80 matches found

Cvelist · added 2025/04/30 6:00 a.m. · 21 views

CVE-2025-3471 SureForms < 1.4.4 - Contributor+ Settings Update

The SureForms WordPress plugin before 1.4.4 does not have a proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action...

EPSS 0.00223 · Exploits: 1 · References: 1
CVE · added 2025/04/30 6:00 a.m. · 59 views

CVE-2025-3471

CVE-2025-3471 concerns the SureForms WordPress plugin, prior to version 1.4.4. The root cause is an insufficient authorisation check when updating plugin settings via the REST API, potentially allowing a user with Contributor or higher privileges to perform settings updates. Public details across...

CVSS 4.9 · AI score 6.8 · EPSS 0.00223 · Exploits: 1 · References: 1 · Affected Software: 1
Packet Storm · added 2025/03/24 12:00 a.m. · 196 views

TeamPass 3.0.0.21 SQL Injection

TeamPass version 3.0.0.21 suffers from a remote SQL injection vulnerability. Exploit Title: TeamPass SQL Injection Google Dork: intitle:"Teampass" + inurl:index.php?page=items Date: 02/23/2025 Exploit Author: Max Meyer - Rivendell Vendor Homepage: http://www.teampass.net Software Link:...

CVSS 7.5 · AI score 8.5 · EPSS 0.13984 · Exploits: 6
Cvelist · added 2025/03/13 11:21 a.m. · 15 views

CVE-2025-29997 Improper Access Control Vulnerability in CAP back office application

This vulnerability exists in the CAP back office application due to improper authorization checks on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating the API request URL to gain unauthorized access to other user accounts...

CVSS 8.2 · EPSS 0.0051 · Exploits: 0 · References: 1
NVD · added 2025/02/14 12:15 p.m. · 14 views

CVE-2025-26523

This vulnerability exists in RupeeWeb trading platform due to insufficient authorization controls on certain API endpoints handling addition and deletion operations. Successful exploitation of this vulnerability could allow an authenticated remote attacker to modify information belonging to other...

CVSS 7.4 · EPSS 0.00511 · Exploits: 0 · References: 1
Positive Technologies · added 2025/02/05 12:00 a.m. · 3 views

PT-2025-5705 · Cisco · Cisco Ise

Name of the Vulnerable Software and Affected Versions: Cisco ISE affected versions not specified Description: A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and...

CVSS 9.1 · AI score 9 · EPSS 0.0212 · Exploits: 2 · References: 39
Vulnrichment · added 2025/01/20 2:31 a.m. · 8 views

CVE-2025-0580 Shiprocket Module REST API Module rest_api authorization

A vulnerability was found in Shiprocket Module 3 on OpenCart. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?route=extension/module/restapi&action=getOrders of the component REST API Module. The manipulation of the argument contentHash...

CVSS 6.3 · AI score 5.5 · EPSS 0.00109 · Exploits: 0 · References: 4
FreeBSD · added 2024/12/12 12:00 a.m. · 4 views

forgejo -- multiple vulnerabilities

Problem Description: It was possible to use a token sent via email for secondary email validation to reset the password instead. In other words, a token sent for a given action (registration, password reset or secondary email validation) could be used to perform a different action. It is no longer...

AI score 7.6 · Exploits: 0 · References: 1
NVD · added 2024/10/22 5:15 p.m. · 15 views

CVE-2024-49209

Archer Platform 2024.03 before version 2024.09 is affected by an API authorization bypass vulnerability related to supporting application files. A remote unprivileged attacker could potentially exploit this vulnerability to elevate their privileges and upload additional system icons...

CVSS 6.5 · EPSS 0.00058 · Exploits: 0 · References: 2
Cvelist · added 2024/10/22 12:00 a.m. · 17 views

CVE-2024-49209

Archer Platform 2024.03 before version 2024.09 is affected by an API authorization bypass vulnerability related to supporting application files. A remote unprivileged attacker could potentially exploit this vulnerability to elevate their privileges and upload additional system icons...

CVSS 6.5 · EPSS 0.00058 · Exploits: 0 · References: 2
Tenable Nessus · added 2024/05/17 12:00 a.m. · 15 views

GitLab 11.3 < 13.1.10 / 13.2 < 13.2.8 / 13.3 < 13.3.4 (CVE-2020-13284)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token CVE-2020-13284 Note that Nessus has not tested for this issue but has...

CVSS 6.5 · AI score 6.5 · EPSS 0.00154 · Exploits: 0 · References: 3
VulnCheck KEV · added 2024/05/15 12:00 a.m. · 0 views

VulnCheck KEV: CVE-2022-25237

Bonita Web 2021.2 is affected by an authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API...

CVSS 9.8 · AI score 5.8 · EPSS 0.91075 · Exploits: 1 · References: 1
Tenable Nessus · added 2024/04/15 12:00 a.m. · 28 views

PaperCut NG < 20.1.10 / 21.x < 21.2.14 / 22.x < 22.1.5 / 23.x < 23.0.7 Multiple Vulnerabilities

The version of PaperCut NG installed on the remote Windows host is affected by multiple vulnerabilities, as follows: - This allows attackers to use a maliciously formed API request to gain access to an API authorization level with elevated privileges. This applies to a small subset of PaperCut...

CVSS 9.8 · AI score 7.4 · EPSS 0.11257 · Exploits: 0 · References: 8
Tenable Nessus · added 2024/04/15 12:00 a.m. · 36 views

PaperCut MF < 20.1.10 / 21.x < 21.2.14 / 22.x < 22.1.5 / 23.x < 23.0.7 Multiple Vulnerabilities

The version of PaperCut MF installed on the remote Windows host is affected by multiple vulnerabilities, as follows: - This allows attackers to use a maliciously formed API request to gain access to an API authorization level with elevated privileges. This applies to a small subset of PaperCut...

CVSS 9.8 · AI score 7.1 · EPSS 0.11257 · Exploits: 0 · References: 8
OSV · added 2024/03/06 11:22 a.m. · 20 views

BIT-GITLAB-2020-13284

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token...

CVSS 6.5 · AI score 6.3 · EPSS 0.00154 · Exploits: 0 · References: 3
Positive Technologies · added 2023/12/26 12:00 a.m. · 8 views

PT-2023-32233 · WordPress · Wp Mail Log

Name of the Vulnerable Software and Affected Versions: WP Mail Log WordPress plugin versions prior to 1.1.3 Description: The issue arises from incorrect authorization of REST API endpoints in the WP Mail Log WordPress plugin, allowing users with the Contributor role to view and delete data that...

CVSS 7.6 · AI score 7 · EPSS 0.00117 · Exploits: 2 · References: 7
The Hacker News · added 2023/10/30 6:46 a.m. · 114 views

Urgent: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes

Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster. The vulnerabilities are as follows: - CVE-2022-4886 (CVSS score: 8.8) - Ingress-nginx path...

AI score 8.2 · EPSS 0.08939 · Exploits: 2
Cvelist · added 2023/09/06 5:54 p.m. · 11 views

CVE-2023-41319 Remote Code Execution in Custom Integration Upload in Fides

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML...

CVSS 8.8 · AI score 9 · EPSS 0.00071 · Exploits: 0 · References: 2
Huntr · added 2023/01/15 2:09 p.m. · 31 views

SQL injection in API authorization check

Description: TeamPass /authorize API endpoint is vulnerable to SQL injection in the login field. It is possible to forge an arbitrary Blowfish hash and use it in the query to bypass the password verification check. Using the same query it is possible to define an arbitrary apikey value too: "login...

CVSS 5 · AI score 8.2 · EPSS 0.13984 · Exploits: 6
Cvelist · added 2022/12/19 12:00 a.m. · 14 views

CVE-2022-3876 Click Studios Passwordstate API authorization

A vulnerability, which was classified as problematic, has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This issue affects some unknown processing of the file /api/browserextension/UpdatePassword/ of the component API. The manipulation of the argument...

CVSS 4.3 · AI score 6.8 · EPSS 0.00278 · Exploits: 1 · References: 3