Total
833 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27700 | 2024-11-18 | N/A | 7.6 HIGH | ||
| SOCIFI Socifi Guest wifi as SAAS wifi portal is affected by Insecure Permissions. Any authorized customer with partner mode can switch to another customer dashboard and perform actions like modify user, delete user, etc. | |||||
| CVE-2024-11073 | 1 Mayurik | 1 Hospital Management System | 2024-11-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in SourceCodester Hospital Management System 1.0. This affects an unknown part of the file /vm/patient/delete-account.php. The manipulation of the argument id leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-52507 | 2024-11-18 | N/A | 3.5 LOW | ||
| Nextcloud Tables allows users to to create tables with individual columns. The information which Table (numeric ID) is shared with which groups and users and the respective permissions was not limited to affected users. It is recommended that the Nextcloud Tables app is upgraded to 0.8.1. | |||||
| CVE-2024-52511 | 2024-11-18 | N/A | 6.3 MEDIUM | ||
| Nextcloud Tables allows users to to create tables with individual columns. By directly specifying the ID of a table or view, a malicious user could blindly insert new rows into tables they have no access to. It is recommended that the Nextcloud Tables is upgraded to 0.8.0. | |||||
| CVE-2024-10795 | 2024-11-18 | N/A | 4.3 MEDIUM | ||
| The Popularis Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.7 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to. | |||||
| CVE-2024-11318 | 2024-11-18 | N/A | 7.5 HIGH | ||
| An IDOR (Insecure Direct Object Reference) vulnerability has been discovered in AbsysNet, affecting version 2.3.1. This vulnerability could allow a remote attacker to obtain the session of an unauthenticated user by brute-force attacking the session identifier on the "/cgi-bin/ocap/" endpoint. | |||||
| CVE-2021-37577 | 2024-11-15 | N/A | 6.8 MEDIUM | ||
| Bluetooth LE and BR/EDR Secure Connections pairing and Secure Simple Pairing using the Passkey entry protocol in Bluetooth Core Specifications 2.1 through 5.3 may permit an unauthenticated man-in-the-middle attacker to identify the Passkey used during pairing by reflection of a crafted public key with the same X coordinate as the offered public key and by reflection of the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. This is a related issue to CVE-2020-26558. | |||||
| CVE-2024-10695 | 1 Futuriowp | 1 Futurio Extra | 2024-11-14 | N/A | 4.3 MEDIUM |
| The Futurio Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.0.13 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts that they should not have access to. | |||||
| CVE-2024-10778 | 2024-11-13 | N/A | 4.3 MEDIUM | ||
| The BuddyPress Builder for Elementor – BuddyBuilder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.4 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts crated by Elementor that they should not have access to. | |||||
| CVE-2024-10794 | 2024-11-13 | N/A | 4.3 MEDIUM | ||
| The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.6 via the 'bhf' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to. | |||||
| CVE-2024-10669 | 2024-11-12 | N/A | 4.3 MEDIUM | ||
| The Countdown Timer block – Display the event's date into a timer. plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.4 via the [ctb] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | |||||
| CVE-2024-10688 | 2024-11-12 | N/A | 4.3 MEDIUM | ||
| The Attesa Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.2 via the 'attesa-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | |||||
| CVE-2024-10667 | 2024-11-12 | N/A | 4.3 MEDIUM | ||
| The Content Slider Block plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.1.5 via the [csb] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | |||||
| CVE-2024-9262 | 2024-11-12 | N/A | 6.5 MEDIUM | ||
| The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the 'user-meta-public-profile' shortcode is used insecurely. | |||||
| CVE-2024-43438 | 2024-11-08 | N/A | 7.5 HIGH | ||
| A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report. | |||||
| CVE-2024-10452 | 1 Grafana | 1 Grafana | 2024-11-08 | N/A | 2.2 LOW |
| Organization admins can delete pending invites created in an organization they are not part of. | |||||
| CVE-2024-48217 | 2024-11-05 | N/A | 8.8 HIGH | ||
| An Insecure Direct Object Reference (IDOR) in the dashboard of SiSMART v7.4.0 allows attackers to execute a horizontal-privilege escalation. | |||||
| CVE-2024-10654 | 2024-11-05 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability has been found in TOTOLINK LR350 up to 9.3.5u.6369 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 9.3.5u.6698_B20230810 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2024-7473 | 1 Lunary | 1 Lunary | 2024-11-03 | N/A | 6.5 MEDIUM |
| An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3. | |||||
| CVE-2024-50483 | 1 Tareqhasan | 1 Meetup | 2024-10-31 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in Meetup allows Privilege Escalation.This issue affects Meetup: from n/a through 0.1. | |||||