ReportizFlow
Filtered by vendor
Subscriptions
Total
804 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-4804 | 1 Usememos | 1 Memos | 2024-11-21 | 5.3 Medium |
| Improper Authorization in GitHub repository usememos/memos prior to 0.9.1. | ||||
| CVE-2022-4688 | 1 Usememos | 1 Memos | 2024-11-21 | 8.8 High |
| Improper Authorization in GitHub repository usememos/memos prior to 0.9.0. | ||||
| CVE-2022-47553 | 1 Ormazabal | 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more | 2024-11-21 | 8.6 High |
| Incorrect authorisation in ekorCCP and ekorRCI, which could allow a remote attacker to obtain resources with sensitive information for the organisation, without being authenticated within the web server. | ||||
| CVE-2022-41974 | 4 Debian, Fedoraproject, Opensvc and 1 more | 7 Debian Linux, Fedora, Multipath-tools and 4 more | 2024-11-21 | 7.8 High |
| multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR. | ||||
| CVE-2022-40536 | 1 Qualcomm | 162 315 5g Iot Modem, 315 5g Iot Modem Firmware, Ar8035 and 159 more | 2024-11-21 | 7.5 High |
| Transient DOS due to improper authentication in modem while receiving plain TLB OTA request message from network. | ||||
| CVE-2022-40521 | 1 Qualcomm | 484 315 5g Iot Modem, 315 5g Iot Modem Firmware, 8953pro and 481 more | 2024-11-21 | 7.5 High |
| Transient DOS due to improper authorization in Modem | ||||
| CVE-2022-3187 | 1 Dataprobe | 24 Iboot-pdu4-n20, Iboot-pdu4-n20 Firmware, Iboot-pdu4a-n15 and 21 more | 2024-11-21 | 5.3 Medium |
| Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where certain PHP pages only validate when a valid connection is established with the database. However, these PHP pages do not verify the validity of a user. Attackers could leverage this lack of verification to read the state of outlets. | ||||
| CVE-2022-39905 | 1 Google | 1 Android | 2024-11-21 | 4 Medium |
| Implicit intent hijacking vulnerability in Telecom application prior to SMR Dec-2022 Release 1 allows attacker to access sensitive information via implicit intent. | ||||
| CVE-2022-39902 | 1 Samsung | 2 Exynos, Exynos Firmware | 2024-11-21 | 6.5 Medium |
| Improper authorization in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to get sensitive information including IMEI via emergency call. | ||||
| CVE-2022-39890 | 1 Samsung | 1 Billing | 2024-11-21 | 6.2 Medium |
| Improper Authorization in Samsung Billing prior to version 5.0.56.0 allows attacker to get sensitive information. | ||||
| CVE-2022-39883 | 1 Google | 1 Android | 2024-11-21 | 4 Medium |
| Improper authorization vulnerability in StorageManagerService prior to SMR Nov-2022 Release 1 allows local attacker to call privileged API. | ||||
| CVE-2022-39879 | 1 Google | 1 Android | 2024-11-21 | 5.9 Medium |
| Improper authorization vulnerability in?CallBGProvider prior to SMR Nov-2022 Release 1 allows local attacker to grant permission for accessing information with phone uid. | ||||
| CVE-2022-39873 | 1 Samsung | 1 Internet | 2024-11-21 | 4.3 Medium |
| Improper authorization vulnerability in Samsung Internet prior to version 18.0.4.14 allows physical attackers to add bookmarks in secret mode without user authentication. | ||||
| CVE-2022-39862 | 2 Google, Samsung | 2 Android, Dynamic Lockscreen | 2024-11-21 | 5.3 Medium |
| Improper authorization in Dynamic Lockscreen prior to SMR Sep-2022 Release 1 in Android R(11) and 3.3.03.66 in Android S(12) allows unauthorized use of javascript interface api. | ||||
| CVE-2022-39356 | 1 Discourse | 1 Discourse | 2024-11-21 | 8.9 High |
| Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses. | ||||
| CVE-2022-39342 | 1 Openfga | 1 Openfga | 2024-11-21 | 5.9 Medium |
| OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) are vulnerable. Version 0.2.4 contains a patch for this issue. | ||||
| CVE-2022-39341 | 1 Openfga | 1 Openfga | 2024-11-21 | 5.9 Medium |
| OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (`*`) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch for this issue. | ||||
| CVE-2022-39340 | 1 Openfga | 1 Openfga | 2024-11-21 | 5.3 Medium |
| OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue. | ||||
| CVE-2022-39329 | 1 Nextcloud | 2 Nextcloud Enterprise Server, Nextcloud Server | 2024-11-21 | 3.5 Low |
| Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contains patches for this issue. No known workarounds are available. | ||||
| CVE-2022-39322 | 1 Keystonejs | 1 Keystone | 2024-11-21 | 9.1 Critical |
| @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - are vulnerable to their field-level access control not being used. List-level access control is not affected. Field-level access control for fields other than `multiselect` are not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the `multiselect` field. | ||||