Total
1780 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45760 | 1 Sens Project | 1 Sens | 2024-08-03 | 8.8 High |
| SENS v1.0 is vulnerable to Incorrect Access Control vulnerability. | ||||
| CVE-2022-45435 | 1 Sailpoint | 1 Identityiq | 2024-08-03 | 6.8 Medium |
| IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration. | ||||
| CVE-2022-45383 | 1 Jenkins | 1 Support Core | 2024-08-03 | 6.5 Medium |
| An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission. | ||||
| CVE-2022-45353 | 1 Muffingroup | 1 Betheme | 2024-08-03 | 4.3 Medium |
| Broken Access Control in Betheme theme <= 26.6.1 on WordPress. | ||||
| CVE-2022-45172 | 1 Liveboxcloud | 1 Vdesk | 2024-08-03 | 9.8 Critical |
| An issue was discovered in LIVEBOX Collaboration vDesk before v018. Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected by flaws in authorization logic, through which a malicious user (with no privileges) is able to perform privilege escalation to the administrator role, and steal the accounts of any users on the system. | ||||
| CVE-2022-45128 | 1 Intel | 1 Endpoint Management Assistant | 2024-08-03 | 5 Medium |
| Improper authorization in the Intel(R) EMA software before version 1.9.0.0 may allow an authenticated user to potentially enable denial of service via local access. | ||||
| CVE-2022-44039 | 1 Franklinfueling | 1 Colibri Firmware | 2024-08-03 | 9.8 Critical |
| Franklin Fueling System FFS Colibri 1.9.22.8925 is affected by: File system overwrite. The impact is: File system rewrite (remote). ¶¶ An attacker can overwrite system files like [system.conf] and [passwd], this occurs because the insecure usage of "fopen" system function with the mode "wb" which allows overwriting file if exists. Overwriting files such as passwd, allows an attacker to escalate his privileges by planting backdoor user with root privilege or change root password. | ||||
| CVE-2022-43872 | 2 Ibm, Linux | 4 Aix, Financial Transaction Manager, Linux On Ibm Z and 1 more | 2024-08-03 | 5.3 Medium |
| IBM Financial Transaction Manager 3.2.4 authorization checks are done incorrectly for some HTTP requests which allows getting unauthorized technical information (e.g. event log entries) about the FTM SWIFT system. IBM X-Force ID: 239708. | ||||
| CVE-2022-43940 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2024-08-03 | 8.8 High |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service. | ||||
| CVE-2022-43770 | 1 Hitachivantara | 1 Pentaho Business Analytics | 2024-08-03 | 5.4 Medium |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. | ||||
| CVE-2022-43465 | 1 Intel | 1 Setup And Configuration Software | 2024-08-03 | 5 Medium |
| Improper authorization in the Intel(R) SCS software all versions may allow an authenticated user to potentially enable denial of service via local access. | ||||
| CVE-2022-43438 | 1 Easy Test Project | 1 Easy Test | 2024-08-03 | 8.8 High |
| The Administrator function of EasyTest has an Incorrect Authorization vulnerability. A remote attacker authenticated as a general user can exploit this vulnerability to bypass the intended access restrictions, to make API functions calls, manipulate system and terminate service. | ||||
| CVE-2022-42978 | 1 Atlassian | 1 Confluence Data Center | 2024-08-03 | 7.5 High |
| In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system. | ||||
| CVE-2022-42724 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-08-03 | 4.3 Medium |
| app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have). | ||||
| CVE-2022-41970 | 1 Nextcloud | 1 Nextcloud Server | 2024-08-03 | 2.6 Low |
| Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available. | ||||
| CVE-2022-41923 | 1 Grails | 1 Spring Security Core | 2024-08-03 | 9.1 Critical |
| Grails Spring Security Core plugin is vulnerable to privilege escalation. The vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint (i.e. the donor endpoint). In some Grails framework applications, access to the targeted endpoint will be granted based on meeting the authorization requirements of the donor endpoint, which can result in a privilege escalation attack. This vulnerability has been patched in grails-spring-security-core versions 3.3.2, 4.0.5 and 5.1.1. Impacted Applications: Grails Spring Security Core plugin versions: 1.x 2.x >=3.0.0 <3.3.2 >=4.0.0 <4.0.5 >=5.0.0 <5.1.1 We strongly suggest that all Grails framework applications using the Grails Spring Security Core plugin be updated to a patched release of the plugin. Workarounds: Users should create a subclass extending one of the following classes from the `grails.plugin.springsecurity.web.access.intercept` package, depending on their security configuration: * `AnnotationFilterInvocationDefinition` * `InterceptUrlMapFilterInvocationDefinition` * `RequestmapFilterInvocationDefinition` In each case, the subclass should override the `calculateUri` method like so: ``` @Override protected String calculateUri(HttpServletRequest request) { UrlPathHelper.defaultInstance.getRequestUri(request) } ``` This should be considered a temporary measure, as the patched versions of grails-spring-security-core deprecates the `calculateUri` method. Once upgraded to a patched version of the plugin, this workaround is no longer needed. The workaround is especially important for version 2.x, as no patch is available version 2.x of the GSSC plugin. | ||||
| CVE-2022-41962 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 2.7 Low |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1There are no workarounds. | ||||
| CVE-2022-41944 | 1 Discourse | 1 Discourse | 2024-08-03 | 3.5 Low |
| Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. There are no workarounds available. | ||||
| CVE-2022-41918 | 1 Amazon | 1 Opensearch | 2024-08-03 | 6.3 Medium |
| OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue. | ||||
| CVE-2022-41610 | 1 Intel | 2 Endpoint Management Assistant Configuration Tool, Manageability Commander | 2024-08-03 | 5 Medium |
| Improper authorization in Intel(R) EMA Configuration Tool before version 1.0.4 and Intel(R) MC before version 2.4 software may allow an authenticated user to potentially enable denial of service via local access. | ||||