Total
8699 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-25787 | 1 Secomea | 8 Gatemanager 4250, Gatemanager 4250 Firmware, Gatemanager 4260 and 5 more | 2024-08-03 | 7.5 High |
| Information Exposure Through Query Strings in GET Request vulnerability in LMM API of Secomea GateManager allows system administrator to hijack connection. This issue affects: Secomea GateManager all versions prior to 9.7. | ||||
| CVE-2022-25823 | 1 Samsung | 1 Galaxy Watch Plugin | 2024-08-03 | 1.9 Low |
| Information Exposure vulnerability in Galaxy Watch Plugin prior to version 2.2.05.220126741 allows attackers to access user information in log. | ||||
| CVE-2022-25826 | 1 Samsung | 1 Galaxy Watch 3 Plugin | 2024-08-03 | 1.9 Low |
| Information Exposure vulnerability in Galaxy S3 Plugin prior to version 2.2.03.22012751 allows attacker to access password information of connected WiFiAp in the log | ||||
| CVE-2022-25830 | 1 Samsung | 1 Galaxy Watch 3 Plugin | 2024-08-03 | 1.9 Low |
| Information Exposure vulnerability in Galaxy Watch3 Plugin prior to version 2.2.09.22012751 allows attacker to access password information of connected WiFiAp in the log | ||||
| CVE-2022-25780 | 1 Secomea | 8 Gatemanager 4250, Gatemanager 4250 Firmware, Gatemanager 4260 and 5 more | 2024-08-03 | 4.3 Medium |
| Information Exposure vulnerability in web UI of Secomea GateManager allows logged in user to query devices outside own scope. | ||||
| CVE-2022-25512 | 1 Freetakserver-ui Project | 1 Freetakserver-ui | 2024-08-03 | 7.5 High |
| FreeTAKServer-UI v1.9.8 was discovered to leak sensitive API and Websocket keys. | ||||
| CVE-2022-25184 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift | 2024-08-03 | 6.5 Medium |
| Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs. | ||||
| CVE-2022-25166 | 1 Amazon | 1 Aws Client Vpn | 2024-08-03 | 5.0 Medium |
| An issue was discovered in Amazon AWS VPN Client 2.0.0. It is possible to include a UNC path in the OpenVPN configuration file when referencing file paths for parameters (such as auth-user-pass). When this file is imported and the client attempts to validate the file path, it performs an open operation on the path and leaks the user's Net-NTLMv2 hash to an external server. This could be exploited by having a user open a crafted malicious ovpn configuration file. | ||||
| CVE-2022-24886 | 1 Nextcloud | 1 Nextcloud | 2024-08-03 | 2.2 Low |
| Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds. | ||||
| CVE-2022-24906 | 1 Nextcloud | 1 Deck | 2024-08-03 | 3.5 Low |
| Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available. | ||||
| CVE-2022-24890 | 1 Nextcloud | 1 Talk | 2024-08-03 | 2.4 Low |
| Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds. | ||||
| CVE-2022-24866 | 1 Discourse | 1 Assign | 2024-08-03 | 4.3 Medium |
| Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds. | ||||
| CVE-2022-24865 | 1 Humhub | 1 Humhub | 2024-08-03 | 6.5 Medium |
| HumHub is an Open Source Enterprise Social Network. In affected versions users who are forced to change their password by an administrator may retrieve other users' data. This issue has been resolved by commit `eb83de20`. It is recommended that the HumHub is upgraded to 1.11.0, 1.10.4 or 1.9.4. There are no known workarounds for this issue. | ||||
| CVE-2022-24867 | 1 Glpi-project | 1 Glpi | 2024-08-03 | 7.5 High |
| GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue. | ||||
| CVE-2022-24850 | 1 Discourse | 1 Discourse | 2024-08-03 | 5.3 Medium |
| Discourse is an open source platform for community discussion. A category's group permissions settings can be viewed by anyone that has access to the category. As a result, a normal user is able to see whether a group has read/write permissions in the category even though the information should only be available to the users that can manage a category. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no workarounds for this problem. | ||||
| CVE-2022-24837 | 1 Hedgedoc | 1 Hedgedoc | 2024-08-03 | 5.3 Medium |
| HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Images uploaded with HedgeDoc version 1.9.1 and later have an enumerable filename after the upload, resulting in potential information leakage of uploaded documents. This is especially relevant for private notes and affects all upload backends, except Lutim and imgur. This issue is patched in version 1.9.3 by replacing the filename generation with UUIDv4. If you cannot upgrade to HedgeDoc 1.9.3, it is possible to block POST requests to `/uploadimage`, which will disable future uploads. | ||||
| CVE-2022-24804 | 1 Discourse | 1 Discourse | 2024-08-03 | 5.3 Medium |
| Discourse is an open source platform for community discussion. In stable versions prior to 2.8.3 and beta versions prior 2.9.0.beta4 erroneously expose groups. When a group with restricted visibility has been used to set the permissions of a category, the name of the group is leaked to any user that is able to see the category. To workaround the problem, a site administrator can remove groups with restricted visibility from any category's permissions setting. | ||||
| CVE-2022-24853 | 1 Metabase | 1 Metabase | 2024-08-03 | 5.9 Medium |
| Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8. | ||||
| CVE-2022-24849 | 1 Aitsys | 1 Discatsharp | 2024-08-03 | 6.5 Medium |
| DisCatSharp is a Discord API wrapper for .NET. Users of versions 9.8.5, 9.8.6, 9.9.0 and previously published prereleases of 10.0.0 who have used either one of the two `RequireDisCatSharpDeveloperAttribute`s or the `BaseDiscordClient.LibraryDeveloperTeam` have potentially had their bot token sent to a web server not affiliated with Discord. This server is owned and operated by DisCatSharp's development team. The tokens were not logged, yet it is still advisable to reset the tokens of potentially affected bots. 9.9.1 has been released to patch the issue for the current stable release and the current 10.0.0 prereleases are also no longer affected. Users unable to upgrade should remove all uses of the two `RequireDisCatSharpDeveloperAttribute`s and all direct calls to `BaseDiscordClient.LibraryDeveloperTeam`. | ||||
| CVE-2022-24797 | 1 Pomerium | 1 Pomerium | 2024-08-03 | 6.5 Medium |
| Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This issue is patched in version v0.17.1 Workarounds: Block access to `/debug` and `/metrics` paths on the authenticate service. This can be done with any L7 proxy, including Pomerium's own proxy service. | ||||