CVE-2023-1979 Auth bypass in Web Stories for WordPress plugin
The Web Stories for WordPress plugin supports the WordPress built-in functionality of protecting content with a password. The content is then only accessible to website visitors after entering the password. In WordPress, users with the "Author" role can create stories, but don't have the ability ...
CVE-2023-1979
CVE-2023-1979 affects the Web Stories for WordPress plugin. The issue allows users with the WordPress Author role to bypass password-protection permission checks when duplicating password-protected stories in the plugin’s dashboard, exposing protected content. The vulnerability was fixed by upgra...
Download Manager < 3.2.71 - Broken Access Controls
The plugin does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's...
CVE-2023-28847 Nextcloud Server missing brute force protection for passwords of password protected share links
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attack...
Design/Logic Flaw
The W4 Post List WordPress plugin before 2.4.6 does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them...
CVE-2023-1371
CVE-2023-1371 affects the W4 Post List WordPress plugin prior to version 2.4.6. The vulnerability arises because the plugin does not properly enforce access controls for password-protected posts before displaying their content, potentially allowing any authenticated user (Subscriber level) to vie...
CVE-2023-1371 W4 Post List < 2.4.6 - Subscriber+ Password Protected Post Content Disclosure
The W4 Post List WordPress plugin before 2.4.6 does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them...
DRUPAL-CONTRIB-2023-013
This module enables you to secure any page with a password. The module does not sufficiently restrict access to the page content...
GHSA-W7R6-V4J7-H94W Apache James server's JMX management service vulnerable to privilege escalation by local user
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX...
CVE-2023-28647 App pin of the iOS app can be bypassed in Nextcloud iOS
Nextcloud iOS is an iOS application used to interface with the Nextcloud home cloud ecosystem. In versions prior to 4.7.0 when an attacker has physical access to an unlocked device, they may enable the integration into the iOS Files app and bypass the Nextcloud pin/password protection and gain...
CVE-2023-28509
Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 use weak encryption for packet-level security and passwords transferred on the wire...
CVE-2023-27927
The CVE-2023-27927 entry concerns SAUTER EY-modulo 5 Building Automation Station. Affected component: SMTP password handling within the web/mail client service; root cause: credentials transmitted in cleartext despite masking. Impact: potential for an authenticated attacker to obtain SMTP credent...
The vulnerability of the FortiAnalyzer event monitoring and analysis tool, related to insufficient password protection, allows an intruder to gain unauthorized access to protected information.
The vulnerability of the FortiAnalyzer event monitoring and analysis tool is related to insufficient password protection. Exploiting this vulnerability can allow an unauthorized attacker to gain unauthorized access to protected information through a specially crafted request...
W4 Post List < 2.4.6 - Subscriber+ Password Protected Post Content Disclosure
The plugin does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them PoC Setup: Create a default Post list, and create a password protected post with secret content Then, run the below command in the...
W4 Post List < 2.4.6 - Subscriber+ Password Protected Post Content Disclosure
The plugin does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them Setup: Create a default Post list, and create a password protected post with secret content Then, run the below command in the develop...
Nextcloud: Missing brute force protection for passwords of password protected share links
A missing brute force protection vulnerability was found in the password protection feature of shared files, allowing an attacker to bypass the password protection of the shared files due to the lack of rate limit. This could lead to unauthorized access to protected files...
WordPress plugin CMP–Coming Soon & Maintenance Information Disclosure Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. An information disclosure vulnerability...
Schneider Electric Modicon M221 Programmable Logic Controller Use of a One-Way Hash with a Predictable Salt (CVE-2020-28214)
A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 all references, all versions, that could allow an attacker to pre-compute the hash value using dictionary attack techniques such as rainbow tables, effectively disabling the protection that an unpredictab...
Schneider Electric Modicon M221 Programmable Logic Controller Missing Encryption of Sensitive Data (CVE-2020-7567)
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Modicon M221 all references, all versions that could allow the attacker to find the password hash when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller and broke t...