1849 matches found
CVE-2023-32230
An improper handling of a malformed API request to an API server in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation...
CVE-2023-28377
Improper authentication in some Intel(R) NUC Kit NUC11PH USB firmware installation software before version 1.1 for Windows may allow an authenticated user to potentially enable escalation of privilege via local access...
CVE-2023-27964
An authentication issue was addressed with improved state management. This issue is fixed in AirPods Firmware Update 5E133. When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source...
CVE-2023-3510
The FTP Access WordPress plugin through 1.0 does not have authorisation and CSRF checks when updating its settings and is missing sanitisation as well as escaping in them, allowing any authenticated user, such as a subscriber, to update them with XSS payloads, which will be triggered when an admin...
CVE-2023-2796
The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventonicsdownload ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id...
CVE-2023-48849
Ruijie EG Series Routers version EG3.01B11P216 and before allows unauthenticated attackers to remotely execute arbitrary code due to incorrect filtering...
CVE-2022-2382
The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lacks authorisation in some of its AJAX actions, allowing any authenticated user, such as a subscriber, to call them. One in particular could allow them to delete arbitrary blog options...
CVE-2022-2531
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was not performing correct authentication on Grafana API under specific conditions allowing...
CVE-2022-47606
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Tim Stephenson WP-CORS plugin <= 0.2.1 versions...
CVE-2022-22847
Formpipe Lasernet before 9.13.3 allows file inclusion in Client Web Services either by an authenticated attacker, or in a configuration that does not require authentication...
CVE-2022-22671
An authentication issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access to an iOS device may be able to access photos from the lock screen...
CVE-2022-41807
Missing authorization vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to alter the product settings without authentication by sending a specially crafted request. Affected products/versions are as follows: TASKalfa 7550ci/6550ci,...
CVE-2022-33138
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). Affected devices do not perform authentication f...
CVE-2022-4103
The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated user, such as a subscriber, to create a post, as well as any post type with an...
CVE-2022-41965
Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 12.5, Opencast's Paella authentication page could be used to redirect to an arbitrary URL for authenticated users. The vulnerability allows attackers to redirect users to...
CVE-2022-22656
An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A local attacker may be able to view the previously logged-in user’s desktop from the fast user switching screen...
CVE-2022-41672
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API...
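The defect behind CVE-2022-41672 is a session that is validated only when it is issued: once the cookie exists, deactivating the account changes nothing until the cookie expires. The following is an added example, not Airflow's own code, showing that behaviour beside a store that re-checks account state on every request and bumps a per-user session generation on deactivation, so that old cookies stay dead even after the account is reactivated. The user records, the token format, the password hashing and the scenario in `demo()` are constructed for the example.

```python
"""
Added example, not Airflow's code: a session store that re-checks account
state on every request. User records, the token format and the password
hashing are assumptions made for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    # Bumped whenever every existing session must die (deactivation, password
    # change, "log out everywhere"); a session records the value it was issued under.
    session_generation: int = 0


@dataclass
class Session:
    username: str
    generation: int


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self, recheck_on_request: bool) -> None:
        # False reproduces the behaviour described in the advisory: the session
        # cookie alone proves identity until it expires.
        self.recheck_on_request = recheck_on_request
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not user.active:
            return None
        if not hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.session_generation)
        return token

    def deactivate(self, username: str) -> None:
        user = self.users[username]
        user.active = False
        user.session_generation += 1      # invalidates every session issued so far

    def reactivate(self, username: str) -> None:
        self.users[username].active = True  # old sessions stay dead: the generation moved on

    def current_user(self, token: str) -> Optional[str]:
        """Identity behind a request's session cookie, or None if not signed in."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if not self.recheck_on_request:
            return sess.username              # trusts a cookie issued before deactivation
        user = self.users.get(sess.username)
        if user is None or not user.active or sess.generation != user.session_generation:
            self.sessions.pop(token, None)    # evict so the stale cookie is not re-tried
            return None
        return sess.username


def demo(recheck_on_request: bool) -> dict:
    """Constructed scenario: alice logs in, an admin deactivates her, her old
    cookie is presented again, then the account is reactivated."""
    svc = AuthService(recheck_on_request)
    svc.add_user("alice", "correct horse")
    token = svc.login("alice", "correct horse")
    result = {"before_deactivation": svc.current_user(token)}
    svc.deactivate("alice")
    result["after_deactivation"] = svc.current_user(token)
    result["relogin_while_inactive"] = svc.login("alice", "correct horse")
    svc.reactivate("alice")
    result["old_cookie_after_reactivation"] = svc.current_user(token)
    result["new_login_after_reactivation"] = svc.login("alice", "correct horse") is not None
    return result


if __name__ == "__main__":
    print("login-time check only:", demo(False))
    print("re-check on every request:", demo(True))
```

With `recheck_on_request=False` the deactivated account keeps working from its existing cookie; with it set to `True` the same cookie is rejected on the next request, and because the generation was bumped it stays rejected after the account is turned back on. The same check belongs in front of API-token authentication, not only the browser session.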
CVE-2022-33946
Improper authentication in the Intel(R) SUR software before version 2.4.8902 may allow an authenticated user to potentially enable escalation of privilege via local access...
CVE-2022-32557
An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers...
CVE-2022-3247
The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated user, such as a subscriber, could perform SSRF attacks...
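The entry above names two missing controls: a capability check on the AJAX action and a check that the target is genuinely external before the server fetches it. The following is an added example in Python, not the plugin's code, that puts the described handler beside a hardened one. The hardened version requires a capability, accepts only http/https, resolves the hostname and rejects any answer that is not a public address (loopback, RFC 1918, link-local including 169.254.169.254, IPv4-mapped IPv6), and then pins the connection to the address it validated. The capability names, the fake DNS table and the fake fetcher are constructed for the demo.

```python
"""
Added example, not the plugin's code: the authorisation and external-URL
checks the advisory says were missing. Capability names, the DNS table and
the fetcher are assumptions made for the demo.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]
Fetcher = Callable[[str, Optional[str]], str]   # (url, pinned_ip) -> body


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup (A and AAAA), used when no test resolver is injected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so the IPv4 range checks apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.169.254,
    # the cloud metadata address), CGNAT, multicast, reserved and doc ranges.
    return ip.is_global and not ip.is_unspecified


def validate_external_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Return the public IP to connect to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    if host == "localhost" or host.endswith(".localhost"):
        raise ValueError("localhost not allowed")
    try:                                   # literal IP: no DNS needed
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    # Every answer must be public: one internal A record among several is
    # enough for the HTTP client to end up inside the network.
    for addr in addrs:
        if not _is_public(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return addrs[0]


def vulnerable_ajax_fetch(user: Dict, url: str, fetch: Fetcher, resolver: Resolver) -> str:
    """What the advisory describes: any logged-in user, any URL, no checks."""
    return fetch(url, None)


def hardened_ajax_fetch(user: Dict, url: str, fetch: Fetcher, resolver: Resolver) -> str:
    if "manage_options" not in user.get("capabilities", ()):   # assumed capability name
        raise PermissionError("insufficient capability")
    ip = validate_external_url(url, resolver)
    # Connect to the address that was validated, so a DNS answer that changes
    # between check and use (rebinding) cannot redirect the request inward.
    return fetch(url, ip)


# Constructed test fixtures: a fake DNS table and a fetcher that never connects.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str, ip: Optional[str]) -> str:
    return f"GET {url} -> {ip}"


SUBSCRIBER = {"name": "sub", "capabilities": {"read"}}
ADMIN = {"name": "adm", "capabilities": {"read", "manage_options"}}


def run_case(handler, user: Dict, url: str) -> str:
    """Return the fetched body, or the name of the exception the handler raised."""
    try:
        return handler(user, url, fake_fetch, fake_resolver)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for url in ("http://example.com/feed", "http://169.254.169.254/latest/meta-data/",
                "http://internal.corp/", "http://dual.example/", "file:///etc/passwd"):
        print(url, "| vulnerable:", run_case(vulnerable_ajax_fetch, SUBSCRIBER, url),
              "| hardened:", run_case(hardened_ajax_fetch, ADMIN, url))
```

Two caveats the fake fetcher does not exercise: a real HTTP client must re-run `validate_external_url` on every redirect target rather than following 3xx responses automatically, and the pinned address has to be what the socket actually connects to (with the original hostname still sent in `Host` and SNI), otherwise the resolve-then-connect gap remains.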