Total
542 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-42330 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2022-08-12 | 8.8 High |
| The “Teacher Edit” function of ShinHer StudyOnline System does not perform authority control. After logging in with user’s privilege, remote attackers can access and edit other users’ credential and personal information by crafting URL parameters. | ||||
| CVE-2021-42331 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2022-08-12 | 5.4 Medium |
| The “Study Edit” function of ShinHer StudyOnline System does not perform permission control. After logging in with user’s privilege, remote attackers can access and edit other users’ tutorial schedule by crafting URL parameters. | ||||
| CVE-2021-42332 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2022-08-12 | 4.3 Medium |
| The “List View” function of ShinHer StudyOnline System is not under authority control. After logging in with user’s privilege, remote attackers can access the content of other users’ message boards by crafting URL parameters. | ||||
| CVE-2021-42336 | 1 Huaju | 1 Easytest Online Learning Test Platform | 2022-08-12 | 4.3 Medium |
| The learning history page of the Easytest is vulnerable by permission bypass. After obtaining a user’s permission, remote attackers can access other users’ and administrator’s account information except password by crafting URL parameters. | ||||
| CVE-2022-33722 | 1 Google | 1 Android | 2022-08-11 | 3.3 Low |
| Implicit Intent hijacking vulnerability in Smart View prior to SMR Aug-2022 Release 1 allows attacker to access connected device MAC address. | ||||
| CVE-2021-42126 | 1 Ivanti | 1 Avalanche | 2022-08-09 | 8.8 High |
| An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation. | ||||
| CVE-2021-42338 | 1 4mosan | 1 Gcb Doctor | 2022-08-09 | 9.8 Critical |
| 4MOSAn GCB Doctor’s login page has improper validation of Cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in cookie, and arbitrarily manipulate the system or interrupt services by upload and execution of arbitrary files. | ||||
| CVE-2021-42337 | 1 Aifu | 1 Cashier Accounting Management System | 2022-08-09 | 4.3 Medium |
| The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL parameters. | ||||
| CVE-2021-41308 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2022-08-09 | 6.5 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1. | ||||
| CVE-2021-43847 | 1 Humhub | 1 Humhub | 2022-08-09 | 6.5 Medium |
| HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue. | ||||
| CVE-2021-44204 | 2 Acronis, Microsoft | 5 Agent, Cyber Protect, Cyber Protect Home Office and 2 more | 2022-08-09 | 7.8 High |
| Local privilege escalation via named pipe due to improper access control checks. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acronis Cyber Protect Home Office (Windows) before build 39612, Acronis True Image 2021 (Windows) before build 39287 | ||||
| CVE-2021-42000 | 1 Pingidentity | 1 Pingfederate | 2022-08-09 | 6.5 Medium |
| When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password. | ||||
| CVE-2021-43939 | 1 Smartptt | 1 Smartptt Scada | 2022-08-09 | 8.8 High |
| Elcomplus SmartPTT is vulnerable when a low-authenticated user can access higher level administration authorization by issuing requests directly to the desired endpoints. | ||||
| CVE-2022-26310 | 1 Pandorafms | 1 Pandora Fms | 2022-08-05 | 8.8 High |
| Pandora FMS v7.0NG.760 and below allows an improper authorization in User Management where any authenticated user with access to the User Management module could create, modify or delete any user with full admin privilege. The impact could lead to a vertical privilege escalation to access the privileges of a higher-level user or typically an admin user. | ||||
| CVE-2020-17517 | 1 Apache | 1 Ozone | 2022-08-05 | 7.5 High |
| The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release. | ||||
| CVE-2021-32620 | 1 Xwiki | 1 Xwiki | 2022-08-05 | 8.8 High |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 11.10.13, 12.6.7, and 12.10.2, a user disabled on a wiki using email verification for registration canouldre-activate themself by using the activation link provided for his registration. The problem has been patched in the following versions of XWiki: 11.10.13, 12.6.7, 12.10.2, 13.0. It is possible to workaround the issue by resetting the `validkey` property of the disabled XWiki users. This can be done by editing the user profile with object editor. | ||||
| CVE-2021-32619 | 1 Deno | 1 Deno | 2022-08-05 | 9.8 Critical |
| Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2. | ||||
| CVE-2021-39341 | 1 Optinmonster | 1 Optinmonster | 2022-08-05 | 8.2 High |
| The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4. | ||||
| CVE-2022-2595 | 1 Kromit | 1 Titra | 2022-08-05 | 10.0 Critical |
| Improper Authorization in GitHub repository kromitgmbh/titra prior to 0.79.1. | ||||
| CVE-2021-32523 | 1 Qsan | 1 Storage Manager | 2022-08-04 | 7.2 High |
| Improper authorization vulnerability in QSAN Storage Manager allows remote privileged users to bypass the access control and execute arbitrary commands. Suggest contacting with QSAN and refer to recommendations in QSAN Document. | ||||