshare Cse-200 and 5 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| On Barco ClickShare Button R9861500D01 devices (before firmware version 1.9.0) JTAG access is disabled after ROM code execution. This means that JTAG access is possible when the system is running code from ROM before handing control over to embedded firmware. | |||||
| CVE-2019-14828 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role. | |||||
| CVE-2019-10159 | 1 Redhat | 2 Cfme-gemset, Cloudforms | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged user can access all VM migration logs available. | |||||
| CVE-2018-20945 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 7.9 HIGH | 5.7 MEDIUM |
| bin/csvprocess in cPanel before 68.0.27 allows insecure file operations (SEC-354). | |||||