Total
3290 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-26429 | 2 Google, Mediatek | 42 Android, Mt6580, Mt6735 and 39 more | 2024-08-03 | 7.8 High |
| In cta, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07025415; Issue ID: ALPS07025415. | ||||
| CVE-2022-26102 | 1 Sap | 1 Netweaver Application Server Abap | 2024-08-03 | 5.4 Medium |
| Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application. | ||||
| CVE-2022-26104 | 1 Sap | 1 Financial Consolidation | 2024-08-03 | 5.3 Medium |
| SAP Financial Consolidation - version 10.1, does not perform necessary authorization checks for updating homepage messages, resulting for an unauthorized user to alter the maintenance system message. | ||||
| CVE-2022-26103 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-03 | 5.3 Medium |
| Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks. | ||||
| CVE-2022-25810 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-08-03 | 6.5 Medium |
| The Transposh WordPress Translation WordPress plugin through 1.0.8 exposes a couple of sensitive actions such has “tp_reset” under the Utilities tab (/wp-admin/admin.php?page=tp_utils), which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and backup/restore operations. | ||||
| CVE-2022-25342 | 1 Olivetti | 2 D-color Mf3555, D-color Mf3555 Firmware | 2024-08-03 | 8.1 High |
| An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Broken Access Control. It does not properly validate requests for access to data and functionality under the /mngset/authset path. By not verifying permissions for access to resources, it allows a potential attacker to view pages that are not allowed. | ||||
| CVE-2022-25201 | 1 Jenkins | 1 Checkmarx | 2024-08-03 | 6.5 Medium |
| Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2022-25199 | 1 Jenkins | 1 Scp Publisher | 2024-08-03 | 8.8 High |
| A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials. | ||||
| CVE-2022-25208 | 1 Jenkins | 1 Chef Sinatra | 2024-08-03 | 8.8 High |
| A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response. | ||||
| CVE-2022-25206 | 1 Jenkins | 1 Dbcharts | 2024-08-03 | 8.8 High |
| A missing check in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified database via JDBC using attacker-specified credentials. | ||||
| CVE-2022-25193 | 1 Jenkins | 1 Snow Commander | 2024-08-03 | 6.5 Medium |
| Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2022-25195 | 1 Jenkins | 1 Autonomiq | 2024-08-03 | 4.3 Medium |
| A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | ||||
| CVE-2022-25211 | 1 Jenkins | 1 Swamp | 2024-08-03 | 8.8 High |
| A missing permission check in Jenkins SWAMP Plugin 1.2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server using attacker-specified credentials. | ||||
| CVE-2022-24896 | 1 Enalean | 1 Tuleap | 2024-08-03 | 4.3 Medium |
| Tuleap is a Free & Open Source Suite to manage software developments and collaboration. In versions prior to 13.7.99.239 Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets. Malicious users could use this vulnerability to retrieve the name of a tracker they cannot access as well as the name of the fields used in reports. | ||||
| CVE-2022-24594 | 1 Waline | 1 Waline | 2024-08-03 | 5.3 Medium |
| In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address. | ||||
| CVE-2022-24450 | 2 Nats, Redhat | 3 Nats Server, Nats Streaming Server, Acm | 2024-08-03 | 8.8 High |
| NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature. | ||||
| CVE-2022-24317 | 1 Schneider-electric | 1 Interactive Graphical Scada System Data Server | 2024-08-03 | 7.5 High |
| A CWE-862: Missing Authorization vulnerability exists that could cause information exposure when an attacker sends a specific message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) | ||||
| CVE-2022-24190 | 1 Sz-fujia | 1 Ourphoto | 2024-08-03 | 7.5 High |
| The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction. | ||||
| CVE-2022-23945 | 1 Apache | 1 Shenyu | 2024-08-03 | 7.5 High |
| Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. | ||||
| CVE-2022-23944 | 1 Apache | 1 Shenyu | 2024-08-03 | 9.1 Critical |
| User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. | ||||