CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 2024/06/06 6:15 p.m.•15 views

CVE-2024-3504

An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in versi...

8.1CVSS0.00494EPSS

OSV•added 2024/06/06 6:15 p.m.•10 views

CVE-2024-3152

mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, read and delete arbitrary files on the system, and perform...

8.8CVSS7.5AI score

Exploits0References2

Vulnrichment•added 2024/06/06 5:53 p.m.•11 views

CVE-2024-3504 Improper Access Control in lunary-ai/lunary

8.1CVSS6.7AI score0.00494EPSS

CVE•added 2024/06/06 5:53 p.m.•49 views

CVE-2024-3504

CVE-2024-3504 affects lunary-ai/lunary up to version 1.2.2. The root cause is improper access control that allows an admin to elevate any organization user to the owner role, enabling the elevated user to delete projects within the organization. The issue is mitigated by upgrading to version 1.2....

8.1CVSS7.1AI score0.00494EPSS

Exploits1References2Affected Software1

WPVulnDB•added 2024/06/05 12:0 a.m.•9 views

Simple Photoswipe <= 0.1 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1 As admin, go to plugin settings...

5.4AI score0.00281EPSS

Cvelist•added 2024/06/04 6:0 a.m.•22 views

CVE-2024-2470 Simple Ajax Chat < 20240412 - Admin+ Stored XSS

The Simple Ajax Chat WordPress plugin before 20240412 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

7.8AI score0.00335EPSS

WPVulnDB•added 2024/05/31 12:0 a.m.•15 views

CSSable Countdown <= 1.5 - Admin+ Stored XSS

5.4AI score0.00354EPSS

WPVulnDB•added 2024/05/31 12:0 a.m.•16 views

Widget Bundle <= 2.0.0 - Admin+ Stored XSS

5.4AI score0.00356EPSS

Vulnrichment•added 2024/05/29 6:0 a.m.•9 views

CVE-2024-3921 Gianism <= 5.1.0 - Admin+ Stored XSS

The Gianism WordPress plugin through 5.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.4AI score0.00372EPSS

OSV•added 2024/05/28 7:15 p.m.•1 views

CVE-2023-43845

Aten PE6208 2.3.228 and 2.4.232 have default credentials for the privileged telnet account. The user is not asked to change the credentials after first login. If not changed, attackers can log in to the telnet console and gain administrator privileges...

9.8CVSS5.8AI score0.00534EPSS

Exploits1References1

WPVulnDB•added 2024/05/24 12:0 a.m.•13 views

LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS

5.5AI score0.00342EPSS

Vulnrichment•added 2024/05/22 4:35 a.m.•11 views

CVE-2024-30420

Server-side request forgery SSRF vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may obtain...

6.8AI score0.00317EPSS

Exploits0References2

NVD•added 2024/05/21 3:15 p.m.•13 views

CVE-2024-33526

A Stored Cross-site Scripting XSS vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload...

7.1CVSS5.2AI score0.00507EPSS

NVD•added 2024/05/16 7:15 a.m.•22 views

CVE-2024-4844

Hardcoded credentials vulnerability in Trellix ePolicy Orchestrator ePO on Premise prior to 5.10 Service Pack 1 Update 2 allows an attacker with admin privileges on the ePO server to read the contents of the orion.keystore file, allowing them to access the ePO database encryption key. This was...

7.5CVSS7.5AI score0.00234EPSS

Exploits0References1

OSV•added 2024/05/15 6:15 a.m.•1 views

CVE-2024-3630

The HL Twitter WordPress plugin through 2014.1.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.4CVSS5.8AI score0.00331EPSS

Cvelist•added 2024/05/15 6:0 a.m.•29 views

CVE-2024-3630 HL Twitter <= 2014.1.18 - Admin+ Stored XSS via Widget

5.5AI score0.00331EPSS