Total
653 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-4798 | 1 Usememos | 1 Memos | 2024-08-03 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | ||||
| CVE-2022-4686 | 1 Usememos | 1 Memos | 2024-08-03 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0. | ||||
| CVE-2022-4505 | 1 Open-emr | 1 Openemr | 2024-08-03 | 8.8 High |
| Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.2. | ||||
| CVE-2022-4097 | 1 Updraftplus | 1 All-in-one Security | 2024-08-03 | 5.3 Medium |
| The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more). | ||||
| CVE-2022-3995 | 1 Standalonetech | 1 Terawallet | 2024-08-03 | 4.3 Medium |
| The TeraWallet plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.4.3. This is due to insufficient validation of the user-controlled key on the lock_unlock_terawallet AJAX action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to lock/unlock other users wallets. | ||||
| CVE-2022-3876 | 1 Clickstudios | 1 Passwordstate | 2024-08-03 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This issue affects some unknown processing of the file /api/browserextension/UpdatePassword/ of the component API. The manipulation of the argument PasswordID leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier VDB-216245 was assigned to this vulnerability. | ||||
| CVE-2022-3589 | 1 Miele | 1 Appwash | 2024-08-03 | 8.1 High |
| An API Endpoint used by Miele's "AppWash" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability. | ||||
| CVE-2022-3413 | 1 Gitlab | 1 Gitlab | 2024-08-03 | 4.3 Medium |
| Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above. | ||||
| CVE-2022-3331 | 1 Gitlab | 1 Gitlab | 2024-08-03 | 3.5 Low |
| An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues. | ||||
| CVE-2022-3282 | 1 Codedropz | 1 Drag And Drop Multiple File Upload - Contact Form 7 | 2024-08-03 | 4.3 Medium |
| The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form. | ||||
| CVE-2022-3019 | 1 Tooljet | 1 Tooljet | 2024-08-03 | 8.8 High |
| The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that we can see (bruteforcing comment id's might also be an option but I wouldn't count on it, since it would take a long time to find a valid one). | ||||
| CVE-2022-2913 | 1 Login No Captcha Recaptcha Project | 1 Login No Captcha Recaptcha | 2024-08-03 | 4.3 Medium |
| The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. | ||||
| CVE-2022-2877 | 1 Cm-wp | 1 Titan Anti-spam \& Security | 2024-08-03 | 5.3 Medium |
| The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers. | ||||
| CVE-2022-2828 | 1 Octopus | 1 Octopus Server | 2024-08-03 | 6.5 Medium |
| In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability | ||||
| CVE-2022-2824 | 1 Open-emr | 1 Openemr | 2024-08-03 | 8.8 High |
| Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1. | ||||
| CVE-2022-2730 | 1 Open-emr | 1 Openemr | 2024-08-03 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1. | ||||
| CVE-2022-2535 | 1 Searchwp | 1 Searchwp Live Ajax Search | 2024-08-03 | 5.3 Medium |
| The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink | ||||
| CVE-2022-2499 | 1 Gitlab | 1 Gitlab | 2024-08-03 | 3.5 Low |
| An issue has been discovered in GitLab EE affecting all versions starting from 13.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab's Jira integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Jira issues. | ||||
| CVE-2022-2367 | 1 Wsm Downloader Project | 1 Wsm Downloader | 2024-08-03 | 7.5 High |
| The WSM Downloader WordPress plugin through 1.4.0 allows only specific popular websites to download images/files from, this can be bypassed due to the lack of good "link" parameter validation | ||||
| CVE-2022-2312 | 1 Student Result Or Employee Database Project | 1 Student Result Or Employee Database | 2024-08-03 | 5.4 Medium |
| The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting | ||||