Total
29685 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-39890 | 1 Samsung | 1 Billing | 2025-05-01 | 6.2 Medium |
| Improper Authorization in Samsung Billing prior to version 5.0.56.0 allows attacker to get sensitive information. | ||||
| CVE-2022-3285 | 1 Gitlab | 1 Gitlab | 2025-05-01 | 5.3 Medium |
| Bypass of healthcheck endpoint allow list affecting all versions from 12.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an unauthorized attacker to prevent access to GitLab | ||||
| CVE-2022-3706 | 1 Gitlab | 1 Gitlab | 2025-05-01 | 3.1 Low |
| Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project. | ||||
| CVE-2022-3793 | 1 Gitlab | 1 Gitlab | 2025-05-01 | 4.3 Medium |
| An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don't have access to. | ||||
| CVE-2022-31687 | 1 Vmware | 1 Workspace One Assist | 2025-05-01 | 9.8 Critical |
| VMware Workspace ONE Assist prior to 22.10 contains a Broken Access Control vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application. | ||||
| CVE-2022-20452 | 1 Google | 1 Android | 2025-05-01 | 7.8 High |
| In initializeFromParcelLocked of BaseBundle.java, there is a possible method arbitrary code execution due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-240138318 | ||||
| CVE-2022-39884 | 1 Google | 1 Android | 2025-05-01 | 4.3 Medium |
| Improper access control vulnerability in IImsService prior to SMR Nov-2022 Release 1 allows local attacker to access to Call information. | ||||
| CVE-2021-33193 | 6 Apache, Debian, Fedoraproject and 3 more | 9 Http Server, Debian Linux, Fedora and 6 more | 2025-05-01 | 7.5 High |
| A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48. | ||||
| CVE-2022-30556 | 4 Apache, Fedoraproject, Netapp and 1 more | 5 Http Server, Fedora, Clustered Data Ontap and 2 more | 2025-05-01 | 7.5 High |
| Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. | ||||
| CVE-2022-44560 | 1 Huawei | 2 Emui, Harmonyos | 2025-05-01 | 5.3 Medium |
| The launcher module has an Intent redirection vulnerability. Successful exploitation of this vulnerability may cause launcher module data to be modified. | ||||
| CVE-2022-27673 | 1 Amd | 1 Amd Link | 2025-05-01 | 7.5 High |
| Insufficient access controls in the AMD Link Android app may potentially result in information disclosure. | ||||
| CVE-2024-21890 | 2 Nodejs, Redhat | 2 Node.js, Enterprise Linux | 2025-04-30 | 6.5 Medium |
| The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | ||||
| CVE-2021-22884 | 6 Fedoraproject, Netapp, Nodejs and 3 more | 16 Fedora, Active Iq Unified Manager, E-series Performance Analyzer and 13 more | 2025-04-30 | 7.5 High |
| Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160. | ||||
| CVE-2019-15606 | 5 Debian, Nodejs, Opensuse and 2 more | 9 Debian Linux, Node.js, Leap and 6 more | 2025-04-30 | 9.8 Critical |
| Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons | ||||
| CVE-2021-37499 | 1 Reprisesoftware | 1 Reprise License Manager | 2025-04-30 | 6.5 Medium |
| CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in View License Result function, that allows remote attackers to inject arbitrary HTTP headers. | ||||
| CVE-2022-38705 | 1 Ibm | 1 Cics Tx | 2025-04-30 | 5.3 Medium |
| IBM CICS TX 11.1 Standard and Advanced could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 234172. | ||||
| CVE-2024-20059 | 2 Google, Mediatek | 26 Android, Mt6580, Mt6739 and 23 more | 2025-04-30 | 6.7 Medium |
| In da, there is a possible escalation of privilege due to an incorrect status check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541749; Issue ID: ALPS08541749. | ||||
| CVE-2024-20060 | 2 Google, Mediatek | 26 Android, Mt6580, Mt6739 and 23 more | 2025-04-30 | 5.9 Medium |
| In da, there is a possible escalation of privilege due to an incorrect status check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541749; Issue ID: ALPS08541754. | ||||
| CVE-2022-43690 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 6.3 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | ||||
| CVE-2025-29925 | 1 Xwiki | 1 Xwiki | 2025-04-30 | 5.3 Medium |
| XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights. | ||||