Total
3290 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-23709 | 1 Elastic | 1 Kibana | 2024-08-03 | 4.3 Medium |
| A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules. | ||||
| CVE-2022-23642 | 1 Sourcegraph | 1 Sourcegraph | 2024-08-03 | 8.8 High |
| Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy, and fails to properly restrict calling `git config`. This allows an attacker to set the git `core.sshCommand` option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected. | ||||
| CVE-2022-23617 | 1 Xwiki | 1 Xwiki | 2024-08-03 | 6.5 Medium |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit right can copy the content of a page it does not have access to by using it as template of a new page. This issue has been patched in XWiki 13.2CR1 and 12.10.6. Users are advised to update. There are no known workarounds for this issue. | ||||
| CVE-2022-23621 | 1 Xwiki | 1 Xwiki | 2024-08-03 | 5.5 Medium |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`. This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT right. | ||||
| CVE-2022-23183 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2024-08-03 | 6.5 Medium |
| Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission. | ||||
| CVE-2022-23180 | 1 Themehunk | 1 Contact Form \& Lead Form Elementor Builder | 2024-08-03 | 4.3 Medium |
| The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings | ||||
| CVE-2022-23112 | 1 Jenkins | 1 Publish Over Ssh | 2024-08-03 | 6.5 Medium |
| A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials. | ||||
| CVE-2022-22854 | 1 Hospital\'s Patient Records Management System Project | 1 Hospital\'s Patient Records Management System | 2024-08-03 | 8.8 High |
| An access control issue in hprms/admin/?page=user/list of Hospital Patient Record Management System v1.0 allows attackers to escalate privileges via accessing and editing the user list. | ||||
| CVE-2022-22535 | 1 Sap | 1 Erp Human Capital Management | 2024-08-03 | 6.5 Medium |
| SAP ERP HCM Portugal - versions 600, 604, 608, does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads the payroll information, the attacker can neither modify any information nor cause availability impacts. | ||||
| CVE-2022-22111 | 1 Daybydaycrm | 1 Daybyday Crm | 2024-08-03 | 8.8 High |
| In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highest privileged user in the application. | ||||
| CVE-2022-22108 | 1 Daybydaycrm | 1 Daybyday Crm | 2024-08-03 | 4.3 Medium |
| In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information. | ||||
| CVE-2022-22107 | 1 Daybydaycrm | 1 Daybyday Crm | 2024-08-03 | 4.3 Medium |
| In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all. | ||||
| CVE-2022-21953 | 1 Suse | 1 Rancher | 2024-08-03 | 7.4 High |
| A Missing Authorization vulnerability in of SUSE Rancher allows authenticated user to create an unauthorized shell pod and kubectl access in the local cluster This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. | ||||
| CVE-2022-21777 | 2 Google, Mediatek | 42 Android, Mt6580, Mt6735 and 39 more | 2024-08-03 | 7.8 High |
| In Autoboot, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06713894; Issue ID: ALPS06713894. | ||||
| CVE-2022-21764 | 2 Google, Mediatek | 45 Android, Mt6739, Mt6761 and 42 more | 2024-08-03 | 5.5 Medium |
| In telecom service, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07044717; Issue ID: ALPS07044717. | ||||
| CVE-2022-21763 | 2 Google, Mediatek | 45 Android, Mt6739, Mt6761 and 42 more | 2024-08-03 | 5.5 Medium |
| In telecom service, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07044717; Issue ID: ALPS07044708. | ||||
| CVE-2022-21749 | 2 Google, Mediatek | 55 Android, Mt6739, Mt6750 and 52 more | 2024-08-03 | 5.5 Medium |
| In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06511058; Issue ID: ALPS06511058. | ||||
| CVE-2022-21748 | 2 Google, Mediatek | 35 Android, Mt6580, Mt6735 and 32 more | 2024-08-03 | 5.5 Medium |
| In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS06511030; Issue ID: ALPS06511030. | ||||
| CVE-2022-21718 | 1 Electronjs | 1 Electron | 2024-08-03 | 3.4 Low |
| Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue. | ||||
| CVE-2022-21707 | 1 Wasmcloud | 1 Host Runtime | 2024-08-03 | 6.3 Medium |
| wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible. | ||||