CVE-2023-45000 WordPress LiteSpeed Cache plugin <= 5.7 - Unauthenticated Broken Access Control on API vulnerability
Missing Authorization vulnerability in LiteSpeed Technologies LiteSpeed Cache. This issue affects LiteSpeed Cache: from n/a through 5.7...
PT-2024-5058 · Aimhubio · Aim
Name of the Vulnerable Software and Affected Versions: aimhubio/aim versions = 3.0.0 Description: A critical Remote Code Execution RCE vulnerability was identified in the aimhubio/aim project, specifically within the "/api/runs/search/run/" endpoint. The vulnerability resides in the run search ap...
CVE-2024-0899 s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 230815 - Information Exposure
The s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 230815 via the API. This makes it possible for unauthenticated attackers ...
EulerOS 2.0 SP9 : openssl (EulerOS-SA-2024-1491)
According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact...
PT-2024-24223 · Totolink · Totolink Ex200
Name of the Vulnerable Software and Affected Versions: TOTOLINK EX200 version 4.0.3c.7314 B20191204 Description: An attacker can obtain the configuration file without authorization through the "/cgi-bin/ExportSettings.sh" API endpoint. Recommendations: For TOTOLINK EX200 version 4.0.3c.7314...
CVE-2024-27620
CVE-2024-27620 affects Ladder v0.0.1 through v0.0.21. A server-side request forgery flaw in the API allows remote attackers to obtain sensitive information. Red Hat and NVD entries confirm the issue and the affected range; 0day/Exploit-DB variant describes exploitation against internal metadata e...
CVE-2024-23449
An uncaught exception in Elasticsearch = 8.4.0 and 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypte...
CVE-2024-0913
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the erp/v1/accounting/v1/transactions/sales REST API endpoint in all versions up to, and including, 1.12.9 due to insufficient escapi...
CVE-2024-29200 API returns timesheet entries a user should not be authorized to view
Kimai is a web-based multi-user time-tracking application. The permission viewothertimesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the viewothertimesheet permission to true, on the frontend, users can only see timesheet...
asia.990121:message-example (=1.0.0), be.yildiz-games:module-webserver-undertow (>=1.0.0 <=1.1.12) +3154 more potentially affected by CVE-2023-5685 via org.jboss.xnio:xnio-api (>=2.0.0.CR2 <=3.8.13.Final)
org.jboss.xnio:xnio-api MAVEN version =2.0.0.CR2, =1.0.0, =0.4.0, =2.0.0, =1.0.2, =1.0.0, =1.0, =1.0, =6.0-2, =6.1-S-5 and more Source cves: CVE-2023-5685 Source advisory: OSV:GHSA-7F88-5HHX-67M2...
Cross-Site Request Forgery (CSRF)
yourspotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery CSRF. Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the...
WordPress Plugin Restrict User Access Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. A WordPress plugin is an application...
CVE-2024-0906
The fx Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the API. This makes it possible for unauthenticated attackers to obtain page and post contents of a site protected with this plugin...
BIT-TENSORFLOW-2021-29519 CHECK-fail in SparseCross due to type confusion
TensorFlow is an end-to-end open source platform for machine learning. The API of tf.rawops.SparseCross allows combinations which would result in a CHECK-failure and denial of service. This is because the...
PT-2024-8940 · Abb · S+ Control Api +3
Name of the Vulnerable Software and Affected Versions: Symphony Plus S+ Operations versions 2.0;0 through 2.0 SP6 TC6 Symphony Plus S+ Operations versions 2.1;0 through 2.1 SP2 RU3 Symphony Plus S+ Operations versions 3.0;0 through 3.3 SP1 RU4 Symphony Plus S+ Engineering versions 2.1 through 2.3...
DEBIAN-CVE-2024-20945
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Security. Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM...
GHSA-3HV4-R2FM-H27F Email Validation Bypass And Preventing Sign Up From Email's Owner
Summary: Email validation can easily be bypassed because the verifyemailenabled option enables email validation at sign-up only. A user who changes their email after signing up and verifying it can change it without verification in /profile. This can be used to prevent the legitimate owner of the email address...
CVE-2024-24776
Mattermost vulnerability CVE-2024-24776: The API POST /api/v4/channels/stats/member_count fails to enforce required permissions, leaking channel member counts to users without permissions. Documents confirm affected product (Mattermost) and the underlying issue is a permissions check gap in the c...
CVE-2024-1353
A vulnerability, which was classified as critical, has been found in PHPEMS up to 1.0. Affected by this issue is the function index of the file app/weixin/controller/index.api.php. The manipulation of the argument picurl leads to deserialization. The exploit has been disclosed to the public and m...