Total
2036 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-47553 | 1 Ormazabal | 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more | 2024-11-21 | N/A | 8.6 HIGH |
| Incorrect authorisation in ekorCCP and ekorRCI, which could allow a remote attacker to obtain resources with sensitive information for the organisation, without being authenticated within the web server. | |||||
| CVE-2022-47002 | 1 Masacms | 1 Masacms | 2024-11-21 | N/A | 9.8 CRITICAL |
| A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request. | |||||
| CVE-2022-46308 | 1 Sguda | 2 U-lock, U-lock Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| SGUDA U-Lock central lock control service’s user management function has incorrect authorization. A remote attacker with general user privilege can exploit this vulnerability to call privileged APIs to access, modify and delete user information. | |||||
| CVE-2022-46307 | 1 Sguda | 2 U-lock, U-lock Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| SGUDA U-Lock central lock control service’s lock management function has incorrect authorization. A remote attacker with general privilege can exploit this vulnerability to call privileged APIs to acquire information, manipulate or disrupt the functionality of arbitrary electronic locks. | |||||
| CVE-2022-46167 | 1 Clastix | 1 Capsule | 2024-11-21 | N/A | 8.8 HIGH |
| Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule Operator and removing all the enforcement like Pod Security annotations, Network Policies, Limit Range and Resource Quota items. An attacker could detach the Namespace from a Tenant that is forbidding starting privileged Pods using the Pod Security labels by removing the OwnerReference, removing the enforcement labels, and being able to start privileged containers that would be able to start a generic Kubernetes privilege escalation. Patches have been released for version 0.1.3. No known workarounds are available. | |||||
| CVE-2022-46160 | 1 Enalean | 1 Tuleap | 2024-11-21 | N/A | 4.3 MEDIUM |
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.104, project level authorizations are not properly verified when accessing the project "homepage"/dashboards. Users not authorized to access a project may still be able to get some information provided by the widgets (e.g. number of members, content of the Notes widget...). This issue has been patched in Tuleap Community Edition 14.2.99.104, Tuleap Enterprise Edition 14.2-4, and Tuleap Enterprise Edition 14.1-5. | |||||
| CVE-2022-46080 | 1 Nexxtsolutions | 2 Nebula1200-ac, Nebula1200-ac Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Nexxt Nebula 1200-AC 15.03.06.60 allows authentication bypass and command execution by using the HTTPD service to enable TELNET. | |||||
| CVE-2022-45544 | 1 Schlix | 1 Cms | 2024-11-21 | N/A | 8.8 HIGH |
| Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally allowed to upload new executable PHP code, such as a theme that was obtained from a trusted source or was developed for their own website. Only an admin can upload such code, not someone else in an "attacker" role. | |||||
| CVE-2022-45435 | 1 Sailpoint | 1 Identityiq | 2024-11-21 | N/A | 6.8 MEDIUM |
| IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration. | |||||
| CVE-2022-45353 | 1 Muffingroup | 1 Betheme | 2024-11-21 | N/A | 4.3 MEDIUM |
| Broken Access Control in Betheme theme <= 26.6.1 on WordPress. | |||||
| CVE-2022-45128 | 1 Intel | 1 Endpoint Management Assistant | 2024-11-21 | N/A | 5.0 MEDIUM |
| Improper authorization in the Intel(R) EMA software before version 1.9.0.0 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2022-43940 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2024-11-21 | N/A | 8.8 HIGH |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service. | |||||
| CVE-2022-43872 | 2 Ibm, Linux | 4 Aix, Financial Transaction Manager, Linux On Ibm Z and 1 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| IBM Financial Transaction Manager 3.2.4 authorization checks are done incorrectly for some HTTP requests which allows getting unauthorized technical information (e.g. event log entries) about the FTM SWIFT system. IBM X-Force ID: 239708. | |||||
| CVE-2022-43770 | 1 Hitachivantara | 1 Pentaho Business Analytics | 2024-11-21 | N/A | 5.4 MEDIUM |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. | |||||
| CVE-2022-43515 | 1 Zabbix | 1 Frontend | 2024-11-21 | N/A | 5.3 MEDIUM |
| Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range. | |||||
| CVE-2022-43465 | 1 Intel | 1 Setup And Configuration Software | 2024-11-21 | N/A | 5.0 MEDIUM |
| Improper authorization in the Intel(R) SCS software all versions may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2022-43438 | 1 Easy Test Project | 1 Easy Test | 2024-11-21 | N/A | 8.8 HIGH |
| The Administrator function of EasyTest has an Incorrect Authorization vulnerability. A remote attacker authenticated as a general user can exploit this vulnerability to bypass the intended access restrictions, to make API functions calls, manipulate system and terminate service. | |||||
| CVE-2022-42724 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-11-21 | N/A | 4.3 MEDIUM |
| app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have). | |||||
| CVE-2022-42351 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2024-11-21 | N/A | 4.3 MEDIUM |
| Adobe Experience Manager version 6.5.14 (and earlier) is affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to disclose low level confidentiality information. Exploitation of this issue does not require user interaction. | |||||
| CVE-2022-42344 | 2 Adobe, Magento | 2 Commerce, Magento | 2024-11-21 | N/A | 8.8 HIGH |
| Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this vulnerability to achieve information exposure and privilege escalation. | |||||