Total
1379 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29263 | 1 F5 | 2 Access Policy Manager Clients, Big-ip Access Policy Manager | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, the BIG-IP Edge Client Component Installer Service does not use best practice while saving temporary files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2022-28802 | 1 Zapier | 1 Code By Zapier | 2024-11-21 | N/A | 9.9 CRITICAL |
| Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's account, but was supposed to enforce role-based access control within that company's account. Before 2022-08-17, a customer could have resolved this by (in effect) using a separate virtual machine for an application that held credentials - or other secrets - that weren't supposed to be shared among all of its employees. (Multiple accounts would have been needed to operate these independent virtual machines.) | |||||
| CVE-2022-26526 | 2 Anaconda, Conda | 2 Anaconda3, Miniconda3 | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Anaconda Anaconda3 (Anaconda Distribution) through 2021.11.0.0 and Miniconda3 through 4.11.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH environment variable. Thus, for example, local users can gain privileges by placing a Trojan horse file into that directory. (This problem can only happen in a non-default installation. The person who installs the product must specify that it is being installed for all users. Also, the person who installs the product must specify that the system PATH should be changed. | |||||
| CVE-2022-26340 | 1 F5 | 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, and F5 BIG-IQ Centralized Management all versions of 8.x and 7.x, an authenticated, high-privileged attacker with no bash access may be able to access Certificate and Key files using Secure Copy (SCP) protocol from a remote system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2022-26281 | 1 Bigantsoft | 1 Bigant Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| BigAnt Server v5.6.06 was discovered to contain an incorrect access control issue. | |||||
| CVE-2022-26250 | 1 Synametrics | 1 Synaman | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Synaman v5.1 and below was discovered to contain weak file permissions which allows authenticated attackers to escalate privileges. | |||||
| CVE-2022-26247 | 1 Teamwork Management System Project | 1 Teamwork Management System | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| TMS v2.28.0 contains an insecure permissions vulnerability via the component /TMS/admin/user/Update2. This vulnerability allows attackers to modify the administrator account and password. | |||||
| CVE-2022-26240 | 2 Beckmancoulter, Microsoft | 2 Remisol Advance, Windows | 2024-11-21 | N/A | 6.5 MEDIUM |
| The default privileges for the running service Normand Message Buffer in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. This allows attackers to access sensitive data. | |||||
| CVE-2022-26239 | 2 Beckmancoulter, Microsoft | 2 Remisol Advance, Windows | 2024-11-21 | N/A | 5.5 MEDIUM |
| The default privileges for the running service Normand License Manager in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows unprivileged users to overwrite and manipulate executables and libraries. This allows attackers to access sensitive data. | |||||
| CVE-2022-26238 | 2 Beckmancoulter, Microsoft | 2 Remisol Advance, Windows | 2024-11-21 | N/A | 5.5 MEDIUM |
| The default privileges for the running service Normand Service Manager in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. This allows attackers to access sensitive data. | |||||
| CVE-2022-26237 | 2 Beckmancoulter, Microsoft | 2 Remisol Advance, Windows | 2024-11-21 | N/A | 5.5 MEDIUM |
| The default privileges for the running service Normand Viewer Service in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. This allows attackers to access sensitive data. | |||||
| CVE-2022-26236 | 2 Beckmancoulter, Microsoft | 2 Remisol Advance, Windows | 2024-11-21 | N/A | 5.5 MEDIUM |
| The default privileges for the running service Normand Remisol Advance Launcher in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. This allows attackers to access sensitive data. | |||||
| CVE-2022-25992 | 1 Intel | 1 Oneapi-cli | 2024-11-21 | N/A | 7.5 HIGH |
| Insecure inherited permissions in the Intel(R) oneAPI Toolkits oneapi-cli before version 0.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-25172 | 1 Inhandnetworks | 2 Ir302, Ir302 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie. | |||||
| CVE-2022-25151 | 1 Itarian | 2 On-premise, Saas Service Desk | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user. | |||||
| CVE-2022-25010 | 1 Stepmania | 1 Stepmania | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The component /rootfs in RageFile of Stepmania v5.1b2 and below allows attackers access to the entire file system. | |||||
| CVE-2022-24886 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | 2.1 LOW | 2.2 LOW |
| Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds. | |||||
| CVE-2022-24872 | 1 Shopware | 1 Shopware | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. | |||||
| CVE-2022-24769 | 5 Debian, Fedoraproject, Linux and 2 more | 5 Debian Linux, Fedora, Linux Kernel and 2 more | 2024-11-21 | 4.6 MEDIUM | 5.9 MEDIUM |
| Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting. | |||||
| CVE-2022-24327 | 1 Jetbrains | 1 Hub | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions. | |||||