CWE-862 <span class="text-2xl md:text-3xl font-bold ml-2" style="color:var(--text-secondary)">— Missing Authorization

CVE-2022-27205MEDIUMCVSS 4.3EG 4.3

A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.

CVE-2022-27209MEDIUMCVSS 6.5EG 4.3

A missing permission check in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

CVE-2022-27211MEDIUMCVSS 6.5EG 7.1

A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-27215MEDIUMCVSS 4.3EG 4.3

A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained thro…

CVE-2022-2732HIGHCVSS 8.3EG 8.3

A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

2022-08-09

Missing Authorization in GitHub repository openemr/openemr prior to 7.0.0.1.

CVE-2022-27333HIGHCVSS 7.5EG 7.5

2022-03-21

idcCMS v1.10 was discovered to contain an issue which allows attackers to arbitrarily delete the install.lock file, resulting in a reset of the CMS settings and data.

CVE-2022-27480HIGHCVSS 7.5EG 7.5

2022-04-12

A vulnerability has been identified in SICAM A8000 CP-8031 (All versions < V4.80), SICAM A8000 CP-8050 (All versions < V4.80). Affected devices do not require an user to be authenticated to access certain files. This could allow unauthenti…

CVE-2022-27658HIGHCVSS 7.5EG 7.5

2022-03-28

Under certain conditions, SAP Innovation management - version 2.0, allows an attacker to access information which could lead to information gathering for further exploits and attacks.

CVE-2022-27669HIGHCVSS 7.5EG 7.5

2022-04-12

An unauthenticated user can use functions of XML Data Archiving Service of SAP NetWeaver Application Server for Java - version 7.50, to which access should be restricted. This may result in an escalation of privileges.

CVE-2022-27948HIGHCVSS 7.2EG 4.3

2022-03-27

Certain Tesla vehicles through 2022-03-26 allow attackers to open the charging port via a 315 MHz RF signal containing a fixed sequence of approximately one hundred symbols. NOTE: the vendor's perspective is that the behavior is as intended

CVE-2022-28134MEDIUMCVSS 5.4EG 5.4

CVE-2022-28137MEDIUMCVSS 4.3EG 4.3

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers.

CVE-2022-28139MEDIUMCVSS 4.3EG 4.3

A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

CVE-2022-28144MEDIUMCVSS 6.5EG 6.5

A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

CVE-2022-28147MEDIUMCVSS 4.3EG 4.3

Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password…

CVE-2022-28151MEDIUMCVSS 4.3EG 4.3

A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file s…

CVE-2022-28158MEDIUMCVSS 6.5EG 6.5

A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job.

CVE-2022-28165HIGHCVSS 8.8EG 8.8

A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

2022-05-06

A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they…

CVE-2022-2841LOWCVSS 2.7EG 2.7

2022-08-22

A vulnerability was found in CrowdStrike Falcon 6.31.14505.0/6.42.15610/6.44.15806. It has been classified as problematic. Affected is an unknown function of the component Uninstallation Handler. The manipulation leads to missing authoriza…

CVE-2022-2846MEDIUMCVSS 4.3EG 8.8

2022-08-16

The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allo…

CVE-2022-28789MEDIUMCVSS 6.2EG 5.5

2022-05-03

Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction. The patch adds proper permission for vulnerable activities.

CVE-2022-28866HIGHCVSS 8.8EG 8.8

2022-10-12

Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/* and /api…

CVE-2022-28993CRITICALCVSS 9.8EG 9.8

2022-05-20

Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request.

CVE-2022-29051MEDIUMCVSS 4.3EG 4.3

2022-04-12

Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.

CVE-2022-29154HIGHCVSS 7.4EG 7.4

2022-08-02

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync c…

CVE-2022-29176CRITICALCVSS 9.9EG 9.9

2022-05-05

Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to d…

CVE-2022-29330MEDIUMCVSS 4.9EG 4.9

2022-06-24

Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.

CVE-2022-29512MEDIUMCVSS 6.5EG 6.5

2022-07-11

Exposure of sensitive information to an unauthorized actor issue in multiple applications of Cybozu Garoon 4.0.0 to 5.9.1 allows a remote authenticated attacker to obtain the data without the viewing privilege.

CVE-2022-29611HIGHCVSS 8.8EG 8.8

2022-05-11

SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

CVE-2022-2985HIGHCVSS 7.8EG 7.8

2022-10-14

In music service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.

CVE-2022-2987HIGHCVSS 7.5EG 7.5

2022-09-26

The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowing unauthenticated attackers to update …

CVE-2022-29906CRITICALCVSS 9.8EG 9.8

2022-04-29

The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.

CVE-2022-3007HIGHCVSS 8.1EG 8.1

2023-10-31

The vulnerability exists in Syska SW100 Smartwatch due to an improper implementation and/or configuration of Nordic Device Firmware Update (DFU) which is used for performing Over-The-Air (OTA) firmware updates on the Bluetooth Low Energy (…

CVE-2022-3048MEDIUMCVSS 6.8EG 6.8

2022-09-26

Inappropriate implementation in Chrome OS lockscreen in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a local attacker to bypass lockscreen navigation restrictions via physical access to the device.

CVE-2022-30594HIGHCVSS 7.8EG 7.8

2022-05-12

The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.

CVE-2022-30715MEDIUMCVSS 4.0EG 5.3

2022-06-07

Improper access control vulnerability in DofViewer prior to SMR Jun-2022 Release 1 allows attackers to control floating system alert window.

CVE-2022-30731MEDIUMCVSS 5.1EG 5.5

2022-06-07

Improper access control vulnerability in My Files prior to version 13.1.00.193 allows attackers to access arbitrary private files in My Files application.

CVE-2022-30746HIGHCVSS 7.5EG 7.5

2022-06-07

Missing caller check in Smart Things prior to version 1.7.85.12 allows attacker to access senstive information remotely using javascript interface API.

CVE-2022-3082MEDIUMCVSS 6.5EG 6.5

2022-10-17

The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example

CVE-2022-30951HIGHCVSS 8.8EG 8.8

CVE-2022-30954MEDIUMCVSS 6.5EG 6.5

Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library does not implement access control, potentially allowing users to start processes even if they're not allowed to log in.

CVE-2022-30955MEDIUMCVSS 6.5EG 6.5

Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

CVE-2022-30957MEDIUMCVSS 4.3EG 4.3

Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-30959MEDIUMCVSS 6.5EG 7.1

A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.