
1089 matches found

OSV
added 2024/12/16 6:15 a.m. · 6 views

CVE-2024-5333

The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...

CVSS 5.3 · AI score 7.3 · EPSS 0.01071
Exploits 1 · References 1
Positive Technologies
added 2024/12/16 12:00 a.m. · 4 views

PT-2024-35723

Name of the Vulnerable Software and Affected Versions: The Events Calendar WordPress plugin versions prior to 6.8.2.1. Description: The issue is related to missing access checks in the REST API, allowing unauthenticated users to access information about password-protected events. Recommendations: For...

CVSS 5.3 · AI score 7.3 · EPSS 0.01071
Exploits 1 · References 10
Positive Technologies
added 2024/12/13 12:00 a.m. · 13 views

PT-2024-36214 · Hurrakify · Hurrakify

Name of the Vulnerable Software and Affected Versions: Hurrakify versions n/a through 2.4. Description: A Server-Side Request Forgery (SSRF) vulnerability is present in Hurrakify. This issue allows for the reading of application data. Recommendations: For versio...

CVSS 7.2 · AI score 7.3 · EPSS 0.01432
Exploits 1 · References 7
NVD
added 2024/12/11 5:15 p.m. · 30 views

CVE-2024-47760

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue...

CVSS 8.8 · EPSS 0.00457
Exploits 0 · References 2
Vulnrichment
added 2024/12/11 4:56 p.m. · 20 views

CVE-2024-47760 GLPI vulnerable to account takeover via API

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue...

CVSS 7.5 · AI score 7.1 · EPSS 0.00457
Exploits 0 · References 2
CVE
added 2024/12/11 4:56 p.m. · 96 views

CVE-2024-47760

GLPI (Asset & IT Management) is affected by CVE-2024-47760: prior to 10.0.17, a technician with API access can elevate privileges and take control of a higher-privileged account. A patch is available in version 10.0.17. Connected sources corroborate version ranges around 9.1.0–10.0.17/10.0.18 and in...

CVSS 8.8 · AI score 6.8 · EPSS 0.00457
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2024/12/11 4:56 p.m. · 28 views

CVE-2024-47760 GLPI vulnerable to account takeover via API

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue...

CVSS 7.5 · EPSS 0.00457
Exploits 0 · References 2
CVE
added 2024/12/11 3:50 p.m. · 93 views

CVE-2024-47758

CVE-2024-47758 affects GLPI: authenticated users can, via the API, take control of another user with equal or lower privileges in versions 9.3.0 up to, but not including, 10.0.17. A patch is available in 10.0.17. Connected documents corroborate GLPI context and indicate multiple vendor advisories f...

CVSS 8.8 · AI score 6.6 · EPSS 0.00434
Exploits 0 · References 2 · Affected Software 1
The Hacker News
added 2024/12/11 11:02 a.m. · 37 views

What is Nudge Security and How Does it Work?

Regain control of SaaS sprawl with Day One discovery of all SaaS and GenAI accounts along with workflows to help you mitigate security risks, curb rogue app usage, and manage SaaS spend. In today's highly distributed workplace, every employee has the ability to act as their own CIO, adopting new...

AI score 7
Exploits 0
NVD
added 2024/12/10 9:15 a.m. · 28 views

CVE-2024-8256

In Teltonika Networks RUTOS devices running versions 7.0 up to but excluding 7.8, and TSWOS devices running versions 1.0 up to but excluding 1.3, a vulnerability exists due to incorrect permission handling which allows a lower privileged user with default permissions to access critical device resources v...

CVSS 5.9 · EPSS 0.00188
Exploits 0 · References 1
Vulnrichment
added 2024/12/10 8:56 a.m. · 8 views

CVE-2024-8256 Incorrect Permission Assignment in RutOS based routers and TSWOS based managed switches

In Teltonika Networks RUTOS devices running versions 7.0 up to but excluding 7.8, and TSWOS devices running versions 1.0 up to but excluding 1.3, a vulnerability exists due to incorrect permission handling which allows a lower privileged user with default permissions to access critical device resources v...

CVSS 5.9 · AI score 7.1 · EPSS 0.00188
Exploits 0 · References 1
CVE
added 2024/12/10 8:56 a.m. · 92 views

CVE-2024-8256

CVE-2024-8256 affects Teltonika Networks RUTOS and TSWOS devices due to incorrect permission handling in the API, enabling a lower-privileged user with default permissions to access critical device resources. Affected: RUTOS versions 7.0–7.7 (7.8 excluded; per PT-2024-38894 and CVE docs) and TSWO...

CVSS 5.9 · AI score 6.5 · EPSS 0.00188
Exploits 0 · References 1
Positive Technologies
added 2024/12/10 12:00 a.m. · 5 views

PT-2024-38894 · Teltonika Networks · Tswos +1

Name of the Vulnerable Software and Affected Versions: Teltonika Networks RUTOS versions 7.0 through 7.7; Teltonika Networks TSWOS versions 1.0 through 1.2. Description: A vulnerability exists due to incorrect permission handling, allowing a lower privileged user with default permissions to access...

CVSS 5.9 · AI score 7.2 · EPSS 0.00188
Exploits 0 · References 6
NVD
added 2024/12/09 2:15 p.m. · 20 views

CVE-2024-53949

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows lower privilege users to use this API. This issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue...

CVSS 7.6 · EPSS 0.00641
Exploits 0 · References 2
OSV
added 2024/12/09 2:15 p.m. · 8 views

CVE-2024-53949

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows lower privilege users to use this API. This issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue...

CVSS 6.5 · AI score 6.5
Exploits 0 · References 2
CVE
added 2024/12/09 1:35 p.m. · 1094 views

CVE-2024-53949

CVE-2024-53949 describes an improper authorization vulnerability in Apache Superset that occurs when the FAB_ADD_SECURITY_API is enabled (default is disabled). The issue allows lower-privilege users to use the security API to perform actions that should be restricted. Affected versions are 2.0.0 ...

CVSS 7.6 · AI score 6.5 · EPSS 0.00641
Exploits 0 · References 2 · Affected Software 1
NVD
added 2024/12/09 1:15 p.m. · 17 views

CVE-2023-47871

Missing Authorization vulnerability in IT Path Solutions Contact Form to Any API allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form to Any API: from n/a through 1.1.6...

CVSS 4.3 · EPSS 0.00456
Exploits 2 · References 1
GithubExploit
added 2024/12/03 12:44 p.m. · 631 views

Exploit for CVE-2024-42327

PoC for CVE-2024-42327 / ZBX-25623 A non-admin user account on...

CVSS 9.9 · AI score 7.4 · EPSS 0.78831
Exploits 13
NVD
added 2024/11/29 10:15 a.m. · 17 views

CVE-2024-50357

FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial factory default configuration. However, the REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server GUI or Web authentication ...

CVSS 9.8 · EPSS 0.00556
Exploits 0 · References 2
OSV
added 2024/11/27 12:15 p.m. · 12 views

CVE-2024-42327

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQLi exists in the addRelatedObjects function of the CUser class; this function is called from the CUser.get function, which is availabl...

CVSS 9.9 · AI score 6.7
Exploits 0 · References 1