Total
2136 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-39388 | 1 Istio | 1 Istio | 2024-11-21 | N/A | 7.6 HIGH |
| Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2022-39385 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 6.5 MEDIUM |
| Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This issue has been resolved in commit `a414520742` and will be included in future releases. Users are advised to upgrade. Users are also advised to set `SiteSetting.max_invites_per_day` to 0 until the patch is installed. | |||||
| CVE-2022-39352 | 1 Openfga | 1 Openfga | 2024-11-21 | N/A | 4.8 MEDIUM |
| OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation. | |||||
| CVE-2022-39337 | 1 Apache | 1 Hertzbeat | 2024-11-21 | N/A | 7.5 HIGH |
| Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue. | |||||
| CVE-2022-39322 | 1 Keystonejs | 1 Keystone | 2024-11-21 | N/A | 9.1 CRITICAL |
| @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - are vulnerable to their field-level access control not being used. List-level access control is not affected. Field-level access control for fields other than `multiselect` are not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the `multiselect` field. | |||||
| CVE-2022-39302 | 1 Ree6 | 1 Ree6 | 2024-11-21 | N/A | 5.5 MEDIUM |
| Ree6 is a moderation bot. This vulnerability would allow other server owners to create configurations such as "Better-Audit-Logging" which contain a channel from another server as a target. This would mean you could send log messages to another Guild channel and bypass raid and webhook protections. A specifically crafted log message could allow spamming and mass advertisements. This issue has been patched in version 1.9.9. There are currently no known workarounds. | |||||
| CVE-2022-39275 | 1 Saleor | 1 Saleor | 2024-11-21 | N/A | 5.3 MEDIUM |
| Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose the following information: Estimating database row counts from tables with a sequential primary key or Exposing staff user and customer email addresses and full name through the `assignNavigation()` mutation. This issue has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-39214 | 1 Combodo | 1 Itop | 2024-11-21 | N/A | 9.6 CRITICAL |
| Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1. | |||||
| CVE-2022-39031 | 1 Lcnet | 1 Smart Evision | 2024-11-21 | N/A | 5.3 MEDIUM |
| Smart eVision has insufficient authorization for task acquisition function. An unauthorized remote attacker can exploit this vulnerability to acquire the Session IDs of other general users only. | |||||
| CVE-2022-39030 | 1 Lcnet | 1 Smart Evision | 2024-11-21 | N/A | 7.5 HIGH |
| smart eVision has inadequate authorization for system information query function. An unauthenticated remote attacker, who is not explicitly authorized to access the information, can access sensitive information. | |||||
| CVE-2022-39029 | 1 Lcnet | 1 Smart Evision | 2024-11-21 | N/A | 6.5 MEDIUM |
| Smart eVision has inadequate authorization for the database query function. A remote attacker with general user privilege, who is not explicitly authorized to access the information, can access sensitive information. | |||||
| CVE-2022-37767 | 1 Pebbletemplates | 1 Pebble Templates | 2024-11-21 | N/A | 9.8 CRITICAL |
| Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok. NOTE: the vendor disputes this because input to the Pebble templating engine is intended to include arbitrary Java code, and thus either the input should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the input. The engine is not responsible for validating the input. | |||||
| CVE-2022-36634 | 1 Zkteco | 1 Zkbiosecurity V5000 | 2024-11-21 | N/A | 8.8 HIGH |
| An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request. | |||||
| CVE-2022-36126 | 1 Inductiveautomation | 1 Ignition | 2024-11-21 | N/A | 7.2 HIGH |
| An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script. | |||||
| CVE-2022-36103 | 1 Siderolabs | 1 Talos Linux | 2024-11-21 | N/A | 7.2 HIGH |
| Talos Linux is a Linux distribution built for Kubernetes deployments. Talos worker nodes use a join token to get accepted into the Talos cluster. Due to improper validation of the request while signing a worker node CSR (certificate signing request) Talos control plane node might issue Talos API certificate which allows full access to Talos API on a control plane node. Accessing Talos API with full level access on a control plane node might reveal sensitive information which allows full level access to the cluster (Kubernetes and Talos PKI, etc.). Talos API join token is stored in the machine configuration on the worker node. When configured correctly, Kubernetes workloads don't have access to the machine configuration, but due to a misconfiguration workload might access the machine configuration and reveal the join token. This problem has been fixed in Talos 1.2.2. Enabling the Pod Security Standards mitigates the vulnerability by denying hostPath mounts and host networking by default in the baseline policy. Clusters that don't run untrusted workloads are not affected. Clusters with correct Pod Security configurations which don't allow hostPath mounts, and secure access to cloud metadata server (or machine configuration is not supplied via cloud metadata server) are not affected. | |||||
| CVE-2022-36074 | 1 Nextcloud | 2 Nextcloud Enterprise Server, Nextcloud Server | 2024-11-21 | N/A | 6.4 MEDIUM |
| Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue. | |||||
| CVE-2022-36051 | 1 Zitadel | 1 Zitadel | 2024-11-21 | N/A | 8.7 HIGH |
| ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update. | |||||
| CVE-2022-36009 | 1 Matrix | 2 Dendrite, Gomatrixserverlib | 2024-11-21 | N/A | 5.0 MEDIUM |
| gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-35924 | 1 Nextauth.js | 1 Next-auth | 2024-11-21 | N/A | 9.1 CRITICAL |
| NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization. | |||||
| CVE-2022-35921 | 1 Friendsofflarum | 1 Byobu | 2024-11-21 | N/A | 3.5 LOW |
| fof/byobu is a private discussions extension for Flarum forum. Affected versions were found to not respect private discussion disablement by users. Users of Byobu should update the extension to version 1.1.7, where this has been patched. Users of Byobu with Flarum 1.0 or 1.1 should upgrade to Flarum 1.2 or later, or evaluate the impact this issue has on your forum's users and choose to disable the extension if needed. There are no workarounds for this issue. | |||||