CVE-2024-32470

Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4...

CVE-2024-28120

codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus...

CVE-2024-7713

The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 discloses the Open AI API Key, allowing unauthenticated users to obtain it...

CVE-2024-23453

Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service...

CVE-2024-1162

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.29. This is due to missing or incorrect nonce validation on the registerreference function. This makes it possible for unauthenticated attackers to update the...

CVE-2024-5674

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the checkapikey function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

CVE-2024-23686

DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file...

CVE-2024-5225

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the /global/spend/logs endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidat...

CVE-2024-6845

The Chatbot with ChatGPT WordPress plugin before 2.4.6 does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key...

CVE-2024-9109

The WooCommerce UPS Shipping – Live Rates and Access Points plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deleteoauthdata function in all versions up to, and including, 2.3.12. This makes it possible for authenticated attackers,...

CVE-2024-38480

"Piccoma" App for Android and iOS versions prior to 6.20.0 uses a hard-coded API key for an external service, which may allow a local attacker to obtain the API key. Note that the users of the app are not directly affected by this vulnerability...

CVE-2024-51493

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user...

CVE-2024-6489

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getgoogleapikey function in all versions up to, and including, 2.0.10. This makes it possible for authenticated attackers, with Contributor-level access a...

CVE-2024-6599

The Meks Video Importer plugin for WordPress is vulnerable to unauthorized API key modification due to a missing capability check on the ajaxsavesettings function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVE-2024-6491

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mailchimpapikeymanage function in all versions up to, and including, 2.0.10. This makes it possible for authenticated attackers, with Contributor-level...

CVE-2024-28088

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a loadchain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure...

CVE-2024-4858

The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'savetestimonialsoptioncallback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to updat...

CVE-2024-8199

The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateapikey' function in all versions up to, and including, 1.1.2. This make...

CVE-2024-8200

The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'updateapikey'...

CVE-2024-57726

SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role...