CVE-2022-41831
CVE-2022-41831 affects the TCBarrett WP Glossary WordPress plugin up to version 3.1.2. It is an authenticated (contributor+) Cross-Site Scripting (XSS) vulnerability, exploitable by users with contributor or higher permissions. Some sources note no patched version is available; others ...
CVE-2023-22680
CVE-2023-22680 affects the WordPress plugin No API Amazon Affiliate (Altanic No API Amazon Affiliate) 4.2.2 (4.4.0) with low severity. No public exploit details are provided in the connected documents. Remediation: upgrade to a version greater than 4.2.2 (e.g., 4.4.0+). If upgrading is not feasib...
CVE-2023-22679
CVE-2023-22679 affects the WordPress WP Better Emails plugin, version
CVE-2023-25064
CVE-2023-25064 affects the WordPress plugin WP htpasswd (Plugin
CVE-2023-25782
CVE-2023-25782 affects the WordPress plugin Service Area Postcode Checker ≤ 2.0.8. The issue is an authenticated Cross-Site Scripting flaw that can be triggered with admin+ privileges, per CVE and vendor records. The root cause described in related advisories is insufficient sanitization/esc...
SEO Panel 4.8.0 - Blind SQL Injection
SEO Panel 4.8.0 is susceptible to time-based blind SQL injection via the ordercol parameter in archive.php. An attacker can potentially retrieve all databases and thus obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected...
Cross-Site Request Forgery (CSRF)
next-auth is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists due to missing state, nonce, and PKCE checks for OAuth authentication, which allows an attacker to bypass the CSRF protection...
@app-box/web (=1.0.0), @chirpy-dev/analytics (=0.0.1) +46 more potentially affected by CVE-2023-27490 via next-auth (>=0.0.0-manual.83c4ebd1 <=4.1.2)
next-auth NPM version =0.0.0-manual.83c4ebd1, =3.0.0-canary.160.0, =2.0.1-canary.24.0, =4.0.0-alpha.24, =4.0.0-alpha.1, =4.0.0-alpha.6, =1.0.99-0.next12, =0.1.0, =0.46.0, =0.30.0, =0.3.0, =0.10.0, =0.13.3 and more Source cves: CVE-2023-27490 Source advisory: OSV:GHSA-7R7X-4C4Q-C4QF...
GHSA-7R7X-4C4Q-C4QF Missing proper state, nonce and PKCE checks for OAuth authentication
Impact next-auth applications using OAuth provider versions before v4.20.1 are affected. A bad actor who can spy on the victim's network or able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to log in as the victim, bypassing...
Debian: Security Advisory (DLA-3359-1)
The remote host is missing an update for Debian. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
[SECURITY] [DLA 3359-1] libapache2-mod-auth-mellon security update
----------------------------------------------------------------------- Debian LTS Advisory DLA-3359-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta March 13, 2023 https://wiki.debian.org/LTS -...
Debian dla-3359 : libapache2-mod-auth-mellon - security update
The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3359 advisory. - ----------------------------------------------------------------------- Debian LTS Advisory DLA-3359-1 [email protected]...
CVE-2023-24999
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above...
Denial of service
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above...
CVE-2023-24774
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \controller\auth\Auth.php...
CVE-2023-0328 WPCode < 2.0.7 - Contributor+ WPCode Library Auth Key Update/Deletion
The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce. This may allow any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication, such as update and delete...
SUSE CVE-2019-11494
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command...
Real Estate CRM Pro 5.7 SQL Injection
Title: Real Estate CRM Pro v 5.7 Auth By Pass Vulnerability | Author: indoushka | Tested on: Windows 10 Français V.Pro / browser: Mozilla Firefox 69.032-b...