Vulnerabilities (CVE)

Filtered by CWE-863 (Incorrect Authorization)
Total 2036 CVE
CVE  Vendors (count, names)  Products (count, names)  Updated  CVSS v2 (score, severity)  CVSS v3 (score, severity)
CVE-2022-27609 1 Forcepoint 1 One Endpoint 2024-11-21 3.6 LOW 6.0 MEDIUM
Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user disabling Forcepoint One Endpoint and the protection offered by it.
CVE-2022-27608 1 Forcepoint 1 One Endpoint 2024-11-21 3.6 LOW 6.0 MEDIUM
Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows is vulnerable to registry key tampering by users with Administrator privileges. This could result in a user disabling anti-tampering mechanisms which would then allow the user to disable Forcepoint One Endpoint and the protection offered by it.
CVE-2022-27575 1 Google 1 Android 2024-11-21 4.3 MEDIUM 3.3 LOW
Information exposure vulnerability in One UI Home prior to SMR April-2022 Release 1 allows access to information about the currently launched foreground app without permission.
CVE-2022-27551 1 Hcltechsw 1 Hcl Launch 2024-11-21 N/A 5.3 MEDIUM
HCL Launch could allow an authenticated user to obtain sensitive information in some instances due to improper security checking.
CVE-2022-27134 1 B1 1 Eosio Batdappboomx 2024-11-21 5.0 MEDIUM 7.5 HIGH
EOSIO batdappboomx v327c04cf has an Access-control vulnerability in the `transfer` function of the smart contract which allows remote attackers to win the cryptocurrency without paying ticket fee via the `std::string memo` parameter.
CVE-2022-27055 1 Ecjia 1 Daojia 2024-11-21 5.0 MEDIUM 7.5 HIGH
ecjia-daojia 1.38.1-20210202629 is vulnerable to information leakage via content/apps/installer/classes/Helper.php. When the web program is installed, a new environment file is created, and the database information is recorded, including the database record password. NOTE: the vendor disputes this because the environment file is in the data directory, which is not intended for access by website visitors (only the statics directory can be accessed by website visitors)
CVE-2022-26676 1 Aenrich 1 A+hrd 2024-11-21 7.5 HIGH 9.8 CRITICAL
aEnrich a+HRD has inadequate privilege restrictions; an unauthenticated remote attacker can use the API function to upload and execute malicious scripts to control the system or disrupt service.
CVE-2022-26668 1 Asus 1 Control Center 2024-11-21 6.4 MEDIUM 7.3 HIGH
ASUS Control Center API has a broken access control vulnerability. An unauthenticated remote attacker can call privileged API functions to perform partial system operations or cause partial disrupt of service.
CVE-2022-26629 3 Linux, Microsoft, Splus 3 Linux Kernel, Windows, Soroushplus 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
An Access Control vulnerability exists in SoroushPlus+ Messenger 1.0.30 in the Lock Screen Security Feature function due to insufficient permissions and privileges, which allows a malicious attacker to bypass the lock screen function.
CVE-2022-26563 1 Tildeslash 1 Monit 2024-11-21 N/A 8.8 HIGH
An issue was discovered in Tildeslash Monit before 5.31.0, which allows remote attackers to gain escalated privileges due to improper PAM authorization.
CVE-2022-26479 1 Poly 2 Eagleeye Director Ii, Eagleeye Director Ii Firmware 2024-11-21 N/A 9.8 CRITICAL
An issue was discovered in Poly EagleEye Director II before 2.2.2.1. Existence of a certain file (which can be created via an rsync backdoor) causes all API calls to execute as admin without authentication.
CVE-2022-25335 1 Rigoblock 1 Drago 2024-11-21 5.0 MEDIUM 7.5 HIGH
RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement date, the vulnerability will not be remediated until a major protocol upgrade occurs.
CVE-2022-25318 1 Cerebrate-project 1 Cerebrate 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups.
CVE-2022-25270 1 Drupal 1 Drupal 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
CVE-2022-24865 1 Humhub 1 Humhub 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
HumHub is an Open Source Enterprise Social Network. In affected versions, users who are forced to change their password by an administrator may retrieve other users' data. This issue has been resolved by commit `eb83de20`. It is recommended that HumHub be upgraded to 1.11.0, 1.10.4 or 1.9.4. There are no known workarounds for this issue.
CVE-2022-24841 1 Fleetdm 1 Fleet 2024-11-21 5.5 MEDIUM 6.5 MEDIUM
fleetdm/fleet is an open source device management platform built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts, are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue.
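The Fleet entry above is a scope error: the actor does hold an admin role, just not on the team being modified. The following Go program is an added illustration written for this page, not Fleet's code; the Role, User and setTeamRole names, the team IDs and the two policy functions are constructed for the example. The vulnerable policy accepts an admin role on any team as authority over the target team; the fixed policy compares the team ID of the role with the team being changed.

```go
package main

import "fmt"

// Role is a team-scoped role (constructed model; only the role names follow the advisory).
type Role string

const (
	Admin      Role = "admin"
	Maintainer Role = "maintainer"
	Observer   Role = "observer"
)

// User carries an optional global-admin flag and per-team roles.
type User struct {
	Name        string
	GlobalAdmin bool
	TeamRoles   map[int]Role // team ID -> role on that team
}

// vulnerableCanManageTeam reproduces the bug class in the advisory: holding the
// admin role on *any* team is accepted as authority over the target team.
func vulnerableCanManageTeam(actor User, targetTeam int) bool {
	if actor.GlobalAdmin {
		return true
	}
	for _, r := range actor.TeamRoles {
		if r == Admin {
			return true // BUG: the team ID of the role is never compared with targetTeam
		}
	}
	return false
}

// fixedCanManageTeam requires the admin role on the specific target team.
func fixedCanManageTeam(actor User, targetTeam int) bool {
	if actor.GlobalAdmin {
		return true
	}
	return actor.TeamRoles[targetTeam] == Admin
}

// setTeamRole grants role on targetTeam to member if policy lets actor do so.
func setTeamRole(policy func(User, int) bool, actor User, targetTeam int, member *User, role Role) error {
	if !policy(actor, targetTeam) {
		return fmt.Errorf("%s is not an admin of team %d", actor.Name, targetTeam)
	}
	if member.TeamRoles == nil {
		member.TeamRoles = map[int]Role{}
	}
	member.TeamRoles[targetTeam] = role
	return nil
}

func main() {
	const workstations, servers = 1, 2 // constructed team IDs

	// alice is admin of team 1 only and tries to make herself admin of team 2
	alice := User{Name: "alice", TeamRoles: map[int]Role{workstations: Admin}}
	err := setTeamRole(vulnerableCanManageTeam, alice, servers, &alice, Admin)
	fmt.Println("vulnerable policy:", err, alice.TeamRoles)

	bob := User{Name: "bob", TeamRoles: map[int]Role{workstations: Admin}}
	err = setTeamRole(fixedCanManageTeam, bob, servers, &bob, Admin)
	fmt.Println("fixed policy:     ", err, bob.TeamRoles)
}
```

The check that matters is the one on the target of the write, not on the actor's highest role anywhere; any policy function that ranges over the actor's roles without also keying on the resource's scope has this shape of bug.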
CVE-2022-24783 1 Deno 1 Deno 2024-11-21 7.5 HIGH 10.0 CRITICAL
Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately.
CVE-2022-24778 2 Fedoraproject, Linuxfoundation 2 Fedora, Imgcrypt 2024-11-21 5.0 MEDIUM 7.5 HIGH
The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current user is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. The verdict on unavailable layers was therefore to allow the run, on the assumption that it would fail later anyway because the layers were not available. However, this "allow" verdict let other architectures in the ManifestList run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user.
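The imgcrypt entry above describes two mistakes that combine: checking the wrong manifest (the first one rather than the host's) and failing open when layers are absent. The Go program below is an added model written for this page, not imgcrypt's code; the Platform, Manifest, ManifestList and Store types, the digests, user names and the two check functions are constructed for the example. The vulnerable check reproduces the pre-1.1.4 logic; the fixed check selects the host's manifest and treats missing layers as a denial.

```go
package main

import (
	"errors"
	"fmt"
)

// Platform identifies one OS/architecture entry of a manifest list.
type Platform struct{ OS, Arch string }

// Manifest is one platform-specific manifest and the layer digests it references.
type Manifest struct {
	Platform Platform
	Layers   []string
}

// ManifestList is a multi-architecture image index (constructed model, not an OCI index type).
type ManifestList struct{ Manifests []Manifest }

// Store models the local content store: which layers are present, and which
// user decrypted each layer (hypothetical model, not imgcrypt's API).
type Store struct {
	Present     map[string]bool
	DecryptedBy map[string]string // layer digest -> user who decrypted it
}

var (
	ErrLayerMissing = errors.New("layer not available locally")
	ErrUnauthorized = errors.New("layer was decrypted by another user; keys required")
)

// checkLayers returns nil only when every layer of m is present locally and was
// either never decrypted or decrypted by this user.
func checkLayers(st *Store, m Manifest, user string) error {
	for _, digest := range m.Layers {
		if !st.Present[digest] {
			return ErrLayerMissing
		}
		if owner, ok := st.DecryptedBy[digest]; ok && owner != user {
			return fmt.Errorf("%s: %w", digest, ErrUnauthorized)
		}
	}
	return nil
}

// vulnerableCheck mirrors the pre-1.1.4 logic described in the advisory: only the
// first manifest in the list is inspected, and a missing layer is treated as
// "allow, the run will fail later anyway".
func vulnerableCheck(st *Store, ml ManifestList, host Platform, user string) error {
	err := checkLayers(st, ml.Manifests[0], user)
	if errors.Is(err, ErrLayerMissing) {
		return nil // BUG: verdict "allow" although the host platform's layers were never examined
	}
	return err
}

// fixedCheck selects the manifest that matches the host platform and fails closed:
// missing layers and layers decrypted by someone else both deny the run.
func fixedCheck(st *Store, ml ManifestList, host Platform, user string) error {
	for _, m := range ml.Manifests {
		if m.Platform == host {
			return checkLayers(st, m, user)
		}
	}
	return fmt.Errorf("no manifest for platform %s/%s", host.OS, host.Arch)
}

// scenario builds the situation from the advisory as constructed sample data:
// the host is linux/arm64, the first list entry is linux/amd64 whose layers were
// never pulled, and the arm64 layers were decrypted earlier by user "alice".
func scenario() (*Store, ManifestList, Platform) {
	ml := ManifestList{Manifests: []Manifest{
		{Platform: Platform{OS: "linux", Arch: "amd64"}, Layers: []string{"sha256:amd64-layer-1"}},
		{Platform: Platform{OS: "linux", Arch: "arm64"}, Layers: []string{"sha256:arm64-layer-1"}},
	}}
	st := &Store{
		Present:     map[string]bool{"sha256:arm64-layer-1": true},
		DecryptedBy: map[string]string{"sha256:arm64-layer-1": "alice"},
	}
	return st, ml, Platform{OS: "linux", Arch: "arm64"}
}

func main() {
	st, ml, host := scenario()
	fmt.Println("vulnerable, user bob:", vulnerableCheck(st, ml, host, "bob"))
	fmt.Println("fixed, user bob:     ", fixedCheck(st, ml, host, "bob"))
	fmt.Println("fixed, user alice:   ", fixedCheck(st, ml, host, "alice"))
}
```

Running it shows the vulnerable path returning nil for bob, whose access to the arm64 layers was never examined, while the fixed path returns ErrUnauthorized for bob and nil for alice. The advisory's namespace-per-user workaround sidesteps the check entirely by keeping one user's decrypted layers out of another user's content store.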
CVE-2022-24755 1 Bareos 1 Bareos 2024-11-21 6.8 MEDIUM 8.1 HIGH
Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, it skips authorization checks completely. Expired accounts and accounts with expired passwords can still log in. This problem affects users that have PAM enabled. Affected versions perform no authorization (e.g. a check for expired or disabled accounts), only plain authentication (i.e. a check that username and password match). Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 implement the authorization check that was previously missing. The only workaround is to make sure that authentication fails if the user is not authorized.
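The Bareos entry above is the classic split between the two questions a PAM stack answers: pam_authenticate ("is this password correct?") and pam_acct_mgmt ("may this account be used right now?"). The Go program below is an added illustration written for this page, not Bareos' or PAM's code; the Account type, the sample users and the vulnerableLogin/fixedLogin functions are constructed for the example. It shows that a login routine which stops after the credential check admits expired and disabled accounts, and what the missing second step looks like.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Account is a minimal model of what a PAM stack tracks for a user: the credential
// plus the account-state fields that pam_acct_mgmt inspects. (Constructed model for
// this example; not Bareos' or PAM's data structures.)
type Account struct {
	Name            string
	PasswordHash    string    // hex SHA-256 of the password; a real system uses a slow KDF
	Disabled        bool
	AccountExpires  time.Time // zero value means never
	PasswordExpires time.Time // zero value means never
}

var (
	ErrBadCredentials  = errors.New("authentication failed")
	ErrAccountDisabled = errors.New("account disabled")
	ErrAccountExpired  = errors.New("account expired")
	ErrPasswordExpired = errors.New("password expired")
)

func hashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// authenticate answers only "does this password match?" (the pam_authenticate step).
func authenticate(accts map[string]Account, user, pw string) (Account, error) {
	a, ok := accts[user]
	if !ok {
		return Account{}, ErrBadCredentials
	}
	if subtle.ConstantTimeCompare([]byte(a.PasswordHash), []byte(hashPassword(pw))) != 1 {
		return Account{}, ErrBadCredentials
	}
	return a, nil
}

// authorize answers "may this account be used right now?" (the pam_acct_mgmt step).
func authorize(a Account, now time.Time) error {
	switch {
	case a.Disabled:
		return ErrAccountDisabled
	case !a.AccountExpires.IsZero() && now.After(a.AccountExpires):
		return ErrAccountExpired
	case !a.PasswordExpires.IsZero() && now.After(a.PasswordExpires):
		return ErrPasswordExpired
	}
	return nil
}

// vulnerableLogin mirrors the flaw in the advisory: authentication only, so an
// expired or disabled account with a matching password is let in.
func vulnerableLogin(accts map[string]Account, user, pw string, now time.Time) error {
	_, err := authenticate(accts, user, pw)
	return err
}

// fixedLogin requires both steps to succeed.
func fixedLogin(accts map[string]Account, user, pw string, now time.Time) error {
	a, err := authenticate(accts, user, pw)
	if err != nil {
		return err
	}
	return authorize(a, now)
}

// sampleAccounts is constructed test data: one active account, one whose account
// expired yesterday, and one whose password expired an hour ago. All share the
// password "s3cret" so the only difference between them is account state.
func sampleAccounts() (map[string]Account, time.Time) {
	now := time.Date(2022, 3, 15, 12, 0, 0, 0, time.UTC)
	h := hashPassword("s3cret")
	return map[string]Account{
		"active":  {Name: "active", PasswordHash: h},
		"expired": {Name: "expired", PasswordHash: h, AccountExpires: now.Add(-24 * time.Hour)},
		"stale":   {Name: "stale", PasswordHash: h, PasswordExpires: now.Add(-time.Hour)},
	}, now
}

func main() {
	accts, now := sampleAccounts()
	for _, u := range []string{"active", "expired", "stale"} {
		fmt.Printf("%-8s vulnerable=%v fixed=%v\n", u,
			vulnerableLogin(accts, u, "s3cret", now), fixedLogin(accts, u, "s3cret", now))
	}
}
```

The advisory's workaround ("make sure that authentication fails if the user is not authorized") amounts to collapsing the second step into the first on the PAM side, for example by not issuing credentials to expired accounts at all, since the affected Director never asks the account-management question itself.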
CVE-2022-24748 1 Shopware 1 Shopware 2024-11-21 5.0 MEDIUM 6.8 MEDIUM
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds.