Total
1460 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-26238 | 2 Beckmancoulter, Microsoft | 2 Remisol Advance, Windows | 2024-11-21 | 5.5 Medium |
| The default privileges for the running service Normand Service Manager in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. This allows attackers to access sensitive data. | ||||
| CVE-2022-26237 | 2 Beckmancoulter, Microsoft | 2 Remisol Advance, Windows | 2024-11-21 | 5.5 Medium |
| The default privileges for the running service Normand Viewer Service in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. This allows attackers to access sensitive data. | ||||
| CVE-2022-26236 | 2 Beckmancoulter, Microsoft | 2 Remisol Advance, Windows | 2024-11-21 | 5.5 Medium |
| The default privileges for the running service Normand Remisol Advance Launcher in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. This allows attackers to access sensitive data. | ||||
| CVE-2022-25172 | 1 Inhandnetworks | 2 Ir302, Ir302 Firmware | 2024-11-21 | 6.1 Medium |
| An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie. | ||||
| CVE-2022-25010 | 1 Stepmania | 1 Stepmania | 2024-11-21 | 9.1 Critical |
| The component /rootfs in RageFile of Stepmania v5.1b2 and below allows attackers access to the entire file system. | ||||
| CVE-2022-24886 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | 2.2 Low |
| Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds. | ||||
| CVE-2022-24872 | 1 Shopware | 1 Shopware | 2024-11-21 | 8.1 High |
| Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. | ||||
| CVE-2022-24769 | 6 Debian, Fedoraproject, Linux and 3 more | 6 Debian Linux, Fedora, Linux Kernel and 3 more | 2024-11-21 | 5.9 Medium |
| Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting. | ||||
| CVE-2022-24327 | 1 Jetbrains | 1 Hub | 2024-11-21 | 7.5 High |
| In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions. | ||||
| CVE-2022-24236 | 1 Snapt | 1 Aria | 2024-11-21 | 3.5 Low |
| An insecure permissions vulnerability in Snapt Aria v12.8 allows unauthenticated attackers to send e-mails from spoofed users' accounts. | ||||
| CVE-2022-23869 | 1 Ruoyi | 1 Ruoyi | 2024-11-21 | 6.5 Medium |
| In RuoYi v4.7.2 through the WebUI, user test1 does not have permission to reset the password of user test3, but the password of user test3 can be reset through the /system/user/resetPwd request. | ||||
| CVE-2022-23743 | 1 Checkpoint | 1 Zonealarm | 2024-11-21 | 7.8 High |
| Check Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade process. In addition, weak permissions in the ProgramData\CheckPoint\ZoneAlarm\Data\Updates directory allow a local attacker the ability to execute an arbitrary file write, leading to execution of code as local system, in ZoneAlarm versions before v15.8.211.192119 | ||||
| CVE-2022-23726 | 1 Pingidentity | 1 Pingcentral | 2024-11-21 | 5.4 Medium |
| PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information. | ||||
| CVE-2022-23725 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-11-21 | 7.7 High |
| PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances. | ||||
| CVE-2022-23448 | 1 Siemens | 2 Simatic Energy Manager Basic, Simatic Energy Manager Pro | 2024-11-21 | 7.8 High |
| A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). Affected applications improperly assign permissions to critical directories and files used by the application processes. This could allow a local unprivileged attacker to achieve code execution with ADMINISTRATOR or even NT AUTHORITY/SYSTEM privileges. | ||||
| CVE-2022-23143 | 1 Zte | 2 Otcp, Otcp Firmware | 2024-11-21 | 6.5 Medium |
| ZTE OTCP product is impacted by a permission and access control vulnerability. Due to improper permission settings, an attacker with high permissions could use this vulnerability to maliciously delete and modify files. | ||||
| CVE-2022-23132 | 2 Fedoraproject, Zabbix | 2 Fedora, Zabbix | 2024-11-21 | 3.3 Low |
| During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level | ||||
| CVE-2022-22988 | 1 Westerndigital | 1 Edgerover | 2024-11-21 | 7.7 High |
| File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources. It would be more difficult for an authenticated attacker to now traverse through the files and directories. This can only be exploited once an attacker has already found a way to get authenticated access to the device. | ||||
| CVE-2022-22941 | 1 Saltstack | 1 Salt | 2024-11-21 | 8.8 High |
| An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion. | ||||
| CVE-2022-22521 | 1 Miele | 1 Benchmark Programming Tool | 2024-11-21 | 7.3 High |
| In Miele Benchmark Programming Tool with versions Prior to 1.2.71, executable files manipulated by attackers are unknowingly executed with users privileges. An attacker with low privileges may trick a user with administrative privileges to execute these binaries as admin. | ||||