Total
4622 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-27205 | 1 Jenkins | 1 Extended Choice Parameter | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2022-27199 | 1 Jenkins | 1 Cloudbees Aws Credentials | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token. | |||||
| CVE-2022-26581 | 1 Paxtechnology | 2 A930, Paydroid | 2024-11-21 | N/A | 6.8 MEDIUM |
| PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an unauthorized attacker to perform privileged actions through the execution of specific binaries listed in ADB daemon. The attacker must have physical USB access to the device in order to exploit this vulnerability. | |||||
| CVE-2022-26546 | 1 Hospital Management System Project | 1 Hospital Management System | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Hospital Management System v1.0 was discovered to lack an authorization component, allowing attackers to access sensitive information and obtain the admin password. | |||||
| CVE-2022-26429 | 2 Google, Mediatek | 42 Android, Mt6580, Mt6735 and 39 more | 2024-11-21 | N/A | 7.8 HIGH |
| In cta, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07025415; Issue ID: ALPS07025415. | |||||
| CVE-2022-26104 | 1 Sap | 1 Financial Consolidation | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Financial Consolidation - version 10.1, does not perform necessary authorization checks for updating homepage messages, resulting for an unauthorized user to alter the maintenance system message. | |||||
| CVE-2022-26102 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application. | |||||
| CVE-2022-25810 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Transposh WordPress Translation WordPress plugin through 1.0.8 exposes a couple of sensitive actions such has “tp_reset” under the Utilities tab (/wp-admin/admin.php?page=tp_utils), which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and backup/restore operations. | |||||
| CVE-2022-25342 | 1 Olivetti | 2 D-color Mf3555, D-color Mf3555 Firmware | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Broken Access Control. It does not properly validate requests for access to data and functionality under the /mngset/authset path. By not verifying permissions for access to resources, it allows a potential attacker to view pages that are not allowed. | |||||
| CVE-2022-25211 | 1 Jenkins | 1 Swamp | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A missing permission check in Jenkins SWAMP Plugin 1.2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server using attacker-specified credentials. | |||||
| CVE-2022-25208 | 1 Jenkins | 1 Chef Sinatra | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response. | |||||
| CVE-2022-25206 | 1 Jenkins | 1 Dbcharts | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A missing check in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified database via JDBC using attacker-specified credentials. | |||||
| CVE-2022-25201 | 1 Jenkins | 1 Checkmarx | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-25199 | 1 Jenkins | 1 Scp Publisher | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials. | |||||
| CVE-2022-25195 | 1 Jenkins | 1 Autonomiq | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2022-25193 | 1 Jenkins | 1 Snow Commander | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-25190 | 1 Jenkins | 1 Conjur Secrets | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-24896 | 1 Enalean | 1 Tuleap | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Tuleap is a Free & Open Source Suite to manage software developments and collaboration. In versions prior to 13.7.99.239 Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets. Malicious users could use this vulnerability to retrieve the name of a tracker they cannot access as well as the name of the fields used in reports. | |||||
| CVE-2022-24768 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. Versions starting with 0.8.0 and 0.5.0 contain limited versions of this issue. To perform exploits, an authorized Argo CD user must have push access to an Application's source git or Helm repository or `sync` and `override` access to an Application. Once a user has that access, different exploitation levels are possible depending on their other RBAC privileges. A patch for this vulnerability has been released in Argo CD versions 2.3.2, 2.2.8, and 2.1.14. Some mitigation measures are available but do not serve as a substitute for upgrading. To avoid privilege escalation, limit who has push access to Application source repositories or `sync` + `override` access to Applications; and limit which repositories are available in projects where users have `update` access to Applications. To avoid unauthorized resource inspection/tampering, limit who has `delete`, `get`, or `action` access to Applications. | |||||
| CVE-2022-24669 | 1 Forgerock | 1 Access Management | 2024-11-21 | N/A | 6.5 MEDIUM |
| It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services. | |||||