Total
542 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-38486 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2022-10-27 | 8.5 High |
| InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 cloud portal allows for self-registration of the affected product without any requirements to create an account, which may allow an attacker to have full control over the product and execute code within the internal network to which the product is connected. | ||||
| CVE-2021-33723 | 1 Siemens | 1 Sinec Nms | 2022-10-27 | 6.5 Medium |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system. | ||||
| CVE-2021-36029 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2022-10-27 | 7.2 High |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution. | ||||
| CVE-2021-37705 | 1 Microsoft | 1 Onefuzz | 2022-10-27 | 10.0 Critical |
| OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain option. This can result in read/write access to private data such as software vulnerability and crash information, security testing tools and proprietary code and symbols. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. As a workaround users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option. | ||||
| CVE-2021-35964 | 1 Learningdigital | 1 Orca Hcm | 2022-10-27 | 9.8 Critical |
| The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access members’ information, modify and delete the courses in system, thus causing users fail to access the learning content. | ||||
| CVE-2021-3837 | 1 Openwhyd | 1 Openwhyd | 2022-10-27 | 6.1 Medium |
| openwhyd is vulnerable to Improper Authorization | ||||
| CVE-2021-25399 | 1 Samsung | 1 Smart Manager | 2022-10-25 | 7.1 High |
| Improper configuration in Smart Manager prior to version 11.0.05.0 allows attacker to access the file with system privilege. | ||||
| CVE-2021-25382 | 1 Google | 1 Android | 2022-10-25 | 5.5 Medium |
| An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command. | ||||
| CVE-2021-27663 | 1 Johnsoncontrols | 2 Ac2000, Ac2000 Firmware | 2022-10-25 | 9.8 Critical |
| A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access to the system without adequate authorization. This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3; 10.4; 10.5. | ||||
| CVE-2021-21362 | 1 Minio | 1 Minio | 2022-10-21 | 6.5 Medium |
| MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO. | ||||
| CVE-2020-24403 | 1 Magento | 1 Magento | 2022-10-21 | 2.7 Low |
| Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API. | ||||
| CVE-2020-24404 | 1 Magento | 1 Magento | 2022-10-21 | 2.7 Low |
| Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization. | ||||
| CVE-2020-24405 | 1 Magento | 1 Magento | 2022-10-21 | 4.3 Medium |
| Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization. | ||||
| CVE-2020-15087 | 1 Prestosql | 1 Presto | 2022-10-21 | 8.8 High |
| In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure. This only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver. This vulnerability has been fixed in version 337. Additionally, this issue can be mitigated by blocking network access to internal APIs on the coordinator and workers. | ||||
| CVE-2020-15084 | 1 Auth0 | 1 Express-jwt | 2022-10-21 | 9.1 Critical |
| In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0. | ||||
| CVE-2020-10716 | 2 Redhat, Theforeman | 3 Satellite, Satellite Capsule, Foreman Ansible | 2022-10-21 | 6.5 Medium |
| A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. This flaw affects tfm-rubygem-foreman_ansible versions before 4.0.3.4. | ||||
| CVE-2022-36870 | 1 Samsung | 2 Samsung Pay, Samsung Pay Kr | 2022-10-01 | 6.5 Medium |
| Pending Intent hijacking vulnerability in MTransferNotificationManager in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent. | ||||
| CVE-2022-36871 | 1 Samsung | 2 Samsung Pay, Samsung Pay Kr | 2022-10-01 | 6.5 Medium |
| Pending Intent hijacking vulnerability in NotiCenterUtils in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent. | ||||
| CVE-2022-36872 | 1 Samsung | 2 Samsung Pay, Samsung Pay Kr | 2022-10-01 | 6.5 Medium |
| Pending Intent hijacking vulnerability in SpayNotification in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent. | ||||
| CVE-2017-0892 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 3.5 Low |
| Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file. | ||||