| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2023-22473 |
284 |
|
Bypass |
2023-01-09 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Talk-Android enables users to have video & audio calls through Nextcloud on Android. Due to passcode bypass, an attacker is able to access the user's Nextcloud files and view conversations. To exploit this the attacker needs to have physical access to the target's device. There are currently no known workarounds available. It is recommended that the Nextcloud Talk Android app is upgraded to 15.0.2. |
|
2 |
CVE-2023-0451 |
284 |
|
|
2023-01-26 |
2023-01-26 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
All versions of Econolite EOS traffic control software are vulnerable to CWE-284: Improper Access Control, and lack a password requirement for gaining “READONLY” access to log files, as well as certain database and configuration files. One such file contains tables with message-digest algorithm 5 (MD5) hashes and usernames for all defined users in the control software, including administrators and technicians. |
|
3 |
CVE-2023-0017 |
284 |
|
|
2023-01-10 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable. |
|
4 |
CVE-2023-0012 |
284 |
|
+Priv |
2023-01-10 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In SAP Host Agent (Windows) - versions 7.21, 7.22, an attacker who gains local membership to SAP_LocalAdmin could be able to replace executables with a malicious file that will be started under a privileged account. Note that by default all user members of SAP_LocaAdmin are denied the ability to logon locally by security policy so that this can only occur if the system has already been compromised. |
|
5 |
CVE-2022-46664 |
284 |
|
|
2022-12-13 |
2023-01-10 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability has been identified in Mendix Workflow Commons (All versions < V2.4.0), Mendix Workflow Commons V2.1 (All versions < V2.1.4), Mendix Workflow Commons V2.3 (All versions < V2.3.2). Affected versions of the module improperly handle access control for some module entities. This could allow authenticated remote attackers to read or delete sensitive information. |
|
6 |
CVE-2022-46331 |
284 |
|
|
2023-01-18 |
2023-01-25 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An unauthorized user could possibly delete any file on the system. |
|
7 |
CVE-2022-43494 |
284 |
|
|
2023-01-18 |
2023-01-25 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An unauthorized user could be able to read any file on the system, potentially exposing sensitive information. |
|
8 |
CVE-2022-41654 |
284 |
|
Bypass |
2022-12-22 |
2022-12-29 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability. |
|
9 |
CVE-2022-41261 |
284 |
|
|
2022-12-12 |
2022-12-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
SAP Solution Manager (Diagnostic Agent) - version 7.20, allows an authenticated attacker on Windows system to access a file containing sensitive data which can be used to access a configuration file which contains credentials to access other system files. Successful exploitation can make the attacker access files and systems for which he/she is not authorized. |
|
10 |
CVE-2022-36024 |
284 |
|
|
2022-08-18 |
2022-12-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version. |
|
11 |
CVE-2022-34255 |
284 |
|
|
2022-08-16 |
2022-10-26 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account could leverage this vulnerability to perform an account takeover for a victim. Exploitation of this issue does not require user interaction. |
|
12 |
CVE-2022-31024 |
284 |
|
|
2022-06-02 |
2022-06-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
richdocuments is the repository for NextCloud Collabra, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarounds available. |
|
13 |
CVE-2022-29417 |
284 |
|
|
2022-04-25 |
2022-05-03 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings. |
|
14 |
CVE-2022-29160 |
284 |
|
|
2022-05-20 |
2022-06-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user related details exist after deletion of a user account. This could result in misuse of the former account holder's information. Nextcloud Android version 3.19.0 contains a patch for this issue. There are no known workarounds available. |
|
15 |
CVE-2022-27805 |
284 |
|
Bypass |
2022-10-25 |
2022-10-26 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An authentication bypass vulnerability exists in the GHOME control functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted network request can lead to arbitrary XCMD execution. An attacker can send a malicious XML payload to trigger this vulnerability. |
|
16 |
CVE-2022-27660 |
284 |
|
DoS |
2022-08-05 |
2022-08-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A denial of service vulnerability exists in the confctl_set_guest_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability. |
|
17 |
CVE-2022-23513 |
284 |
|
|
2022-12-23 |
2022-12-30 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists. |
|
18 |
CVE-2022-21950 |
284 |
|
|
2022-09-07 |
2023-01-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A Improper Access Control vulnerability in the systemd service of cana in openSUSE Backports SLE-15-SP3, openSUSE Backports SLE-15-SP4 allows local users to hijack the UNIX domain socket This issue affects: openSUSE Backports SLE-15-SP3 canna versions prior to canna-3.7p3-bp153.2.3.1. openSUSE Backports SLE-15-SP4 canna versions prior to 3.7p3-bp154.3.3.1. openSUSE Factory was also affected. Instead of fixing the package it was deleted there. |
|
19 |
CVE-2022-21947 |
284 |
|
|
2022-04-01 |
2022-04-11 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
A Improper Access Control vulnerability in Rancher Desktop of SUSE allows attackers in the local network to connect to the Dashboard API (steve) to carry out arbitrary actions. This issue affects: SUSE Rancher Desktop versions prior to V. |
|
20 |
CVE-2022-4814 |
284 |
|
|
2022-12-28 |
2023-01-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. |
|
21 |
CVE-2022-4810 |
284 |
|
|
2022-12-28 |
2023-01-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. |
|
22 |
CVE-2022-4809 |
284 |
|
|
2022-12-28 |
2023-01-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. |
|
23 |
CVE-2022-4807 |
284 |
|
|
2022-12-28 |
2023-01-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. |
|
24 |
CVE-2022-4724 |
284 |
|
|
2022-12-27 |
2023-01-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5. |
|
25 |
CVE-2022-4711 |
284 |
|
|
2023-01-10 |
2023-01-14 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_mega_menu_settings' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to enable and modify Mega Menu settings for any menu item. |
|
26 |
CVE-2022-4709 |
284 |
|
|
2023-01-10 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_library_template' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import and activate templates from the plugin's template library. |
|
27 |
CVE-2022-4708 |
284 |
|
|
2023-01-10 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_template_conditions' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to modify the conditions under which templates are displayed. |
|
28 |
CVE-2022-4705 |
284 |
|
|
2023-01-10 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_final_settings_setup' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to finalize activation of preset site configuration templates, which can be chosen and imported via a separate action documented in CVE-2022-4704. |
|
29 |
CVE-2022-4704 |
284 |
|
|
2023-01-10 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_templates_kit' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import preset site configuration templates including images and settings. |
|
30 |
CVE-2022-4703 |
284 |
|
|
2023-01-10 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_reset_previous_import' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to reset previously imported data. |
|
31 |
CVE-2022-4702 |
284 |
|
|
2023-01-10 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_fix_royal_compatibility' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to deactivate every plugin on the site unless it is part of an extremely limited hardcoded selection. This also switches the site to the 'royal-elementor-kit' theme, potentially resulting in availability issues. |
|
32 |
CVE-2022-4700 |
284 |
|
|
2023-01-10 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_theme' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'royal-elementor-kit' theme. If no such theme is installed doing so can also impact site availability as the site attempts to load a nonexistent theme. |
|
33 |
CVE-2022-4689 |
284 |
|
|
2022-12-23 |
2022-12-30 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0. |
|
34 |
CVE-2022-4685 |
284 |
|
|
2022-12-23 |
2022-12-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0. |
|
35 |
CVE-2022-4684 |
284 |
|
|
2022-12-23 |
2022-12-30 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0. |
|
36 |
CVE-2022-4567 |
284 |
|
|
2022-12-17 |
2022-12-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2. |
|
37 |
CVE-2022-4505 |
284 |
|
|
2022-12-15 |
2022-12-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2. |
|
38 |
CVE-2022-4229 |
284 |
|
|
2022-11-30 |
2023-01-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability classified as critical was found in SourceCodester Book Store Management System 1.0. This vulnerability affects unknown code of the file /bsms_ci/index.php. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214588. |
|
39 |
CVE-2022-3923 |
284 |
|
|
2023-01-09 |
2023-01-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The ActiveCampaign for WooCommerce WordPress plugin through 1.9.6 does not have authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated users, such as subscriber to call it and remove error logs. |
|
40 |
CVE-2022-3770 |
284 |
|
|
2022-10-31 |
2022-11-01 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability classified as critical was found in Yunjing CMS. This vulnerability affects unknown code of the file /index/user/upload_img.html. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212500. |
|
41 |
CVE-2022-3735 |
284 |
|
|
2022-10-28 |
2022-10-31 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability was found in seccome Ehoney. It has been rated as critical. This issue affects some unknown processing of the file /api/public/signup. The manipulation leads to improper access controls. The identifier VDB-212417 was assigned to this vulnerability. |
|
42 |
CVE-2022-3458 |
284 |
|
|
2022-10-12 |
2022-10-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability has been found in SourceCodester Human Resource Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /employeeview.php of the component Image File Handler. The manipulation leads to unrestricted upload. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-210559. |
|
43 |
CVE-2022-3225 |
284 |
|
|
2022-09-16 |
2022-09-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository budibase/budibase prior to 1.3.20. |
|
44 |
CVE-2022-3186 |
284 |
|
|
2022-12-21 |
2022-12-28 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the affected product allows an attacker to access the device’s main management page from the cloud. This feature enables users to remotely connect devices, however, the current implementation permits users to access other device's information. |
|
45 |
CVE-2022-2702 |
284 |
|
|
2022-08-08 |
2022-08-11 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability was found in SourceCodester Company Website CMS and classified as critical. Affected by this issue is some unknown functionality of the file site-settings.php of the component Cookie Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-205826 is the identifier assigned to this vulnerability. |
|
46 |
CVE-2022-2631 |
284 |
|
|
2022-08-02 |
2022-08-06 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper Access Control in GitHub repository tooljet/tooljet prior to v1.19.0. |
|
47 |
CVE-2022-2578 |
284 |
|
|
2022-07-29 |
2022-08-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability, which was classified as critical, has been found in SourceCodester Garage Management System 1.0. This issue affects some unknown processing of the file /php_action/createUser.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
|
48 |
CVE-2022-2088 |
284 |
|
|
2022-06-27 |
2022-07-07 |
6.8 |
None |
Remote |
Low |
??? |
None |
None |
Complete |
|
An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0. |
|
49 |
CVE-2022-1958 |
284 |
|
|
2022-06-15 |
2022-12-28 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A vulnerability classified as critical has been found in FileCloud. Affected is an unknown function of the component NTFS Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. Upgrading to version 21.3.5.18513 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-201960. |
|
50 |
CVE-2022-1656 |
284 |
|
|
2022-06-13 |
2022-06-17 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
Vulnerable versions of the JupiterX Theme (<=2.0.6) allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin (<=2.0.6). This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key. |
