Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-42373 | 1 Sap | 1 Student Life Cycle Management | 2024-09-12 | N/A | 5.4 MEDIUM |
|
SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to delete non-sensitive report variants that are typically restricted, causing minimal impact on the integrity of the application.
|
|||||
| CVE-2024-6332 | 1 Tmsproducts | 1 Amelia | 2024-09-12 | N/A | 6.5 MEDIUM |
|
The Booking for Appointments and Events Calendar – Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.3. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version.
|
|||||
| CVE-2024-8427 | 1 Wpshuffle | 1 Frontend Post Submission Manager | 2024-09-11 | N/A | 4.3 MEDIUM |
|
The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_global_settings and process_form_edit functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and forms.
|
|||||
| CVE-2024-5309 | 1 Wpvibes | 1 Form Vibes | 2024-09-11 | N/A | 5.4 MEDIUM |
|
The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the fv_export_csv, reset_settings, save_settings, save_columns_settings, get_analytics_data, get_event_logs_data, delete_submissions, and get_submissions functions in all versions up to, and including, 1.4.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform multiple unauth ...
Show More |
|||||
| CVE-2024-44408 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2024-09-10 | N/A | 7.5 HIGH |
|
D-Link DIR-823G v1.0.2B05_20181207 is vulnerable to Information Disclosure. The device allows unauthorized configuration file downloads, and the downloaded configuration files contain plaintext user passwords.
|
|||||
| CVE-2024-45286 | 2024-09-10 | N/A | 6.5 MEDIUM | ||
|
Due to lack of proper authorization checks when calling user, a function module in obsolete Tobin interface in SAP Production and Revenue Accounting allows unauthorized access that could lead to disclosure of highly sensitive data. There is no impact on integrity or availability.
|
|||||
| CVE-2024-44113 | 2024-09-10 | N/A | 4.3 MEDIUM | ||
|
Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application.
|
|||||
| CVE-2024-44117 | 2024-09-10 | N/A | 5.4 MEDIUM | ||
|
The RFC enabled function module allows a low privileged user to perform various actions, such as modifying the URLs of any user's favourite nodes and workbook ID. There is low impact on integrity and availability of the application.
|
|||||
| CVE-2024-45284 | 2024-09-10 | N/A | 2.4 LOW | ||
|
An authenticated attacker with high privilege can use functions of SLCM transactions to which access should be restricted. This may result in an escalation of privileges causing low impact on integrity of the application.
|
|||||
| CVE-2024-44116 | 2024-09-10 | N/A | 4.3 MEDIUM | ||
|
The RFC enabled function module allows a low privileged user to add any workbook to any user's workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces. There is low impact on integrity of the application.
|
|||||
| CVE-2024-41729 | 2024-09-10 | N/A | 4.3 MEDIUM | ||
|
Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application.
|
|||||
| CVE-2024-45285 | 2024-09-10 | N/A | 5.4 MEDIUM | ||
|
The RFC enabled function module allows a low privileged user to perform denial of service on any user and also change or delete favourite nodes. By sending a crafted packet in the function module targeting specific parameters, the specific targeted user will no longer have access to any functionality of SAP GUI. There is low impact on integrity and availability of the application.
|
|||||
| CVE-2024-44115 | 2024-09-10 | N/A | 4.3 MEDIUM | ||
|
The RFC enabled function module allows a low privileged user to add URLs to any user's workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces, and nodes. There is low impact on integrity of the application
|
|||||
| CVE-2024-42380 | 2024-09-10 | N/A | 4.3 MEDIUM | ||
|
The RFC enabled function module allows a low privileged user to read any user's workplace favourites and user menu along with all the specific data of each node. Usernames can be enumerated by exploiting vulnerability. There is low impact on confidentiality of the application.
|
|||||
| CVE-2024-42371 | 2024-09-10 | N/A | 5.4 MEDIUM | ||
|
The RFC enabled function module allows a low privileged user to delete the workplace favourites of any user. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces and nodes. There is low impact on integrity and availability of the application.
|
|||||
| CVE-2024-40709 | 2024-09-09 | N/A | 7.8 HIGH | ||
|
A missing authorization vulnerability allows a local low-privileged user on the machine to escalate their privileges to root level.
|
|||||
| CVE-2024-45307 | 1 Onesoftnet | 1 Sudobot | 2024-09-07 | N/A | 9.8 CRITICAL |
|
SudoBot, a Discord moderation bot, is vulnerable to privilege escalation and exploit of the `-config` command in versions prior to 9.26.7. Anyone is theoretically able to update any configuration of the bot and potentially gain control over the bot's settings. Every version of v9 before v9.26.7 is affected. Other versions (e.g. v8) are not affected. Users should upgrade to version 9.26.7 to receive a patch. A workaround would be to create a command permission overwrite in the Database. A SQL sta ...
Show More |
|||||
| CVE-2024-37898 | 1 Xwiki | 1 Xwiki | 2024-09-06 | N/A | 4.3 MEDIUM |
|
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has view but not edit right on a page in XWiki, that user can delete the page and replace it by a page with new content without having delete right. The previous version of the page is moved into the recycle bin and can be restored from there by an admin. As the user is recorded as deleter, the user would in theory also be able to view the deleted content, but this is not directly ...
Show More |
|||||
| CVE-2024-37901 | 1 Xwiki | 1 Xwiki | 2024-09-06 | N/A | 8.8 HIGH |
|
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.
|
|||||
| CVE-2024-8121 | 1 Wpextended | 1 Wp Extended | 2024-09-06 | N/A | 4.3 MEDIUM |
|
The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of user names due to a missing capability check on the wpext_change_admin_name() function in all versions up to, and including, 3.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change an admin's username to a username of their liking as long as the default 'admin' was used.
|
|||||
| CVE-2024-7381 | 1 Infinitumform | 1 Geo Controller | 2024-09-06 | N/A | 5.3 MEDIUM |
|
The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajax__shortcode_cache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the target site.
|
|||||
| CVE-2024-7380 | 1 Infinitumform | 1 Geo Controller | 2024-09-06 | N/A | 4.3 MEDIUM |
|
The Geo Controller plugin for WordPress is vulnerable to unauthorized menu creation/deletion due to missing capability checks on the ajax__geolocate_menu and ajax__geolocate_remove_menu functions in all versions up to, and including, 8.6.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete WordPress menus.
|
|||||
| CVE-2024-8289 | 1 Multivendorx | 1 Multivendorx | 2024-09-05 | N/A | 9.8 CRITICAL |
|
The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote oth ...
Show More |
|||||
| CVE-2024-41108 | 1 Fogproject | 1 Fogproject | 2024-09-05 | N/A | 5.9 MEDIUM |
|
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. The hostinfo page has missing/improper access control since only the host's mac address is required to obtain the configuration information. This data can only be retrieved if a task is pending on that host. Otherwise, an error message containing "Invalid tasking!" will be returned. The domainpassword in the hostinfo dump is hidden even to authenticated users, as it is displayed as a row of asterisks when navigat ...
Show More |
|||||
| CVE-2024-8102 | 1 Wpextended | 1 Wp Extended | 2024-09-05 | N/A | 8.8 HIGH |
|
The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the module_all_toggle_ajax() function in all versions up to, and including, 3.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administr ...
Show More |
|||||
| CVE-2024-45050 | 2024-09-05 | N/A | 7.1 HIGH | ||
|
Ringer server is the server code for the Ringer messaging app. Prior to version 1.3.1, there is an issue with the messages loading route where Ringer Server does not check to ensure that the user loading the conversation is actually a member of that conversation. This allows any user with a Lif Account to load any conversation between two users without permission. This issue had been patched in version 1.3.1. There is no action required for users. Lif Platforms will update their servers with the ...
Show More |
|||||
| CVE-2024-7858 | 1 Maxfoundry | 1 Media Library Folders | 2024-09-03 | N/A | 6.3 MEDIUM |
|
The Media Library Folders plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several AJAX functions in the media-library-plus.php file in all versions up to, and including, 8.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions related to managing media files and folder along with controlling settings.
|
|||||
| CVE-2024-7032 | 1 Zaytech | 1 Smart Online Order For Clover | 2024-08-31 | N/A | 6.5 MEDIUM |
|
The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'moo_deactivateAndClean' function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to deactivate the plugin and drop all plugin tables from the database.
|
|||||
| CVE-2024-7030 | 1 Zaytech | 1 Smart Online Order For Clover | 2024-08-31 | N/A | 4.3 MEDIUM |
|
The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update product and category descriptions, category titles and images, and sort order.
|
|||||
| CVE-2024-41918 | 1 Rakuten | 1 Ichiba | 2024-08-30 | N/A | 6.1 MEDIUM |
|
'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the product via Intent from another application installed on the user's device. As a result, the user may be redirected to an unauthorized site, and the user may become a victim of a phishing attack.
|
|||||
| CVE-2024-8199 | 1 Smashballoon | 1 Reviews Feed | 2024-08-30 | N/A | 4.3 MEDIUM |
|
The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_api_key' function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update API Key options.
|
|||||
| CVE-2024-20413 | 2024-08-29 | N/A | 6.7 MEDIUM | ||
|
A vulnerability in Cisco NX-OS Software could allow an authenticated, local attacker with privileges to access the Bash shell to elevate privileges to network-admin on an affected device.
This vulnerability is due to insufficient security restrictions when executing application arguments from the Bash shell. An attacker with privileges to access the Bash shell could exploit this vulnerability by executing crafted commands on the underlying operating system. A successful exploit could allow th ...
Show More |
|||||
| CVE-2023-4024 | 1 Softlabbd | 1 Radio Player | 2024-08-28 | N/A | 5.3 MEDIUM |
|
The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to delete player instances.
|
|||||
| CVE-2023-4025 | 1 Softlabbd | 1 Radio Player | 2024-08-28 | N/A | 5.3 MEDIUM |
|
The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update player instances.
|
|||||
| CVE-2024-6688 | 2024-08-27 | N/A | 4.3 MEDIUM | ||
|
The Oxygen Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the oxy_save_css_from_admin AJAX action in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update stylesheets.
|
|||||
| CVE-2024-5941 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 5.4 MEDIUM |
|
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.14.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read attachment paths and delete attachment files.
|
|||||
| CVE-2024-5940 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 5.3 MEDIUM |
|
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled.
|
|||||
| CVE-2024-5939 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 5.3 MEDIUM |
|
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to read the setup wizard administrative pages.
|
|||||
| CVE-2024-43401 | 1 Xwiki | 1 Xwiki | 2024-08-20 | N/A | 8.0 HIGH |
|
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1.
|
|||||
| CVE-2024-43326 | 2024-08-20 | N/A | 5.4 MEDIUM | ||
|
Missing Authorization vulnerability in Jamie Bergen Plugin Notes Plus allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Plugin Notes Plus: from n/a through 1.2.7.
|
|||||