Total
4661 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-1114 | 1 Eskom | 1 E-belediye | 2024-11-21 | N/A | 9.8 CRITICAL |
| Missing Authorization vulnerability in Eskom e-Belediye allows Information Elicitation.This issue affects e-Belediye: from 1.0.0.95 before 1.0.0.100. | |||||
| CVE-2023-1027 | 1 Joomunited | 1 Wp Meta Seo | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the checkAllCategoryInSitemap function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to obtain post categories. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role. | |||||
| CVE-2023-0923 | 1 Redhat | 2 Enterprise Linux, Openshift Data Science | 2024-11-21 | N/A | 8.8 HIGH |
| A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues. | |||||
| CVE-2023-0890 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2024-11-21 | N/A | 6.5 MEDIUM |
| The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as subscriber to view draft, private or even password protected posts. It is also possible to leak the password of protected posts | |||||
| CVE-2023-0720 | 1 Wickedplugins | 1 Wicked Folders | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_folder_order function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin. | |||||
| CVE-2023-0713 | 1 Wickedplugins | 1 Wicked Folders | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_add_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin. | |||||
| CVE-2023-0678 | 1 Phpipam | 1 Phpipam | 2024-11-21 | N/A | 5.3 MEDIUM |
| Missing Authorization in GitHub repository phpipam/phpipam prior to v1.5.1. | |||||
| CVE-2023-0456 | 1 Redhat | 1 Apicast | 2024-11-21 | N/A | 7.4 HIGH |
| A flaw was found in APICast, when 3Scale's OIDC module does not properly evaluate the response to a mismatched token from a separate realm. This could allow a separate realm to be accessible to an attacker, permitting access to unauthorized information. | |||||
| CVE-2023-0404 | 1 E-dynamics | 1 Events Made Easy | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Events Made Easy plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions related to AJAX actions in versions up to, and including, 2.3.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke those functions intended for administrator use. While the plugin is still pending review from the WordPress repository, site owners can download a copy of the patched version directly from the developer's Github at https://github.com/liedekef/events-made-easy | |||||
| CVE-2023-0019 | 1 Sap | 1 Grc Process Control | 2024-11-21 | N/A | 6.5 MEDIUM |
| In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750, remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal privileges to access all the confidential data stored in the database. Successful exploitation of this vulnerability can expose user credentials from client-specific tables of the database, leading to high impact on confidentiality. | |||||
| CVE-2022-4950 | 2 Coolplugins, Cryptocurrency Payment \& Donation Box Plugins | 10 Cool Timeline, Cryptocurrency Widgets, Cryptocurrency Widgets For Elementor and 7 more | 2024-11-21 | N/A | 8.8 HIGH |
| Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber. | |||||
| CVE-2022-4948 | 1 Flying-press | 1 Flyingpress | 2024-11-21 | N/A | 4.3 MEDIUM |
| The FlyingPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 3.9.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to interact with the plugin in ways administrators are intended to. One action (save_config) allows for the configuration of an external CDN. This could be used to include malicious javascript from a source controlled by the attacker. | |||||
| CVE-2022-4943 | 1 Miniorange | 1 Google Authenticator | 2024-11-21 | N/A | 7.5 HIGH |
| The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings. | |||||
| CVE-2022-4937 | 1 Wclovers | 1 Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible | 2024-11-21 | N/A | 6.3 MEDIUM |
| The WCFM Frontend Manager plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 6.6.0 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more. There were hundreds of AJAX endpoints affected. | |||||
| CVE-2022-4935 | 1 Wclovers | 1 Wcfm Marketplace | 2024-11-21 | N/A | 8.8 HIGH |
| The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and privilege escalation (via the wp_ajax_wcfm_vendor_store_online AJAX action). | |||||
| CVE-2022-4366 | 1 Daloradius | 1 Daloradius | 2024-11-21 | N/A | 7.5 HIGH |
| Missing Authorization in GitHub repository lirantal/daloradius prior to master branch. | |||||
| CVE-2022-4169 | 1 Theme And Plugin Translation For Polylang Project | 1 Theme And Plugin Translation For Polylang | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings. | |||||
| CVE-2022-48491 | 1 Huawei | 1 Emui | 2024-11-21 | N/A | 5.3 MEDIUM |
| Vulnerability of missing authentication on certain HUAWEI phones.Successful exploitation of this vulnerability can lead to ads and other windows to display at any time. | |||||
| CVE-2022-48452 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-11-21 | N/A | 4.4 MEDIUM |
| In Ifaa service, there is a possible missing permission check. This could lead to local denial of service with System execution privileges needed | |||||
| CVE-2022-48318 | 1 Checkmk | 1 Checkmk | 2024-11-21 | N/A | 5.3 MEDIUM |
| No authorisation controls in the RestAPI documentation for Tribe29's Checkmk <= 2.1.0p13 and Checkmk <= 2.0.0p29 which may lead to unintended information disclosure through automatically generated user specific tags within Rest API documentation. | |||||