Mars: unauthorized access and add user and change personal information all users
The report describes a vulnerability in the ██████████ website, where unauthorized access to an API endpoint allowed attackers to add new users and modify personal information of existing users. The vulnerability was classified as Improper Access Control. The issue stemmed from the absence of...
CVE-2020-11926
CVE-2020-11926 affects Luvion Grand Elite 3 Connect (through 2020-02-25). The issue allows a client to authenticate with a username/password, with credentials retrievable via an unauthenticated web request (e.g., a JavaScript file). The disclosure also includes the device’s Wi‑Fi SSID and WPA2 ke...
CVE-2020-11926
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Clients can authenticate themselves to the device using a username and password. These credentials can be obtained through an unauthenticated web request, e.g., for a JavaScript file. Also, the disclosed information...
PYSEC-2024-183
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication method confusion allows logging in as the built-in root user from an external service. The built-in root user up until 6.24.1 is generated in a weak manner, cannot...
PT-2025-11662
Name of the Vulnerable Software and Affected Versions: Synology Drive Server versions prior to 3.0.4-12699; Synology Drive Server versions prior to 3.2.1-23280; Synology Drive Server versions prior to 3.5.0-26085; Synology Drive Server versions prior to 3.5.1-26102. Description: The issue is related to...
CVE-2024-43296
Missing Authorization vulnerability in bPlugins LLC Flash & HTML5 Video allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flash & HTML5 Video: from n/a through 2.5.30...
Lunary security vulnerability
Lunary is a production toolkit for LLMs open sourced by Lunary. A security vulnerability exists in Lunary v1.3.2, which stems from the presence of an IDOR vulnerability that allows an authenticated user to update another user's prompt by manipulating the id parameter in the request...
CVE-2024-9628 WPS Telegram Chat <= 4.6.0 - Authenticated (Subscriber+) Unauthorized Access to Telegram Bot API
The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'WpsTelegramChatAdmin::checkСonnection' function in versions up to, and including, 4.6.0. This makes it possible for authenticated attackers, wit...
PT-2024-7516 · Rockwell Automation · Rockwell Automation Thinmanager
Name of the Vulnerable Software and Affected Versions: Rockwell Automation ThinManager affected versions not specified Description: An authentication issue exists in the affected product, allowing a threat actor with network access to send crafted messages to the device, potentially resulting in...
CVE-2024-9927
The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to and including 2.0.5. This is due to the improper implementation of the allowpaymentwithoutlogin function. This makes it possible for authenticated attackers, with Shop...
PT-2024-7217
Name of the Vulnerable Software and Affected Versions: FortiManager versions 6.2.0 through 6.2.12; FortiManager versions 6.4.0 through 6.4.14; FortiManager versions 7.0.0 through 7.0.12; FortiManager versions 7.2.0 through 7.2.7; FortiManager versions 7.4.0 through 7.4.4; FortiManager version 7.6.0...
PT-2024-9164 · Nextcloud +2 · Nextcloud Server +2
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 28.0.12 Nextcloud Server versions prior to 29.0.9 Nextcloud Server versions prior to 30.0.2 Description: The issue is related to insufficient authentication procedure in Nextcloud Server, allowing an attacke...
CVE-2024-35584
SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1 to 8.0, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the lack to...
Red Hat Quay security vulnerability
Red Hat Quay is a distributed container image repository from Red Hat USA that is used to build, distribute and deploy containers. A security vulnerability exists in Red Hat Quay that stems from allowing successful authentication using a truncated version of a password...
PT-2024-39676 · WordPress · Wp Users Masquerade
Name of the Vulnerable Software and Affected Versions: WP Users Masquerade plugin for WordPress versions up to, and including, 2.0.0 Description: The issue is due to incorrect authentication and capability checking in the ajax masq login function, allowing authenticated attackers with...
CVE-2024-8433 Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘themehunkmegamenubgimage' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2024-46887
The web server of affected devices does not properly authenticate user requests to the '/ClientArea/RuntimeInfoData.mwsl' endpoint. This could allow an unauthenticated remote attacker to gain knowledge about current actual and configured maximum cycle times as well as about configured maximum...
CVE-2024-39364
Advantech ADAM-5630 has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent in a simple HTTP request and are executed by the device...
PT-2024-39148
Name of the Vulnerable Software and Affected Versions: ValeApp versions prior to 2.0.0. Description: The issue is a Session Fixation vulnerability that allows for Brute Force and Session Hijacking. This vulnerability affects the authentication mechanism of the software, potentially allowing...