Total
1969 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0985 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. | |||||
| CVE-2022-0984 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges. | |||||
| CVE-2022-0981 | 1 Quarkus | 1 Quarkus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended. | |||||
| CVE-2022-0920 | 1 Salonbookingsystem | 1 Salon Booking System | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data | |||||
| CVE-2022-0866 | 1 Redhat | 3 Jboss Enterprise Application Platform, Openstack Platform, Wildfly | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled. | |||||
| CVE-2022-0825 | 1 Tms-outsource | 1 Amelia | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. | |||||
| CVE-2022-0775 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment | |||||
| CVE-2022-0762 | 1 Microweber | 1 Microweber | 2024-11-21 | 4.0 MEDIUM | 5.5 MEDIUM |
| Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3. | |||||
| CVE-2022-0740 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 3.1 LOW |
| Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches. | |||||
| CVE-2022-0727 | 1 Framasoft | 1 Peertube | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0. | |||||
| CVE-2022-0720 | 1 Tms-outsource | 1 Amelia | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. | |||||
| CVE-2022-0633 | 1 Updraftplus | 1 Updraftplus | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup. | |||||
| CVE-2022-0594 | 1 Shareaholic | 1 Shareaholic | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have proper authorisation check in one of the AJAX action, available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc. | |||||
| CVE-2022-0580 | 1 Librenms | 1 Librenms | 2024-11-21 | 6.5 MEDIUM | 7.1 HIGH |
| Incorrect Authorization in Packagist librenms/librenms prior to 22.2.0. | |||||
| CVE-2022-0577 | 2 Debian, Scrapy | 2 Debian Linux, Scrapy | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1. | |||||
| CVE-2022-0574 | 1 Publify Project | 1 Publify | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| Improper Access Control in GitHub repository publify/publify prior to 9.2.8. | |||||
| CVE-2022-0451 | 1 Dart | 1 Dart Software Development Kit | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirection logic. If a request is sent to example.com with authorization header and it redirects to an attackers site, they might not expect attacker site to receive authorization header. We recommend updating the Dart SDK to version 2.16.0 or beyond. | |||||
| CVE-2022-0406 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16. | |||||
| CVE-2022-0333 | 1 Moodle | 1 Moodle | 2024-11-21 | 5.5 MEDIUM | 3.8 LOW |
| A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events. | |||||
| CVE-2022-0309 | 1 Google | 1 Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Autofill in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||||