800 matches found

Positive Technologies
added 2024/12/10 12:0 a.m. · 2 views

PT-2024-9715 · Adobe · Experience Manager

Name of the Vulnerable Software and Affected Versions: Adobe Experience Manager versions 6.5.21 and earlier. Description: The issue is related to a stored Cross-Site Scripting (XSS) vulnerability. This vulnerability could be exploited by an attacker to inject malicious scripts into vulnerable form...

CVSS 5.5 · AI score 6 · EPSS 0.00477
Exploits 0 · References 6
NVD
added 2024/12/06 9:15 a.m. · 15 views

CVE-2024-12028

The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website,...

CVSS 5.3 · EPSS 0.00416
Exploits 0 · References 3
Vulnrichment
added 2024/12/06 8:24 a.m. · 7 views

CVE-2024-12028 Friends <= 3.2.1 - Missing Authorization

The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website,...

CVSS 5.3 · AI score 6.8 · EPSS 0.00416
Exploits 0 · References 2
CVE
added 2024/12/06 8:24 a.m. · 84 views

CVE-2024-12028

The CVE-2024-12028 entry covers the WordPress Friends plugin (up to v3.2.1) with a missing capability check on multiple REST API endpoints. This vulnerability allows unauthenticated attackers to perform actions on behalf of another website, including sending arbitrary friend requests, accepting t...

CVSS 5.3 · AI score 5.3 · EPSS 0.00416
Exploits 0 · References 3
Cvelist
added 2024/12/06 8:24 a.m. · 18 views

CVE-2024-12028 Friends <= 3.2.1 - Missing Authorization

The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website,...

CVSS 5.3 · EPSS 0.00416
Exploits 0 · References 3
CVE
added 2024/11/29 7:1 a.m. · 94 views

CVE-2024-11481

CVE-2024-11481 concerns Trellix Enterprise Security Manager (ESM) 11.6.10. The issue enables unauthenticated access to the internal Snowservice API, with improper path traversal handling and insecure forwarding to an AJP backend, lacking authentication for internal API endpoints. Documents indica...

CVSS 8.2 · AI score 7.3 · EPSS 0.00422
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2024/11/29 7:1 a.m. · 32 views

CVE-2024-11481

A vulnerability in ESM 11.6.10 allows unauthenticated access to the internal Snowservice API. This leads to improper handling of path traversal, insecure forwarding to an AJP backend without adequate validation, and lack of authentication for accessing internal API endpoints...

CVSS 8.2 · EPSS 0.00422
Exploits 0 · References 1
OSV
added 2024/11/28 7:21 p.m. · 15 views

BIT-GITLAB-2024-11669 Incorrect Authorization in GitLab

An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes...

CVSS 7.5 · AI score 6.5 · EPSS 0.00504
Exploits 0 · References 2
Positive Technologies
added 2024/11/28 12:0 a.m. · 3 views

PT-2024-16315 · WordPress · Element Pack Elementor Addons

Name of the Vulnerable Software and Affected Versions: Element Pack Elementor Addons plugin for WordPress versions prior to 5.10.3. Description: The issue concerns the Element Pack Elementor Addons plugin for WordPress, which does not validate and escape some of its block options before outputting...

CVSS 5.4 · AI score 8.2 · EPSS 0.00349
Exploits 1 · References 8
NVD
added 2024/11/27 7:15 p.m. · 20 views

CVE-2024-53855

Centurion ERP (Enterprise Resource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket can view the tickets of another organization they...

CVSS 4.3 · EPSS 0.00432
Exploits 0 · References 4
Cvelist
added 2024/11/27 6:27 p.m. · 21 views

CVE-2024-53855 User can view tickets from organizations they're not a part of in centurion_erp

Centurion ERP (Enterprise Resource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket can view the tickets of another organization they...

CVSS 1.9 · EPSS 0.00432
Exploits 0 · References 4
Vulnrichment
added 2024/11/27 6:27 p.m. · 21 views

CVE-2024-53855 User can view tickets from organizations they're not a part of in centurion_erp

Centurion ERP (Enterprise Resource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket can view the tickets of another organization they...

CVSS 1.9 · AI score 6.6 · EPSS 0.00432
Exploits 0 · References 4
CVE
added 2024/11/27 6:27 p.m. · 98 views

CVE-2024-53855

Centurion ERP prior to 1.3.1 allows an authenticated user with certain ticket-view permissions (view_ticket_change, view_ticket_incident, view_ticket_request, view_ticket_problem) to view tickets belonging to other organizations when using the API endpoints for tickets. The UI and Project Tasks a...

CVSS 4.3 · AI score 6.8 · EPSS 0.00432
Exploits 0 · References 4 · Affected Software 1
OSV
added 2024/11/26 6:41 p.m. · 7 views

CVE-2024-11669 Incorrect Authorization in GitLab

An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes...

CVSS 6.5 · AI score 6.4 · EPSS 0.00504
Exploits 0 · References 4
NVD
added 2024/11/25 4:15 a.m. · 25 views

CVE-2024-11483

A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While th...

CVSS 5 · EPSS 0.0051
Exploits 0 · References 4
Cvelist
added 2024/11/25 3:54 a.m. · 23 views

CVE-2024-11483 Automation-gateway: aap-gateway: improper scope handling in oauth2 tokens for aap 2.5

A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While th...

CVSS 5 · EPSS 0.0051
Exploits 0 · References 4
CVE
added 2024/11/25 3:54 a.m. · 103 views

CVE-2024-11483

CVE-2024-11483 affects Red Hat Ansible Automation Platform 2.5, specifically automation-gateway: improper scope handling in OAuth2 tokens for AAP 2.5. The flaw allows write access via read-scoped OAuth2 tokens to API endpoints using ansible_base.oauth2_provider, enabling potential modifications w...

CVSS 5 · AI score 5.5 · EPSS 0.0051
Exploits 0 · References 4
GithubExploit
added 2024/11/22 4:15 a.m. · 152 views

Exploit for CVE-2023-38646

Metabase Pre-Authentication RCE CVE-2023-38646 CVE-2023-38...

CVSS 9.8 · AI score 8.2 · EPSS 0.97924
Exploits 36
Cvelist
added 2024/11/18 4:5 p.m. · 22 views

CVE-2020-26063 Cisco Integrated Management Controller Software Authorization Bypass Vulnerability

A vulnerability in the API endpoints of Cisco Integrated Management Controller could allow an authenticated, remote attacker to bypass authorization and take actions on a vulnerable system without authorization. The vulnerability is due to improper authorization checks on API endpoints. An attack...

CVSS 5.4 · EPSS 0.00606
Exploits 0 · References 4
OSV
added 2024/11/14 6:15 p.m. · 13 views

CVE-2024-3501

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or...

CVSS 8.1 · AI score 6.7 · EPSS 0.00403
Exploits 0 · References 2