Vulnerabilities (CVE)

Filtered by CWE-639
Total 845 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-1165 1 Plugin-planet 1 Blackhole For Bad Bots 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP, etc. to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abused by competitors to cause damage related to visibility in search engines, can be used to bypass arbitrary blocks caused by this plugin, and can block any visitor, or even the administrator, among other effects.
CVE-2022-0732 1 1byte 9 Copy9, Exactspy, Fonetracker and 6 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.
CVE-2022-0691 1 Url-parse Project 1 Url-parse 2024-11-21 7.5 HIGH 9.8 CRITICAL
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
CVE-2022-0686 1 Url-parse Project 1 Url-parse 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
CVE-2022-0639 1 Url-parse Project 1 Url-parse 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
CVE-2022-0624 1 Parse-path Project 1 Parse-path 2024-11-21 7.5 HIGH 7.3 HIGH
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
CVE-2022-0613 2 Fedoraproject, Uri.js Project 2 Fedora, Uri.js 2024-11-21 6.4 MEDIUM 6.5 MEDIUM
Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
CVE-2022-0512 1 Url-parse Project 1 Url-parse 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
CVE-2022-0442 1 Ayecode 1 Userswp 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged-in user to overwrite another user's avatar.
CVE-2022-0266 1 Livehelperchat 1 Live Helper Chat 2024-11-21 6.0 MEDIUM 6.6 MEDIUM
Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v.
CVE-2021-46416 1 Sma 2 Sunny Tripower, Sunny Tripower Firmware 2024-11-21 5.5 MEDIUM 8.1 HIGH
Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling.
CVE-2021-46249 1 Scratchoauth2 Project 1 Scratchoauth2 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
An authorization bypass exploited by a user-controlled key in SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504cd3b92cf089fdd366dd40775d6 allows app owners to set flags that indicate whether an app is verified on their own apps.
CVE-2021-45428 1 Telesquare 2 Tlr-2005ksh, Tlr-2005ksh Firmware 2024-11-21 7.5 HIGH 9.8 CRITICAL
TLR-2005KSH is affected by an incorrect access control vulnerability. The PUT method is enabled, so an attacker can upload arbitrary files including HTML and CGI formats.
CVE-2021-44949 1 Glfusion 1 Glfusion 2024-11-21 7.5 HIGH 9.8 CRITICAL
glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php.
CVE-2021-44836 1 Deltarm 1 Delta Rm 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Delta RM 1.2. The /risque/risque/workflow/reset endpoint is lacking access controls, and it is possible for an unprivileged user to reopen a risk with a POST request, using the risqueID parameter to identify the risk to be re-opened.
CVE-2021-43957 1 Atlassian 2 Crucible, Fisheye 2024-11-21 5.0 MEDIUM 7.5 HIGH
Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object Reference (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of URL decoding. The affected versions are before version 4.8.9.
CVE-2021-43828 1 Patrowl 1 Patrowlmanager 2024-11-21 5.0 MEDIUM 7.5 HIGH
PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.77 an improper privilege management (IDOR) has been found in PatrowlManager. All findings import files are placed under /media/imports/<owner_id>/<tmp_file>. In that path, owner_id is predictable and tmp_file is in the format import_<owner_id>_<time_created>, for example: import_1_1639213059582.json. This filename is predictable and allows anyone, without logging in, to download all findings import files. This vulnerability is capable of allowing unauthenticated users to download all findings import files. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds.
CVE-2021-43820 1 Seafile 1 Seafile Server 2024-11-21 4.3 MEDIUM 7.4 HIGH
Seafile is an open source cloud storage system. A sync token is used in the Seafile file syncing protocol to authorize access to library data. To improve performance, the token is cached in memory in seaf-server. Upon receiving a token from a sync client or SeaDrive client, the server checks whether the token exists in the cache. However, if the token exists in the cache, the server doesn't check whether it's associated with the specific library in the URL. This vulnerability makes it possible to use any valid sync token to access data from any **known** library. Note that the attacker has to first find out the ID of a library which it has no access to. The library ID is a random UUID, which cannot be guessed. There are no workarounds for this issue.
CVE-2021-41847 1 3xlogic 1 Infinias Access Control 2024-11-21 6.5 MEDIUM 8.8 HIGH
An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security. Users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests, allowing them to view user data such as personal information and Prox card credentials. Also, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are not authorized to access. They can also create new user logins for zones they were not authorized to access, including the root zone of the software.
CVE-2021-41608 1 Classapps 1 Selectsurvey.net 2024-11-21 5.0 MEDIUM 7.5 HIGH
A file disclosure vulnerability in the UploadedImageDisplay.aspx endpoint of SelectSurvey.NET before 5.052.000 allows a remote, unauthenticated attacker to retrieve survey user submitted data by modifying the value of the ID parameter in sequential order beginning from 1.