1080 matches found

CNNVD
added 2022/11/09 12:00 a.m. · 3 views

SAMSUNG Mobile devices security vulnerability

SAMSUNG Mobile devices are a range of Samsung mobile devices, including cell phones, tablets, and more, from South Korea's Samsung (SAMSUNG). A security vulnerability exists in SAMSUNG Mobile devices SMR Nov-2022 Release 1 version, which stems from an improper authorization vulnerability in...

CVSS 7.8 · AI score 7.3 · EPSS 0.00086
Exploits 0 · References 2
Positive Technologies
added 2022/11/01 12:00 a.m. · 3 views

PT-2022-6023 · Fortinet · Fortios

Name of the Vulnerable Software and Affected Versions: FortiOS versions 7.0.0 through 7.0.7; FortiOS version 7.2.0. Description: The issue is related to improper access control, which may allow a remote authenticated read-only user to modify interface settings via the API. This could potentially be...

CVSS 4.3 · AI score 4.4 · EPSS 0.22991
Exploits 0 · References 5
Positive Technologies
added 2022/10/18 12:00 a.m. · 5 views

PT-2022-21777 · Mcafee · Mcafee Epo

Name of the Vulnerable Software and Affected Versions: McAfee ePO versions prior to 5.10 Update 14. Description: The issue allows an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack by exploiting an External XML Entity (XXE) vulnerability. This can be done ...

CVSS 5.4 · AI score 5.6 · EPSS 0.00457
Exploits 0 · References 3
ATTACKERKB
added 2022/10/07 7:15 a.m. · 2 views

CVE-2022-41672

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API...

CVSS 8.1 · AI score 7.3 · EPSS 0.01197
Exploits 0 · References 3
OSV
added 2022/09/29 12:00 a.m. · 1 view

UBUNTU-CVE-2022-3100

A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API...

CVSS 5.9 · AI score 6.5 · EPSS 0.00433
Exploits 0 · References 3
NVD
added 2022/09/28 2:15 p.m. · 9 views

CVE-2022-22526

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a missing authentication allows for full access via API...

CVSS 9.8 · EPSS 0.007
Exploits 0 · References 1
CVE
added 2022/09/28 1:45 p.m. · 566 views

CVE-2022-22526

CVE-2022-22526 affects Carlo Gavazzi UWP3.0 and CPY Car Park Server (v2.8.3). The root cause is a missing authentication mechanism that allows full access via the API, enabling unauthorized control or data access. Public sources in connected documents describe an access control error leading to r...

CVSS 9.8 · AI score 9.7 · EPSS 0.007
Exploits 0 · References 1 · Affected Software 1
CNNVD
added 2022/09/28 12:00 a.m. · 2 views

Carlo Gavazzi UWP access control error vulnerability

Carlo Gavazzi UWP is a monitoring and control Universal Web Platform from Carlo Gavazzi, for applications such as building automation, energy efficiency performance management, and parking lot guidance. Carlo Gavazzi UWP 3.0 suffers from an Access Control Error vulnerability that stems from a lac...

CVSS 9.8 · AI score 8.3 · EPSS 0.007
Exploits 0 · References 2
Positive Technologies
added 2022/09/21 12:00 a.m. · 3 views

PT-2022-25756 · Jenkins · Jenkins Walti Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Walti Plugin versions 1.0.1 and earlier. Description: The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the plugin does not escape the information provided by the Walti API, making it exploitabl...

CVSS 7.5 · AI score 5.2 · EPSS 0.00456
Exploits 0 · References 8
CVE
added 2022/09/14 5:55 p.m. · 280 views

CVE-2022-35946

GLPI vulnerability CVE-2022-35946 is a misvalidation in the plugin controller that can expose the low-level Plugin class API. An attacker with General setup rights can alter database data via this input handling flaw. The recommended fix is upgrading GLPI to version 10.0.3; as a workaround, remov...

CVSS 6.5 · AI score 6.1 · EPSS 0.00667
Exploits 0 · References 2 · Affected Software 1
OSV
added 2022/09/13 5:05 p.m. · 1 view

CVE-2022-36103 Talos worker join token can be used to get elevated access level to the Talos API

Talos Linux is a Linux distribution built for Kubernetes deployments. Talos worker nodes use a join token to get accepted into the Talos cluster. Due to improper validation of the request while signing a worker node CSR (certificate signing request), a Talos control plane node might issue Talos API...

CVSS 7.2 · AI score 6.5 · EPSS 0.00509
Exploits 0 · References 5
Positive Technologies
added 2022/09/13 12:00 a.m. · 4 views

PT-2022-4910 · Talos · Talos

Name of the Vulnerable Software and Affected Versions: Talos versions prior to 1.2.2. Description: The issue is related to improper validation of the request while signing a worker node CSR, which might allow a Talos control plane node to issue a Talos API certificate with full access to the Talos...

CVSS 9 · AI score 6.2 · EPSS 0.00509
Exploits 0 · References 9
Positive Technologies
added 2022/09/13 12:00 a.m. · 4 views

PT-2022-24563 · Transtek · Transtek Mojodat Fam

Name of the Vulnerable Software and Affected Versions: Transtek Mojodat FAM (Fixed Asset Management) version 2.4.6. Description: The issue allows remote attackers to send SCRIPT tags as injected input to the API request, potentially leading to security issues. Recommendations: For version 2.4.6,...

CVSS 9.8 · AI score 9.3 · EPSS 0.00989
Exploits 0 · References 4
Vulnrichment
added 2022/09/07 1:50 p.m. · 7 views

CVE-2022-31149 ActivityWatch vulnerable to DNS rebinding attack

ActivityWatch is an open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker full access to the ActivityWatch REST API. Users should upgrade to v0.12.0b2 or later to receive a...

CVSS 8.8 · AI score 9.4 · EPSS 0.00937
Exploits 1 · References 3
CNNVD
added 2022/09/07 12:00 a.m. · 3 views

Rancher Labs Rancher information disclosure vulnerability

Rancher Labs Rancher is a suite of open source, enterprise-grade container management platforms from Rancher Labs, Inc. in the United States. An information disclosure vulnerability exists in Rancher for SUSE versions 2.5.0 through 2.5.12 and 2.6.0 through 2.6.3, which stems from the explicit...

CVSS 9.9 · AI score 8.2 · EPSS 0.0063
Exploits 0 · References 3
OSV
added 2022/08/26 4:15 p.m. · 4 views

CVE-2021-20260

A flaw was found in the Foreman project. The Datacenter plugin exposes the password through the API to an authenticated local attacker with viewhosts permission. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 7.8 · AI score 5.8 · EPSS 0.002
Exploits 0 · References 2
NVD
added 2022/08/25 11:15 p.m. · 11 views

CVE-2022-37316

Archer Platform 6.8 before 6.11 P3 (6.11.0.3) contains an improper API access control vulnerability in a multi-instance system that could potentially present unauthorized metadata to an authenticated user of the affected system. 6.10 P3 HF1 (6.10.0.3.1) is also a fixed release...

CVSS 6.5 · EPSS 0.00561
Exploits 0 · References 2
Prion
added 2022/08/25 11:15 p.m. · 25 views

Improper access control

Archer Platform 6.8 before 6.11 P3 (6.11.0.3) contains an improper API access control vulnerability in a multi-instance system that could potentially present unauthorized metadata to an authenticated user of the affected system. 6.10 P3 HF1 (6.10.0.3.1) is also a fixed release...

CVSS 4 · AI score 6.3 · EPSS 0.00561
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2022/08/25 10:49 p.m. · 15 views

CVE-2022-37316

Archer Platform 6.8 before 6.11 P3 (6.11.0.3) contains an improper API access control vulnerability in a multi-instance system that could potentially present unauthorized metadata to an authenticated user of the affected system. 6.10 P3 HF1 (6.10.0.3.1) is also a fixed release...

CVSS 6.5 · AI score 6.5 · EPSS 0.00561
Exploits 0 · References 2
NVD
added 2022/08/16 6:15 p.m. · 8 views

CVE-2022-38184

There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs...

CVSS 7.5 · EPSS 0.00851
Exploits 0 · References 1