Total
2925 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-32294 | 1 Zimbra | 1 Collaboration | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port). NOTE: a third party reports that this cannot be reproduced. | |||||
| CVE-2022-32290 | 1 Northern.tech | 1 Mender | 2026-06-17 | 3.3 LOW | 4.3 MEDIUM |
| The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the device. However, it listens on all network interfaces instead of only the localhost interface. Therefore, any client on the same network can connect to this TCP port and send HTTP requests. The Mender Client will forward these requests to the Mender Server. Additionally, if mTLS is set up, the Mender Client will connect to the Mender Server using the device's client certificate, making it possible for the attacker to bypass mTLS authentication and send requests to the Mender Server without direct access to the client certificate and related private key. Accessing the HTTP proxy from the local network doesn't represent a direct threat, because it doesn't expose any device or server-specific data. However, it increases the attack surface and can be a potential vector to exploit other vulnerabilities both on the Client and the Server. | |||||
| CVE-2022-31671 | 1 Linuxfoundation | 1 Harbor | 2026-06-17 | N/A | 7.4 HIGH |
| Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database. | |||||
| CVE-2022-31670 | 1 Linuxfoundation | 1 Harbor | 2026-06-17 | N/A | 7.7 HIGH |
| Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag retention policies configured in other projects. | |||||
| CVE-2022-31669 | 1 Linuxfoundation | 1 Harbor | 2026-06-17 | N/A | 6.4 MEDIUM |
| Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects. | |||||
| CVE-2022-31668 | 1 Linuxfoundation | 1 Harbor | 2026-06-17 | N/A | 7.4 HIGH |
| Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects. | |||||
| CVE-2022-31667 | 1 Linuxfoundation | 1 Harbor | 2026-06-17 | N/A | 6.4 MEDIUM |
| Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions. | |||||
| CVE-2022-31646 | 1 Hp | 654 Dragonfly Folio G3 2-in-1, Dragonfly Folio G3 2-in-1 Firmware, Elite Dragonfly and 651 more | 2026-06-17 | N/A | 7.8 HIGH |
| Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure. | |||||
| CVE-2022-31644 | 1 Hp | 654 Dragonfly Folio G3 2-in-1, Dragonfly Folio G3 2-in-1 Firmware, Elite Dragonfly and 651 more | 2026-06-17 | N/A | 7.8 HIGH |
| Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure. | |||||
| CVE-2022-31252 | 2 Opensuse, Suse | 3 Leap, Leap Micro, Linux Enterprise Server | 2026-06-17 | N/A | 4.4 MEDIUM |
| A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution. This issue affects: SUSE Linux Enterprise Server 12-SP5 permissions versions prior to 20170707. openSUSE Leap 15.3 permissions versions prior to 20200127. openSUSE Leap 15.4 permissions versions prior to 20201225. openSUSE Leap Micro 5.2 permissions versions prior to 20181225. | |||||
| CVE-2022-31190 | 1 Duraspace | 1 Dspace | 2026-06-17 | N/A | 5.3 MEDIUM |
| DSpace open source software is a repository application which provides durable access to digital resources. dspace-xmlui is a UI component for DSpace. In affected versions metadata on a withdrawn Item is exposed via the XMLUI "mets.xml" object, as long as you know the handle/URL of the withdrawn Item. This vulnerability only impacts the XMLUI. Users are advised to upgrade to version 6.4 or newer. | |||||
| CVE-2022-31178 | 1 Elabftw | 1 Elabftw | 2026-06-17 | N/A | 4.3 MEDIUM |
| eLabFTW is an electronic lab notebook manager for research teams. A vulnerability was discovered which allows a logged in user to read a template without being authorized to do so. This vulnerability has been patched in 4.3.4. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-31168 | 1 Zulip | 1 Zulip | 2026-06-17 | N/A | 5.4 MEDIUM |
| Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots. | |||||
| CVE-2022-31155 | 1 Sourcegraph | 1 Sourcegraph | 2026-06-17 | N/A | 4.3 MEDIUM |
| Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users’ saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users’ saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended. | |||||
| CVE-2022-31154 | 1 Sourcegraph | 1 Sourcegraph | 2026-06-17 | N/A | 6.4 MEDIUM |
| Sourcegraph is an opensource code search and navigation engine. It is possible for an authenticated Sourcegraph user to edit the Code Monitors owned by any other Sourcegraph user. This includes being able to edit both the trigger and the action of the monitor in question. An attacker is not able to read contents of existing code monitors, only override the data. The issue is fixed in Sourcegraph 3.42. There are no workaround for the issue and patching is highly recommended. | |||||
| CVE-2022-31153 | 1 Openzeppelin | 1 Contracts | 2026-06-17 | N/A | 6.5 MEDIUM |
| OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1. | |||||
| CVE-2022-31139 | 1 Unsafe Accessor Project | 1 Unsafe Accessor | 2026-06-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| UnsafeAccessor (UA) is a bridge to access jdk.internal.misc.Unsafe & sun.misc.Unsafe. Normally, if UA is loaded as a named module, the internal data of UA is protected by JVM and others can only access UA via UA's standard API. The main application can set up `SecurityCheck.AccessLimiter` for UA to limit access to UA. Starting with version 1.4.0 and prior to version 1.7.0, when `SecurityCheck.AccessLimiter` is set up, untrusted code can access UA without limitation, even when UA is loaded as a named module. This issue does not affect those for whom `SecurityCheck.AccessLimiter` is not set up. Version 1.7.0 contains a patch. | |||||
| CVE-2022-31107 | 2 Grafana, Netapp | 2 Grafana, E-series Performance Analyzer | 2026-06-17 | N/A | 7.1 HIGH |
| Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address. | |||||
| CVE-2022-31087 | 2 Debian, Ldap-account-manager | 2 Debian Linux, Ldap Account Manager | 2026-06-17 | 7.2 HIGH | 7.8 HIGH |
| LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible by /lam/tmp/, allows interpretation of .php (and .php5/.php4/.phpt/etc) files. An attacker capable of writing files under www-data privileges can write a web-shell into this directory, and gain a Code Execution on the host. This issue has been fixed in version 8.0. Users unable to upgrade should disallow executing PHP scripts in (/var/lib/ldap-account-manager/)tmp directory. | |||||
| CVE-2022-31039 | 1 Bigbluebutton | 1 Greenlight | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room's settings. This issue has been patched in release version 2.12.6. | |||||