Total
833 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2575 | 1 Oretnom23 | 1 Employee Task Management System | 2025-02-20 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability, which was classified as critical, has been found in SourceCodester Employee Task Management System 1.0. Affected by this issue is some unknown functionality of the file /task-details.php. The manipulation of the argument task_id leads to authorization bypass. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257078 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-2576 | 1 Oretnom23 | 1 Employee Task Management System | 2025-02-20 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability, which was classified as critical, was found in SourceCodester Employee Task Management System 1.0. This affects an unknown part of the file /update-admin.php. The manipulation of the argument admin_id leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257079. | |||||
| CVE-2024-2577 | 1 Oretnom23 | 1 Employee Task Management System | 2025-02-20 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in SourceCodester Employee Task Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /update-employee.php. The manipulation of the argument admin_id leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257080. | |||||
| CVE-2024-2472 | 1 Latepoint | 1 Latepoint | 2025-02-20 | N/A | 9.1 CRITICAL |
| The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer's cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account. | |||||
| CVE-2023-28686 | 3 Debian, Dino, Fedoraproject | 3 Debian Linux, Dino, Fedora | 2025-02-19 | N/A | 7.1 HIGH |
| Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information. | |||||
| CVE-2024-13601 | 1 Majesticsupport | 1 Majestic Support | 2025-02-18 | N/A | 4.3 MEDIUM |
| The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.5 via the 'exportusereraserequest' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export ticket data for any user. | |||||
| CVE-2023-26984 | 1 Peppermint | 1 Peppermint | 2025-02-18 | N/A | 8.1 HIGH |
| An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request. | |||||
| CVE-2025-26788 | 2025-02-15 | N/A | 8.4 HIGH | ||
| StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction. | |||||
| CVE-2024-1470 | 1 Netiq | 1 Client Login Extension | 2025-02-14 | N/A | 7.1 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in NetIQ (OpenText) Client Login Extension on Windows allows Privilege Escalation, Code Injection.This issue only affects NetIQ Client Login Extension: 4.6. | |||||
| CVE-2024-34520 | 2025-02-13 | N/A | 8.8 HIGH | ||
| An authorization bypass vulnerability exists in the Mavenir SCE Application Provisioning Portal, version PORTAL-LBS-R_1_0_24_0, which allows an authenticated 'guest' user to perform unauthorized administrative actions, such as accessing the 'add user' feature, by bypassing client-side access controls. | |||||
| CVE-2023-0967 | 1 Imaworldhealth | 1 Bhima | 2025-02-13 | N/A | 6.5 MEDIUM |
| Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform. | |||||
| CVE-2024-1313 | 2025-02-13 | N/A | 6.5 MEDIUM | ||
| It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5. | |||||
| CVE-2023-28656 | 1 F5 | 3 Nginx Api Connectivity Manager, Nginx Instance Manager, Nginx Security Monitoring | 2025-02-13 | N/A | 8.1 HIGH |
| NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-1270 | 2025-02-13 | N/A | 9.1 CRITICAL | ||
| Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user. | |||||
| CVE-2023-6897 | 1 Wpfactory | 1 Ean For Woocommerce | 2025-02-11 | N/A | 4.3 MEDIUM |
| The EAN for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.9.2 via the the 'alg_wc_ean_product_meta' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to expose potentially sensitive post metadata. | |||||
| CVE-2024-43322 | 1 Zephyr-one | 1 Zephyr Project Manager | 2025-02-11 | N/A | 5.4 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.100. | |||||
| CVE-2025-24976 | 2025-02-11 | N/A | N/A | ||
| Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys, but doesn't verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication. | |||||
| CVE-2023-1417 | 1 Gitlab | 1 Gitlab | 2025-02-11 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group. | |||||
| CVE-2024-6410 | 1 Metagauss | 1 Profilegrid | 2025-02-10 | N/A | 4.3 MEDIUM |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.8.9 via the 'pm_upload_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the profile picture of any user. | |||||
| CVE-2024-32683 | 1 Wpmet | 1 Wp Ultimate Review | 2025-02-09 | N/A | 5.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Wpmet Wp Ultimate Review.This issue affects Wp Ultimate Review: from n/a through 2.2.5. | |||||