Total: 6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2017-17707 | 1 Pleasantsolutions | 1 Pleasant Password Server | 2024-11-21 | 6.5 MEDIUM | 8.1 HIGH | Due to missing authorization checks, any authenticated user is able to list, upload, or delete attachments to password safe entries in Pleasant Password Server before 7.8.3. To perform those actions on an entry, the user needs to know the corresponding "CredentialId" value, which uniquely identifies a password safe entry. Since "CredentialId" values are implemented as GUIDs, they are hard to guess. However, if for example an entry's owner grants read-only access to a malicious user, the value ge ... |
| CVE-2017-15680 | 1 Craftercms | 1 Crafter Cms | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM | In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data. |
| CVE-2017-13247 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | In the Pixel 2 bootloader, there is a missing permission check which bypasses the carrier bootloader lock. This could lead to local elevation of privilege with user execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-71486645. |
| CVE-2017-13209 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | In the ServiceManager::add function in the hardware service manager, there is an insecure permissions check based on the PID of the caller which could allow an application or service to replace a HAL service with its own service. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-68217907. |
| CVE-2017-1000400 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | The remote API at /job/(job-name)/api in Jenkins 2.73.1 and earlier, 2.83 and earlier, contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to. |
| CVE-2017-1000390 | 1 Jenkins | 1 Multijob | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Jenkins Multijob plugin version 1.25 and earlier did not check permissions in the Resume Build action, allowing anyone with Job/Read permission to resume the build. |
| CVE-2017-1000388 | 1 Jenkins | 1 Dependency Graph Viewer | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data. |
| CVE-2016-11036 | 1 Google | 1 Android | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered on Samsung mobile devices with M(6.0) software. There is a Factory Reset Protection (FRP) bypass. The Samsung ID is SVE-2016-6008 (August 2016). |
| CVE-2015-20067 | 1 Wp Attachment Export Project | 1 Wp Attachment Export | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | The WP Attachment Export WordPress plugin before 0.2.4 does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a WordPress |
| CVE-2013-4226 | 1 Drupal | 1 Authenticated User Page Caching | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role combination as the superuser to obtain sensitive information via the cached pages of the superuser. |
| CVE-2013-3960 | 1 Easytimestudio | 1 Easy File Manager | 2024-11-21 | 8.7 HIGH | 9.9 CRITICAL | Easytime Studio Easy File Manager 1.1 has an HTTP request security bypass. |
| CVE-2013-3703 | 1 Opensuse | 1 Open Build Service | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH | The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data. |
| CVE-2012-6614 | 1 Dlink | 2 Dsr-250n, Dsr-250n Firmware | 2024-11-21 | 9.0 HIGH | 7.2 HIGH | D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password. |
| CVE-2012-0055 | 2 Canonical, Linux | 2 Ubuntu Linux, Linux Kernel | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.04 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions. |
| CVE-2011-4183 | 1 Opensuse | 1 Open Build Service | 2024-11-21 | 7.5 HIGH | 6.5 MEDIUM | A vulnerability in Open Build Service allows remote attackers to upload arbitrary RPM files. Affected releases are SUSE Open Build Service prior to 2.1.16. |
| CVE-2024-10897 | 1 Themeum | 1 Tutor Lms Elementor Addons | 2024-11-20 | N/A | 4.3 MEDIUM | The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_etlms_dependency_plugin() function in all versions up to, and including, 2.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install Elementor or Tutor LMS. Please note the impact of this issue is incredibly limited due to the fact that these two plugins will likely already be installed as a depend ... |
| CVE-2024-48898 | 1 Moodle | 1 Moodle | 2024-11-20 | N/A | 4.3 MEDIUM | A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from. |
| CVE-2024-10390 | | | 2024-11-19 | N/A | 6.4 MEDIUM | The Elfsight Telegram Chat CC plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updatePreferences' function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-51817 | | | 2024-11-19 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in CodeZel Combo WP Rewrite Slugs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Combo WP Rewrite Slugs: from n/a through 1.0. |
| CVE-2024-51671 | | | 2024-11-19 | N/A | 2.7 LOW | Missing Authorization vulnerability in ThemeIsle Otter - Gutenberg Block allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Otter - Gutenberg Block: from n/a through 3.0.3. |
| CVE-2024-51660 | | | 2024-11-19 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Zakaria Binsaifullah Easy Accordion Gutenberg Block allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Accordion Gutenberg Block: from n/a through 1.2.3. |
| CVE-2024-11194 | | | 2024-11-19 | N/A | 8.8 HIGH | The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a misconfigured check on the 'rtcl_import_settings' function in all versions up to, and including, 3.1.15.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited arbitrary options on the WordPress site. This can be leveraged to update the Subscriber role wit ... |
| CVE-2024-49680 | | | 2024-11-19 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Rextheme WP VR allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP VR: from n/a through 8.5.5. |
| CVE-2024-49689 | | | 2024-11-19 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in Harmonic Design HD Quiz – Save Results Light allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HD Quiz – Save Results Light: from n/a through 0.5. |
| CVE-2024-10486 | | | 2024-11-19 | N/A | 5.3 MEDIUM | The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to the publicly accessible print_php_information.php file. This makes it possible for unauthenticated attackers to retrieve information about the web server and PHP configuration, which can be used to aid other attacks. |
| CVE-2024-52395 | | | 2024-11-19 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in QunatumCloud Floating Buttons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Floating Buttons for WooCommerce: from n/a through 2.8.8. |
| CVE-2024-10582 | 1 Smartwpress | 1 Music Player For Elementor | 2024-11-19 | N/A | 4.3 MEDIUM | The Music Player for Elementor – Audio Player & Podcast Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_mpfe_template() function in all versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import templates. |
| CVE-2024-43323 | 1 Wpdeveloper | 1 Reviewx | 2024-11-19 | N/A | 9.8 CRITICAL | Missing Authorization vulnerability in ReviewX ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ReviewX: from n/a through 1.6.28. |
| CVE-2024-10575 | 1 Schneider-electric | 1 Ecostruxure It Gateway | 2024-11-19 | N/A | 9.8 CRITICAL | CWE-862: Missing Authorization vulnerability exists that could cause unauthorized access when enabled on the network and potentially impacting connected devices. |
| CVE-2024-10800 | 1 Vanquish | 1 User Extra Fields | 2024-11-19 | N/A | 8.8 HIGH | The WordPress User Extra Fields plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the ajax_save_fields() function in all versions up to, and including, 16.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to add custom fields that can be updated and then use the check_and_overwrite_wp_or_woocommerce_fields function to update the wp_capabilities field to have administrator privileges. |
| CVE-2021-3987 | 1 Janeczku | 1 Calibre-web | 2024-11-19 | N/A | 4.3 MEDIUM | An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users. |
| CVE-2024-10861 | | | 2024-11-18 | N/A | 5.3 MEDIUM | The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data. |
| CVE-2024-10786 | | | 2024-11-18 | N/A | 4.3 MEDIUM | The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sla_clear_user_cache function in all versions up to, and including, 2.7.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear user caches. |
| CVE-2024-11085 | | | 2024-11-18 | N/A | 5.4 MEDIUM | The WP Log Viewer plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on several AJAX actions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access logs, update plugin-related user settings and general plugin settings. |
| CVE-2024-10533 | | | 2024-11-18 | N/A | 4.3 MEDIUM | The WP Chat App plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the ajax_install_plugin() function in all versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the FileBird plugin. |
| CVE-2024-52416 | | | 2024-11-18 | N/A | 10.0 CRITICAL | Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Upload a Web Shell to a Web Server. This issue affects Debug Tool: from n/a through 2.2. |
| CVE-2024-48073 | | | 2024-11-18 | N/A | 9.8 CRITICAL | sunniwell HT3300 before 1.0.0.B022.2 is vulnerable to Insecure Permissions. The /usr/local/bin/update program, which is responsible for updating the software in the HT3300 device, is given the execution mode of sudo NOPASSWD. This program is vulnerable to a command injection vulnerability, which could allow an attacker to pass commands to this program via command line arguments to gain elevated root privileges. |
| CVE-2024-10531 | 1 Kognetiks | 1 Kognetiks Chatbot | 2024-11-18 | N/A | 4.3 MEDIUM | The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update GPT assistants. |
| CVE-2024-10530 | 1 Kognetiks | 1 Kognetiks Chatbot | 2024-11-18 | N/A | 4.3 MEDIUM | The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the add_new_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to create new GPT assistants. |
| CVE-2024-10529 | 1 Kognetiks | 1 Kognetiks Chatbot | 2024-11-18 | N/A | 5.3 MEDIUM | The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete GPT assistants. |
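Most of the WordPress entries above (CVE-2024-10861, CVE-2024-10786, CVE-2024-11085, CVE-2024-10533, CVE-2024-10582, CVE-2024-10800, CVE-2024-11194, CVE-2024-10390, and the three Kognetiks Chatbot entries) share one root cause: an AJAX handler registered with `wp_ajax_` (and sometimes `wp_ajax_nopriv_`) that performs its action without asking whether the caller is allowed to. The following is an added illustration written for this page, not code from any of the plugins listed; the `exw_` prefix, the action names, and the option names are assumptions. It shows the vulnerable shape beside a hardened one. The vulnerable handler also takes the option *name* from the request, which is the variant behind CVE-2024-11194 and CVE-2024-10800, where writing an unexpected option or user meta field turns "modify data" into "become administrator".

```php
<?php
// Added example for this page; not code from any plugin in the table above.
// Hypothetical plugin prefix "exw_" and option names are assumptions.

/*
 * Vulnerable shape.
 * - Hooked for logged-in callers (wp_ajax_) AND anonymous callers (wp_ajax_nopriv_),
 *   so an unauthenticated client reaches it (compare CVE-2024-10861).
 * - No nonce, no current_user_can() check: any Subscriber qualifies.
 * - Option name comes from the request, so the caller can target options such as
 *   'default_role' or the stored role definitions instead of the plugin's own.
 */
add_action( 'wp_ajax_exw_save_setting_old', 'exw_save_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_exw_save_setting_old', 'exw_save_setting_vulnerable' );
function exw_save_setting_vulnerable() {
    $name  = isset( $_POST['name'] )  ? wp_unslash( $_POST['name'] )  : '';
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    update_option( $name, $value ); // arbitrary option write with no authorization
    wp_send_json_success();
}

/*
 * Hardened shape. Four independent controls:
 *   1. no wp_ajax_nopriv_ hook, so anonymous requests never reach the handler;
 *   2. a nonce bound to this action (CSRF defence only: a nonce proves intent,
 *      not privilege, because any logged-in user can obtain one);
 *   3. a capability check for the privilege this operation actually requires;
 *   4. an allow-list of writable option names plus sanitization of the value.
 */
const EXW_WRITABLE_OPTIONS = array( 'exw_color', 'exw_position' ); // assumed option names

add_action( 'wp_ajax_exw_save_setting', 'exw_save_setting_hardened' );
function exw_save_setting_hardened() {
    // Dies with HTTP 403 when the nonce is missing or stale.
    check_ajax_referer( 'exw_save_setting', 'nonce' );

    // The authorization decision. manage_options is the capability that gates
    // site-wide settings; use a narrower custom capability if the plugin defines one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Never let the request choose an arbitrary option name.
    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! in_array( $name, EXW_WRITABLE_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown setting.' ), 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success( array( 'saved' => $name ) );
}

// The nonce the hardened handler expects is minted server-side when the admin
// page renders, e.g. wp_create_nonce( 'exw_save_setting' ), and posted back as
// the 'nonce' field together with 'name' and 'value'.
```

Two caveats a reviewer should carry to any plugin audit. First, `check_ajax_referer()` on its own does not fix a missing-authorization bug: a Subscriber can load a page that embeds the nonce and replay it, so the `current_user_can()` check is the control that actually closes the CVEs above. Second, the allow-list matters even after the capability check, because the same "update limited arbitrary options" primitive (CVE-2024-11194) or arbitrary user-meta write (CVE-2024-10800, via `wp_capabilities`) is what escalates a modest data-modification finding to full site takeover.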