Total
4661 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8369 | 1 Metagauss | 1 Eventprime | 2024-09-26 | N/A | 5.3 MEDIUM |
| The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events. | |||||
| CVE-2024-8437 | 2024-09-26 | N/A | 4.3 MEDIUM | ||
| The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX like wpeg_settings and wpeg_add_gallery in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify galleries. | |||||
| CVE-2024-47337 | 2024-09-26 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Stuart Wilson Joy Of Text Lite.This issue affects Joy Of Text Lite: from n/a through 2.3.1. | |||||
| CVE-2024-45591 | 1 Xwiki | 1 Xwiki | 2024-09-20 | N/A | 5.3 MEDIUM |
| XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history, if this shows the history of the main page then the installation is vulnerable. This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1. | |||||
| CVE-2023-39298 | 1 Qnap | 2 Qts, Quts Hero | 2024-09-20 | N/A | 7.8 HIGH |
| A missing authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated users to access data or perform actions that they should not be allowed to perform via unspecified vectors. QuTScloud, is not affected. We have already fixed the vulnerability in the following versions: QTS 5.2.0.2737 build 20240417 and later QuTS hero h5.2.0.2782 build 20240601 and later | |||||
| CVE-2024-7727 | 1 Bplugins | 1 Html5 Video Player | 2024-09-18 | N/A | 5.3 MEDIUM |
| The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data. | |||||
| CVE-2024-7721 | 1 Bplugins | 1 Html5 Video Player | 2024-09-18 | N/A | 4.3 MEDIUM |
| The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled. | |||||
| CVE-2024-8042 | 1 Rapid7 | 1 Insight Platform | 2024-09-17 | N/A | 2.4 LOW |
| Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024. | |||||
| CVE-2024-44112 | 1 Sap | 1 Oil \%\/ Gas | 2024-09-16 | N/A | 4.3 MEDIUM |
| Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table. There is no effect on confidentiality or availability. | |||||
| CVE-2024-41728 | 1 Sap | 1 Netweaver Application Server Abap | 2024-09-16 | N/A | 2.7 LOW |
| Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects. | |||||
| CVE-2024-45058 | 1 Portabilis | 1 I-educar | 2024-09-13 | N/A | 8.1 HIGH |
| i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. Prior to the 2.9 branch, an attacker with only minimal viewing privileges in the settings section is able to change their user type to Administrator (or another type with super-permissions) through a specifically crafted POST request to `/intranet/educar_usuario_cad.php`, modifying the `nivel_usuario_` parameter. The vulnerability occurs in the file located at `ieducar/intranet/educar_usuario_cad.php`, which does not check the user's current permission level before allowing changes. Commit c25910cdf11ab50e50162a49dd44bef544422b6e contains a patch for the issue. | |||||
| CVE-2024-7447 | 1 Funnelforms | 1 Funnelforms Free | 2024-09-13 | N/A | 5.3 MEDIUM |
| The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'fnsf_af2_handel_file_upload' function in all versions up to, and including, 3.7.3.2. This makes it possible for unauthenticated attackers to upload arbitrary media to the site, even if no forms exist. | |||||
| CVE-2024-8195 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2024-09-13 | N/A | 5.3 MEDIUM |
| The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'debug_data', 'debug_query', and 'debug_redirect' functions in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to extract sensitive data including password, title, and content of password-protected posts. | |||||
| CVE-2024-7856 | 1 Sonaar | 1 Mp3 Audio Player For Music\, Radio \& Podcast | 2024-09-13 | N/A | 9.1 CRITICAL |
| The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible when wp-config.php is deleted. | |||||
| CVE-2024-37930 | 1 Theme-sphere | 1 Smartmag | 2024-09-12 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in ThemeSphere SmartMag allows Excavation, Accessing Functionality Not Properly Constrained by ACLs.This issue affects SmartMag: from n/a through 9.3.0. | |||||
| CVE-2024-6631 | 1 Imagerecycle | 1 Imagerecycle Pdf \& Image Compression | 2024-09-12 | N/A | 5.0 MEDIUM |
| The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 3.1.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions, such as updating plugin settings. | |||||
| CVE-2023-4027 | 1 Softlabbd | 1 Radio Player | 2024-09-12 | N/A | 5.3 MEDIUM |
| The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_settings function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update plugin settings. | |||||
| CVE-2024-42470 | 1 Openhab | 1 Openhab | 2024-09-12 | N/A | 6.5 MEDIUM |
| openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Several endpoints in versions prior to 4.2.1 of the CometVisu add-on of openHAB don't require authentication. This makes it possible for unauthenticated attackers to modify or to steal sensitive data. This issue may lead to sensitive information disclosure. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch. | |||||
| CVE-2024-33005 | 1 Sap | 4 Content Server, Netweaver Abap, Netweaver Java and 1 more | 2024-09-12 | N/A | 6.3 MEDIUM |
| Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications. | |||||
| CVE-2024-7605 | 1 Helloasso | 1 Helloasso | 2024-09-12 | N/A | 4.3 MEDIUM |
| The HelloAsso plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ha_ajax' function in all versions up to, and including, 1.1.10. This makes it possible for authenticated attackers, with Contributor-level access and above, to update plugin options, potentially disrupting the service. | |||||