Total
1333 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-44719 | 1 Ucopia | 2 Wireless Appliance, Wireless Appliance Firmware | 2024-08-03 | 7.5 High |
| An issue was discovered in Weblib Ucopia before 6.0.13. The SSH Server has Insecure Permissions. | ||||
| CVE-2022-44725 | 1 Opcfoundation | 1 Local Discovery Server | 2024-08-03 | 7.8 High |
| OPC Foundation Local Discovery Server (LDS) through 1.04.403.478 uses a hard-coded file path to a configuration file. This allows a normal user to create a malicious file that is loaded by LDS (running as a high-privilege user). | ||||
| CVE-2022-44746 | 1 Acronis | 1 Cyber Protect Home Office | 2024-08-03 | 5.5 Medium |
| Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107. | ||||
| CVE-2022-44715 | 1 Netscout | 1 Ngeniusone | 2024-08-03 | 8.8 High |
| Improper File Permissions in NetScout nGeniusONE 6.3.2 build 904 allows authenticated remote users to gain permissions via a crafted payload. | ||||
| CVE-2022-44263 | 1 Dentsplysirona | 1 Sidexis | 2024-08-03 | 7.8 High |
| Dentsply Sirona Sidexis <= 4.3 is vulnerable to Incorrect Access Control. | ||||
| CVE-2022-43946 | 1 Fortinet | 1 Forticlient | 2024-08-03 | 7.3 High |
| Multiple vulnerabilities including an incorrect permission assignment for critical resource [CWE-732] vulnerability and a time-of-check time-of-use (TOCTOU) race condition [CWE-367] vulnerability in Fortinet FortiClientWindows before 7.0.7 allows attackers on the same file sharing network to execute commands via writing data into a windows pipe. | ||||
| CVE-2022-43773 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2024-08-03 | 8.8 High |
| Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is installed with a sample HSQLDB data source configured with stored procedures enabled. | ||||
| CVE-2022-43517 | 1 Siemens | 1 Star-ccm\+ | 2024-08-03 | 7.8 High |
| A vulnerability has been identified in Simcenter STAR-CCM+ (All versions < V2306). The affected application improperly assigns file permissions to installation folders. This could allow a local attacker with an unprivileged account to override or modify the service executables and subsequently gain elevated privileges. | ||||
| CVE-2022-43309 | 1 Supermicro | 292 H11dsi, H11dsi-nt, H11dsi-nt Firmware and 289 more | 2024-08-03 | 5.5 Medium |
| Supermicro X11SSL-CF HW Rev 1.01, BMC firmware v1.63 was discovered to contain insecure permissions. | ||||
| CVE-2022-42972 | 2 Microsoft, Schneider-electric | 8 Windows 10, Windows 11, Windows 7 and 5 more | 2024-08-03 | 7.8 High |
| A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could cause local privilege escalation when a local attacker modifies the webroot directory. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261) | ||||
| CVE-2022-42949 | 1 Silverstripe | 1 Subsites | 2024-08-03 | 7.5 High |
| Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions. | ||||
| CVE-2022-41926 | 1 Nextcloud | 1 Talk | 2024-08-03 | 3.3 Low |
| Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue. | ||||
| CVE-2022-41766 | 1 Mediawiki | 1 Mediawiki | 2024-08-03 | 4.3 Medium |
| An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when the user has been revision deleted/suppressed). | ||||
| CVE-2022-41699 | 1 Intel | 1 Quickassist Technology | 2024-08-03 | 8.2 High |
| Incorrect permission assignment for critical resource in some Intel(R) QAT drivers for Windows before version 1.9.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2022-41771 | 1 Intel | 1 Quickassist Technology | 2024-08-03 | 6.5 Medium |
| Incorrect permission assignment for critical resource in some Intel(R) QAT drivers for Windows before version 1.9.0 may allow an authenticated user to potentially enable information disclosure via local access. | ||||
| CVE-2022-41658 | 1 Intel | 1 Vtune Profiler | 2024-08-03 | 6.7 Medium |
| Insecure inherited permissions in the Intel(R) VTune(TM) Profiler software before version 2023.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2022-40817 | 1 Zammad | 1 Zammad | 2024-08-03 | 4.3 Medium |
| Zammad 5.2.1 has a fine-grained permission model that allows to configure read-only access to tickets. However, agents were still wrongly able to perform some operations on such tickets, like adding and removing links, tags. and related answers. This issue has been fixed in 5.2.2. | ||||
| CVE-2022-40298 | 1 Crestron | 1 Airmedia | 2024-08-03 | 8.8 High |
| Crestron AirMedia for Windows before 5.5.1.84 has insecure inherited permissions, which leads to a privilege escalation vulnerability found in the AirMedia Windows Application, version 4.3.1.39. A low privileged user can initiate a repair of the system and gain a SYSTEM level shell. | ||||
| CVE-2022-39284 | 1 Codeigniter | 1 Codeigniter | 2024-08-03 | 2.6 Low |
| CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA. | ||||
| CVE-2022-39207 | 1 Onedev Project | 1 Onedev | 2024-08-03 | 5.4 Medium |
| Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They can be accessed through OneDev's web UI after the successful run of a build. These artifact files are served by the webserver in the same context as the UI without any further restrictions. This leads to Cross-Site Scripting (XSS) when a user creates a build artifact that contains HTML. When accessing the artifact, the content is rendered by the browser, including any JavaScript that it contains. Since all cookies (except for the rememberMe one) do not set the HttpOnly flag, an attacker could steal the session of a victim and use it to impersonate them. To exploit this issue, attackers need to be able to modify the content of artifacts, which usually means they need to be able to modify a project's build spec. The exploitation requires the victim to click on an attacker's link. It can be used to elevate privileges by targeting admins of a OneDev instance. In the worst case, this can lead to arbitrary code execution on the server, because admins can create Server Shell Executors and use them to run any command on the server. This issue has been patched in version 7.3.0. Users are advised to upgrade. There are no known workarounds for this issue. | ||||