Total
880 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-0732 | 1 1byte | 9 Copy9, Exactspy, Fonetracker and 6 more | 2024-11-21 | 7.5 High |
| The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. | ||||
| CVE-2022-0731 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 6.5 Medium |
| Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0. | ||||
| CVE-2022-0691 | 2 Redhat, Url-parse Project | 2 Rhmt, Url-parse | 2024-11-21 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9. | ||||
| CVE-2022-0686 | 2 Redhat, Url-parse Project | 2 Rhmt, Url-parse | 2024-11-21 | 9.1 Critical |
| Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8. | ||||
| CVE-2022-0639 | 2 Redhat, Url-parse Project | 2 Rhmt, Url-parse | 2024-11-21 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7. | ||||
| CVE-2022-0624 | 1 Parse-path Project | 1 Parse-path | 2024-11-21 | 7.3 High |
| Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0. | ||||
| CVE-2022-0613 | 3 Fedoraproject, Redhat, Uri.js Project | 6 Fedora, Acm, Enterprise Linux and 3 more | 2024-11-21 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8. | ||||
| CVE-2022-0512 | 2 Redhat, Url-parse Project | 2 Rhmt, Url-parse | 2024-11-21 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6. | ||||
| CVE-2022-0442 | 1 Ayecode | 1 Userswp | 2024-11-21 | 4.3 Medium |
| The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar. | ||||
| CVE-2022-0266 | 1 Livehelperchat | 1 Live Helper Chat | 2024-11-21 | 6.6 Medium |
| Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v. | ||||
| CVE-2021-4142 | 2 Candlepinproject, Redhat | 4 Candlepin, Satellite, Satellite Capsule and 1 more | 2024-11-21 | 5.5 Medium |
| The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin. | ||||
| CVE-2021-46416 | 1 Sma | 2 Sunny Tripower, Sunny Tripower Firmware | 2024-11-21 | 8.1 High |
| Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling. | ||||
| CVE-2021-46249 | 1 Scratchoauth2 Project | 1 Scratchoauth2 | 2024-11-21 | 6.5 Medium |
| An authorization bypass exploited by a user-controlled key in SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504cd3b92cf089fdd366dd40775d6 allows app owners to set flags that indicate whether an app is verified on their own apps. | ||||
| CVE-2021-45428 | 1 Telesquare | 2 Tlr-2005ksh, Tlr-2005ksh Firmware | 2024-11-21 | 9.8 Critical |
| TLR-2005KSH is affected by an incorrect access control vulnerability. THe PUT method is enabled so an attacker can upload arbitrary files including HTML and CGI formats. | ||||
| CVE-2021-44949 | 1 Glfusion | 1 Glfusion | 2024-11-21 | 9.8 Critical |
| glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php. | ||||
| CVE-2021-44836 | 1 Deltarm | 1 Delta Rm | 2024-11-21 | 4.3 Medium |
| An issue was discovered in Delta RM 1.2. The /risque/risque/workflow/reset endpoint is lacking access controls, and it is possible for an unprivileged user to reopen a risk with a POST request, using the risqueID parameter to identify the risk to be re-opened. | ||||
| CVE-2021-44160 | 1 Cth | 1 Carinal Tien Hospital Health Report System | 2024-11-21 | 7.3 High |
| Carinal Tien Hospital Health Report System’s login page has improper authentication, a remote attacker can acquire another general user’s privilege by modifying the cookie parameter without authentication. The attacker can then perform limited operations on the system or modify data, making the service partially unavailable to the user. | ||||
| CVE-2021-43957 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 7.5 High |
| Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding. The affected versions are before version 4.8.9. | ||||
| CVE-2021-43828 | 1 Patrowl | 1 Patrowlmanager | 2024-11-21 | 7.5 High |
| PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.77 an improper privilege management (IDOR) has been found in PatrowlManager. All imports findings file is placed under /media/imports/<owner_id>/<tmp_file> In that, owner_id is predictable and tmp_file is in format of import_<ownder_id>_<time_created>, for example: import_1_1639213059582.json This filename is predictable and allows anyone without logging in to download all finding import files This vulnerability is capable of allowing unlogged in users to download all finding imports file. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds. | ||||
| CVE-2021-43820 | 1 Seafile | 1 Seafile Server | 2024-11-21 | 7.4 High |
| Seafile is an open source cloud storage system. A sync token is used in Seafile file syncing protocol to authorize access to library data. To improve performance, the token is cached in memory in seaf-server. Upon receiving a token from sync client or SeaDrive client, the server checks whether the token exist in the cache. However, if the token exists in cache, the server doesn't check whether it's associated with the specific library in the URL. This vulnerability makes it possible to use any valid sync token to access data from any **known** library. Note that the attacker has to first find out the ID of a library which it has no access to. The library ID is a random UUID, which is not possible to be guessed. There are no workarounds for this issue. | ||||