Total
4980 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1511 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. | |||||
| CVE-2022-1423 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.5 MEDIUM | 7.1 HIGH |
| Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches | |||||
| CVE-2022-1384 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.0 MEDIUM | 4.7 MEDIUM |
| Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities. | |||||
| CVE-2022-1329 | 1 Elementor | 1 Website Builder | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2. | |||||
| CVE-2022-1323 | 1 2code | 1 Discy | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Discy WordPress theme before 5.0 lacks authorization checks then processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as low as Subscriber,) to change Theme options by sending a crafted POST request. | |||||
| CVE-2022-1203 | 1 Content Mask Project | 1 Content Mask | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options | |||||
| CVE-2022-1092 | 1 Mycred | 1 Mycred | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog | |||||
| CVE-2022-1054 | 1 Wpchill | 1 Rsvp And Event Management | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting its entries, and has the export function hooked to the init action. As a result, unauthenticated attackers could call it and retrieve PII such as first name, last name and email address of user registered for events | |||||
| CVE-2022-1020 | 1 Codeastrology | 1 Woo Product Table | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument | |||||
| CVE-2022-0952 | 1 Sitemap Project | 1 Sitemap | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog. | |||||
| CVE-2022-0932 | 1 Saleor | 1 Saleor | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. | |||||
| CVE-2022-0919 | 1 Salonbookingsystem | 1 Salon Booking System | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it. | |||||
| CVE-2022-0905 | 1 Gitea | 1 Gitea | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
| Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4. | |||||
| CVE-2022-0885 | 1 Memberhero | 1 Member Hero | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments. | |||||
| CVE-2022-0871 | 1 Gogs | 1 Gogs | 2024-11-21 | 5.8 MEDIUM | 9.1 CRITICAL |
| Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5. | |||||
| CVE-2022-0837 | 1 Tms-outsource | 1 Amelia | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerability to drain out the account balance by keep sending SMS notification. | |||||
| CVE-2022-0833 | 1 Church Admin Project | 1 Church Admin | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data | |||||
| CVE-2022-0756 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5. | |||||
| CVE-2022-0755 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5. | |||||
| CVE-2022-0745 | 1 Likebtn | 1 Like Button Rating | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Like Button Rating WordPress plugin before 2.6.45 allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body | |||||