Total
3286 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-4223 | 2 Fedoraproject, Postgresql | 2 Fedora, Pgadmin | 2024-08-03 | 8.8 High |
| The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. The utility is executed by the server to determine what PostgreSQL version it is from. Versions of pgAdmin prior to 6.17 failed to properly secure this API, which could allow an unauthenticated user to call it with a path of their choosing, such as a UNC path to a server they control on a Windows machine. This would cause an appropriately named executable in the target path to be executed by the pgAdmin server. | ||||
| CVE-2022-4169 | 1 Theme And Plugin Translation For Polylang Project | 1 Theme And Plugin Translation For Polylang | 2024-08-03 | 6.5 Medium |
| The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings. | ||||
| CVE-2022-4148 | 1 Dash10 | 1 Oauth Server | 2024-08-03 | 4.3 Medium |
| The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.3.0 has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client. | ||||
| CVE-2022-4102 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2024-08-03 | 3.1 Low |
| The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorization and CSRF checks when deleting a template and does not ensure that the post to be deleted is a template. This could allow any authenticated users, such as subscribers, to delete arbitrary posts assuming they know the related slug. | ||||
| CVE-2022-4124 | 1 Popup Manager Project | 1 Popup Manager | 2024-08-03 | 4.3 Medium |
| The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF checks when deleting popups, which could allow unauthenticated users to delete them | ||||
| CVE-2022-4103 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2024-08-03 | 4.3 Medium |
| The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated users, such as subscriber to create a post (as well as any post type) with an arbitrary title | ||||
| CVE-2022-4024 | 1 Genetechsolutions | 1 Pie Register | 2024-08-03 | 6.5 Medium |
| The Registration Forms WordPress plugin before 3.8.1.3 does not have authorisation and CSRF when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users (along with their posts) | ||||
| CVE-2022-3999 | 1 Dpdgroup | 1 Woocommerce Shipping | 2024-08-03 | 8.1 High |
| The DPD Baltic Shipping WordPress plugin before 1.2.57 does not have authorisation and CSRF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable. | ||||
| CVE-2022-3961 | 1 Wpwax | 1 Directorist | 2024-08-03 | 6.5 Medium |
| The Directorist WordPress plugin before 7.4.4 does not prevent users with low privileges (like subscribers) from accessing sensitive system information. | ||||
| CVE-2022-3946 | 1 Collne | 1 Welcart E-commerce | 2024-08-03 | 6.5 Medium |
| The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods. | ||||
| CVE-2022-3923 | 1 Activecampaign | 1 Activecampaign For Woocommerce | 2024-08-03 | 4.3 Medium |
| The ActiveCampaign for WooCommerce WordPress plugin before 1.9.8 does not have authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated users, such as subscriber to call it and remove error logs. | ||||
| CVE-2022-3920 | 1 Hashicorp | 1 Consul | 2024-08-03 | 5.3 Medium |
| HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0. | ||||
| CVE-2022-3911 | 1 Iubenda | 1 Iubenda-cookie-law-solution | 2024-08-03 | 8.8 High |
| The iubenda WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etc | ||||
| CVE-2022-3007 | 1 Syska | 2 Sw100 Smartwatch, Sw100 Smartwatch Firmware | 2024-08-03 | 8.1 High |
| The vulnerability exists in Syska SW100 Smartwatch due to an improper implementation and/or configuration of Nordic Device Firmware Update (DFU) which is used for performing Over-The-Air (OTA) firmware updates on the Bluetooth Low Energy (BLE) devices. An unauthenticated attacker could exploit this vulnerability by setting arbitrary values to handle on the vulnerable device over Bluetooth. Successful exploitation of this vulnerability could allow the attacker to perform firmware update, device reboot or data manipulation on the target device. | ||||
| CVE-2022-3538 | 1 Webmaster Tools Verification Project | 1 Webmaster Tools Verification | 2024-08-03 | 6.5 Medium |
| The Webmaster Tools Verification WordPress plugin through 1.2 does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins | ||||
| CVE-2022-3512 | 1 Cloudflare | 1 Warp | 2024-08-03 | 6.7 Medium |
| Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint. | ||||
| CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2024-08-03 | 5.3 Medium |
| The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request | ||||
| CVE-2022-3482 | 1 Gitlab | 1 Gitlab | 2024-08-03 | 5.3 Medium |
| An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases we set to be restricted to project members only | ||||
| CVE-2022-3451 | 1 Addify | 1 Product Stock Manager | 2024-08-03 | 4.3 Medium |
| The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options | ||||
| CVE-2022-3337 | 1 Cloudflare | 1 Warp Mobile Client | 2024-08-03 | 6.7 Medium |
| It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch feature being enabled on Zero Trust Platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform. | ||||