Total
2047 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41274 | 1 Sap | 1 Disclosure Management | 2024-11-21 | N/A | 6.5 MEDIUM |
| SAP Disclosure Management - version 10.1, allows an authenticated attacker to exploit certain misconfigured application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can lead to the exposure of data like financial reports. | |||||
| CVE-2022-41091 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2024-11-21 | N/A | 5.4 MEDIUM |
| Windows Mark of the Web Security Feature Bypass Vulnerability | |||||
| CVE-2022-40682 | 1 Fortinet | 1 Forticlient | 2024-11-21 | N/A | 7.8 HIGH |
| A incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe. | |||||
| CVE-2022-40529 | 1 Qualcomm | 392 Aqt1000, Aqt1000 Firmware, Ar8031 and 389 more | 2024-11-21 | N/A | 7.1 HIGH |
| Memory corruption due to improper access control in kernel while processing a mapping request from root process. | |||||
| CVE-2022-3248 | 1 Redhat | 2 Advanced Cluster Management For Kubernetes, Openshift Container Platform | 2024-11-21 | N/A | 4.4 MEDIUM |
| A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied. | |||||
| CVE-2022-39914 | 1 Google | 1 Android | 2024-11-21 | N/A | 4.0 MEDIUM |
| Exposure of Sensitive Information from an Unauthorized Actor vulnerability in Samsung DisplayManagerService prior to Android T(13) allows local attacker to access connected DLNA device information. | |||||
| CVE-2022-39913 | 1 Google | 1 Android | 2024-11-21 | N/A | 6.8 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor in Persona Manager prior to Android T(13) allows local attacker to access user profiles information. | |||||
| CVE-2022-39903 | 1 Google | 1 Android | 2024-11-21 | N/A | 4.0 MEDIUM |
| Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number. | |||||
| CVE-2022-39388 | 1 Istio | 1 Istio | 2024-11-21 | N/A | 7.6 HIGH |
| Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2022-39385 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 6.5 MEDIUM |
| Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This issue has been resolved in commit `a414520742` and will be included in future releases. Users are advised to upgrade. Users are also advised to set `SiteSetting.max_invites_per_day` to 0 until the patch is installed. | |||||
| CVE-2022-39352 | 1 Openfga | 1 Openfga | 2024-11-21 | N/A | 4.8 MEDIUM |
| OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation. | |||||
| CVE-2022-39337 | 1 Apache | 1 Hertzbeat | 2024-11-21 | N/A | 7.5 HIGH |
| Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue. | |||||
| CVE-2022-39322 | 1 Keystonejs | 1 Keystone | 2024-11-21 | N/A | 9.1 CRITICAL |
| @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - are vulnerable to their field-level access control not being used. List-level access control is not affected. Field-level access control for fields other than `multiselect` are not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the `multiselect` field. | |||||
| CVE-2022-39302 | 1 Ree6 | 1 Ree6 | 2024-11-21 | N/A | 5.5 MEDIUM |
| Ree6 is a moderation bot. This vulnerability would allow other server owners to create configurations such as "Better-Audit-Logging" which contain a channel from another server as a target. This would mean you could send log messages to another Guild channel and bypass raid and webhook protections. A specifically crafted log message could allow spamming and mass advertisements. This issue has been patched in version 1.9.9. There are currently no known workarounds. | |||||
| CVE-2022-39275 | 1 Saleor | 1 Saleor | 2024-11-21 | N/A | 5.3 MEDIUM |
| Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose the following information: Estimating database row counts from tables with a sequential primary key or Exposing staff user and customer email addresses and full name through the `assignNavigation()` mutation. This issue has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-39214 | 1 Combodo | 1 Itop | 2024-11-21 | N/A | 9.6 CRITICAL |
| Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1. | |||||
| CVE-2022-39031 | 1 Lcnet | 1 Smart Evision | 2024-11-21 | N/A | 5.3 MEDIUM |
| Smart eVision has insufficient authorization for task acquisition function. An unauthorized remote attacker can exploit this vulnerability to acquire the Session IDs of other general users only. | |||||
| CVE-2022-39030 | 1 Lcnet | 1 Smart Evision | 2024-11-21 | N/A | 7.5 HIGH |
| smart eVision has inadequate authorization for system information query function. An unauthenticated remote attacker, who is not explicitly authorized to access the information, can access sensitive information. | |||||
| CVE-2022-39029 | 1 Lcnet | 1 Smart Evision | 2024-11-21 | N/A | 6.5 MEDIUM |
| Smart eVision has inadequate authorization for the database query function. A remote attacker with general user privilege, who is not explicitly authorized to access the information, can access sensitive information. | |||||
| CVE-2022-37767 | 1 Pebbletemplates | 1 Pebble Templates | 2024-11-21 | N/A | 9.8 CRITICAL |
| Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok. NOTE: the vendor disputes this because input to the Pebble templating engine is intended to include arbitrary Java code, and thus either the input should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the input. The engine is not responsible for validating the input. | |||||