Search
Total
622 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-0680 | 1 Google | 1 Android | 2022-07-12 | 2.1 LOW | 5.5 MEDIUM |
| In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-192535676 | |||||
| CVE-2021-37976 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||||
| CVE-2021-39753 | 1 Google | 1 Android | 2022-07-12 | 2.1 LOW | 5.5 MEDIUM |
| In DomainVerificationService, there is a possible way to access app domain verification information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-200035185 | |||||
| CVE-2021-0653 | 1 Google | 1 Android | 2022-07-12 | 4.9 MEDIUM | 5.5 MEDIUM |
| In enqueueNotification of NetworkPolicyManagerService.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-9Android ID: A-177931370 | |||||
| CVE-2021-0654 | 1 Google | 1 Android | 2022-07-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| In isRealSnapshot of TaskThumbnailView.java, there is possible data exposure due to a missing permission check. This could lead to local information disclosure from locked profiles with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168802517References: N/A | |||||
| CVE-2021-20715 | 1 Recruit-holdings | 1 Hot Pepper Gourmet | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| Improper access control vulnerability in Hot Pepper Gourmet App for Android ver.4.111.0 and earlier, and for iOS ver.4.111.0 and earlier allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. | |||||
| CVE-2022-34785 | 1 Jenkins | 1 Build-metrics | 2022-07-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins build-metrics Plugin 1.3 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them. | |||||
| CVE-2022-34779 | 1 Jenkins | 1 Xebialabs Xl Release | 2022-07-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-34794 | 1 Jenkins | 1 Recipe | 2022-07-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. | |||||
| CVE-2022-23055 | 1 Frappe | 1 Erpnext | 2022-07-05 | 5.5 MEDIUM | 5.4 MEDIUM |
| In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users. | |||||
| CVE-2021-32477 | 1 Moodle | 1 Moodle | 2022-07-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected. | |||||
| CVE-2022-34208 | 1 Jenkins | 1 Beaker Builder | 2022-06-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2022-34206 | 1 Jenkins | 1 Jianliao Notification | 2022-06-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL. | |||||
| CVE-2022-34204 | 1 Jenkins | 1 Easyqa | 2022-06-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins EasyQA Plugin 1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | |||||
| CVE-2022-34210 | 1 Jenkins | 1 Threadfix | 2022-06-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2022-34212 | 1 Jenkins | 1 Vrealize Orchestrator | 2022-06-29 | 3.5 LOW | 5.7 MEDIUM |
| A missing permission check in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL. | |||||
| CVE-2022-34201 | 1 Jenkins | 1 Convertigo Mobile Platform | 2022-06-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2022-20736 | 1 Cisco | 1 Appdynamics Controller | 2022-06-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco AppDynamics Controller Software could allow an unauthenticated, remote attacker to access a configuration file and the login page for an administrative console that they would not normally have authorization to access. This vulnerability is due to improper authorization checking for HTTP requests that are submitted to the affected web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected instance of AppDynamics Controller. A successful exploit could allow the attacker to access the login page for an administrative console. AppDynamics has released software updates that address this vulnerability. | |||||
| CVE-2022-31752 | 1 Huawei | 2 Emui, Magic Ui | 2022-06-18 | 2.1 LOW | 5.5 MEDIUM |
| Missing authorization vulnerability in the system components. Successful exploitation of this vulnerability will affect confidentiality. | |||||
| CVE-2022-0745 | 1 Likebtn | 1 Like Button Rating | 2022-06-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Like Button Rating WordPress plugin before 2.6.45 allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body | |||||
| CVE-2021-25116 | 1 Enqueue Anything Project | 1 Enqueue Anything | 2022-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash. | |||||
| CVE-2022-24896 | 1 Enalean | 1 Tuleap | 2022-06-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Tuleap is a Free & Open Source Suite to manage software developments and collaboration. In versions prior to 13.7.99.239 Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets. Malicious users could use this vulnerability to retrieve the name of a tracker they cannot access as well as the name of the fields used in reports. | |||||
| CVE-2022-1570 | 1 Files Download Delay Project | 1 Files Download Delay | 2022-06-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Files Download Delay WordPress plugin before 1.0.7 does not have authorisation and CSRF checks when reseting its settings, which could allow any authenticated users, such as subscriber to perform such action. | |||||
| CVE-2022-30731 | 1 Samsung | 1 My Files | 2022-06-13 | 2.1 LOW | 5.5 MEDIUM |
| Improper access control vulnerability in My Files prior to version 13.1.00.193 allows attackers to access arbitrary private files in My Files application. | |||||
| CVE-2022-30715 | 1 Google | 1 Android | 2022-06-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper access control vulnerability in DofViewer prior to SMR Jun-2022 Release 1 allows attackers to control floating system alert window. | |||||
| CVE-2022-1203 | 1 Content Mask Project | 1 Content Mask | 2022-06-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options | |||||
| CVE-2020-8193 | 1 Citrix | 11 4000-wo, 4100-wo, 5000-wo and 8 more | 2022-06-04 | 5.0 MEDIUM | 6.5 MEDIUM |
| Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints. | |||||
| CVE-2020-8139 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2022-06-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL. | |||||
| CVE-2021-42848 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2022-06-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details. | |||||
| CVE-2021-23975 | 1 Mozilla | 1 Firefox | 2022-05-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked we incorrectly called the sizeof function, instead of using the API method that checks for invalid pointers. This vulnerability affects Firefox < 86. | |||||
| CVE-2021-42851 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2022-05-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account. | |||||
| CVE-2022-30955 | 1 Jenkins | 1 Gitlab | 2022-05-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-30954 | 1 Jenkins | 1 Blue Ocean | 2022-05-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | |||||
| CVE-2022-30959 | 1 Jenkins | 1 Ssh | 2022-05-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2020-8196 | 1 Citrix | 11 4000-wo, 4100-wo, 5000-wo and 8 more | 2022-05-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users. | |||||
| CVE-2021-21468 | 1 Sap | 1 Business Warehouse | 2022-05-19 | 4.0 MEDIUM | 6.5 MEDIUM |
| The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table. | |||||
| CVE-2021-21473 | 1 Sap | 1 Netweaver As Abap | 2022-05-19 | 6.5 MEDIUM | 6.3 MEDIUM |
| SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform. | |||||
| CVE-2022-20121 | 1 Google | 1 Android | 2022-05-17 | 2.1 LOW | 5.5 MEDIUM |
| In getNodeValue of USCCDMPlugin.java, there is a possible disclosure of ICCID due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-212573046References: N/A | |||||
| CVE-2022-20011 | 1 Google | 1 Android | 2022-05-16 | 2.1 LOW | 5.5 MEDIUM |
| In getArray of NotificationManagerService.java , there is a possible leak of one user notifications to another due to missing check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-214999128 | |||||
| CVE-2022-20115 | 1 Google | 1 Android | 2022-05-16 | 2.1 LOW | 5.5 MEDIUM |
| In broadcastServiceStateChanged of TelephonyRegistry.java, there is a possible way to learn base station information without location permission due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-210118427 | |||||
| CVE-2019-18790 | 2 Debian, Digium | 3 Debian Linux, Asterisk, Certified Asterisk | 2022-05-13 | 5.8 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before 16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is set to the default, or auto_force_rport. | |||||
| CVE-2020-10701 | 1 Redhat | 1 Libvirt | 2022-05-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. This flaw allows read-only connections to adjust the time that libvirt waits for the QEMU guest agent to respond to agent commands. Depending on the timeout value that is set, this flaw can make guest agent commands fail because the agent cannot respond in time. Unprivileged users with a read-only connection could abuse this flaw to set the response timeout for all guest agent messages to zero, potentially leading to a denial of service. This flaw affects libvirt versions before 6.2.0. | |||||
| CVE-2022-0634 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2022-05-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request. | |||||
| CVE-2022-1092 | 1 Mycred | 1 Mycred | 2022-05-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.4 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog | |||||
| CVE-2022-20102 | 2 Google, Mediatek | 45 Android, Mt6580, Mt6739 and 42 more | 2022-05-12 | 2.1 LOW | 4.4 MEDIUM |
| In aee daemon, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06296442; Issue ID: ALPS06296405. | |||||
| CVE-2022-28789 | 1 Samsung | 1 Voice Note | 2022-05-11 | 2.1 LOW | 5.5 MEDIUM |
| Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction. The patch adds proper permission for vulnerable activities. | |||||
| CVE-2022-20098 | 2 Google, Mediatek | 45 Android, Mt6580, Mt6739 and 42 more | 2022-05-11 | 2.1 LOW | 4.4 MEDIUM |
| In aee daemon, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06419017; Issue ID: ALPS06419017. | |||||
| CVE-2022-20100 | 2 Google, Mediatek | 45 Android, Mt6580, Mt6739 and 42 more | 2022-05-11 | 2.1 LOW | 4.4 MEDIUM |
| In aee daemon, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06383944; Issue ID: ALPS06270804. | |||||
| CVE-2021-20777 | 1 Gu-global | 1 Gu | 2022-05-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| Improper authorization in handler for custom URL scheme vulnerability in GU App for Android versions from 4.8.0 to 5.0.2 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. | |||||
| CVE-2021-20834 | 1 Nike | 1 Nike | 2022-05-03 | 5.8 MEDIUM | 6.1 MEDIUM |
| Improper authorization in handler for custom URL scheme vulnerability in Nike App for Android versions prior to 2.177 and Nike App for iOS versions prior to 2.177.1 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. | |||||