CVSS: 4.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-21464
https://notcve.org/view.php?id=CVE-2023-21464
Improper access control in Samsung Calendar prior to versions 12.4.02.9000 in Android 13 and 12.3.08.2000 in Android 12 allows local attacker to configure improper status. • https://security.samsungmobile.com/serviceWeb.smsb?year=2023&month=03 • CWE-281: Improper Preservation of Permissions •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-39915
https://notcve.org/view.php?id=CVE-2022-39915
Improper access control vulnerability in Calendar prior to versions 11.6.08.0 in Android Q(10), 12.2.11.3000 in Android R(11), 12.3.07.2000 in Android S(12), and 12.4.02.0 in Android T(13) allows attackers to access sensitive information via implicit intent. Una vulnerabilidad de control de acceso inadecuado en Calendar anterior a las versiones 11.6.08.0 en Android Q(10), 12.2.11.3000 en Android R(11), 12.3.07.2000 en Android S(12) y 12.4.02.0 en Android T(13) permite los atacantes accedan a información confidencial mediante una intención implícita. • https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=12 • CWE-284: Improper Access Control •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41913 – Discourse-calendar exposes members of hidden groups
https://notcve.org/view.php?id=CVE-2022-41913
Discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Members of private groups or public groups with private members can be listed by users, who can create and edit post events. This vulnerability only affects sites which have discourse post events enabled. This issue has been patched in commit `ca5ae3e7e` which will be included in future releases. Users unable to upgrade should disable the `discourse_post_event_enabled` setting to fully mitigate the issue. • https://github.com/discourse/discourse-calendar/commit/ca5ae3e7e0c2b32af5ca4ec69c95e95b2ecef2e9 https://github.com/discourse/discourse-calendar/security/advisories/GHSA-jh96-w279-g7r9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-27617
https://notcve.org/view.php?id=CVE-2022-27617
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to download arbitrary files via unspecified vectors. Una limitación inapropiada de un nombre de ruta a un directorio restringido ("Salto de Ruta") es una vulnerabilidad del componente webapi en Synology Calendar versiones anteriores a 2.3.4-0631, que permite a usuarios remotos autenticados descargar archivos arbitrarios por medio de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_20_07 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22686
https://notcve.org/view.php?id=CVE-2022-22686
Cross-Site Request Forgery (CSRF) vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to hijack the authentication of administrators via unspecified vectors. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en el componente webapi de Synology Calendar versiones anteriores a 2.3.4-0631, permite a usuarios remotos autenticados secuestrar la autenticación de los administradores por medio de vectores no especificados. • https://www.synology.com/security/advisory/Synology_SA_20_07 • CWE-352: Cross-Site Request Forgery (CSRF) •