Total
447 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0609 | 1 Wallabag | 1 Wallabag | 2024-11-21 | N/A | 4.3 MEDIUM |
| Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3. | |||||
| CVE-2022-4962 | 1 Apolloconfig | 1 Apollo | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Apollo 2.0.0/2.0.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /users of the component Configuration Center. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. VDB-250430 is the identifier assigned to this vulnerability. NOTE: The maintainer explains that user data information like user id, name, and email are not sensitive. | |||||
| CVE-2022-4868 | 1 Froxlor | 1 Froxlor | 2024-11-21 | N/A | 4.3 MEDIUM |
| Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. | |||||
| CVE-2022-4804 | 1 Usememos | 1 Memos | 2024-11-21 | N/A | 5.3 MEDIUM |
| Improper Authorization in GitHub repository usememos/memos prior to 0.9.1. | |||||
| CVE-2022-4688 | 1 Usememos | 1 Memos | 2024-11-21 | N/A | 8.8 HIGH |
| Improper Authorization in GitHub repository usememos/memos prior to 0.9.0. | |||||
| CVE-2022-4062 | 1 Schneider-electric | 1 Ecostruxure Power Commission | 2024-11-21 | N/A | 7.8 HIGH |
| A CWE-285: Improper Authorization vulnerability exists that could cause unauthorized access to certain software functions when an attacker gets access to localhost interface of the EcoStruxure Power Commission application. Affected Products: EcoStruxure Power Commission (Versions prior to V2.25) | |||||
| CVE-2022-3187 | 1 Dataprobe | 24 Iboot-pdu4-n20, Iboot-pdu4-n20 Firmware, Iboot-pdu4a-n15 and 21 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where certain PHP pages only validate when a valid connection is established with the database. However, these PHP pages do not verify the validity of a user. Attackers could leverage this lack of verification to read the state of outlets. | |||||
| CVE-2022-31168 | 1 Zulip | 1 Zulip | 2024-11-21 | N/A | 5.4 MEDIUM |
| Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots. | |||||
| CVE-2022-30670 | 2 Adobe, Microsoft | 2 Robohelp Server, Windows | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| RoboHelp Server earlier versions than RHS 11 Update 3 are affected by an Improper Authorization vulnerability which could lead to privilege escalation. An authenticated attacker could leverage this vulnerability to achieve full administrator privileges. Exploitation of this issue does not require user interaction. | |||||
| CVE-2022-2901 | 1 Chatwoot | 1 Chatwoot | 2024-11-21 | N/A | 7.1 HIGH |
| Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8. | |||||
| CVE-2022-2595 | 1 Kromit | 1 Titra | 2024-11-21 | N/A | 10.0 CRITICAL |
| Improper Authorization in GitHub repository kromitgmbh/titra prior to 0.79.1. | |||||
| CVE-2022-29236 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds. | |||||
| CVE-2022-29234 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds. | |||||
| CVE-2022-29233 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds. | |||||
| CVE-2022-23542 | 1 Openfga | 1 Openfga | 2024-11-21 | N/A | 7.7 HIGH |
| OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible. | |||||
| CVE-2022-0860 | 2 Cobbler Project, Fedoraproject | 2 Cobbler, Fedora | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. | |||||
| CVE-2022-0829 | 1 Webmin | 1 Webmin | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Improper Authorization in GitHub repository webmin/webmin prior to 1.990. | |||||
| CVE-2022-0587 | 1 Librenms | 1 Librenms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Authorization in Packagist librenms/librenms prior to 22.2.0. | |||||
| CVE-2021-32688 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2024-11-21 | 7.5 HIGH | 8.8 HIGH |
| Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading. | |||||
| CVE-2020-6311 | 1 Sap | 2 Bank Analyzer, S\/4hana For Financial Products Subledger | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Banking services from SAP 9.0 (Bank Analyzer), version - 500, and SAP S/4HANA for financial products subledger, version ? 100, does not correctly perform necessary authorization checks for an authenticated user due to Improper Authorization checks, that may cause a system administrator to create incorrect authorization proposals. This may result in privilege escalation and may expose restricted banking data. | |||||