630 matches found
CVE-2024-3761
In lunary-ai/lunary, version 1.2.2 contains an unauthorized deletion vulnerability on the DELETE endpoint at packages/backend/src/api/v1/datasets due to missing authorization/authentication. This allows any user (no token required) to delete a dataset, potentially causing data loss or service dis...
WordPress Password Protected plugin <= 2.6.6 - Missing Authorization to Sensitive Information Exposure vulnerability
Missing Authorization to Sensitive Information Exposure vulnerability discovered by Francesco Carlucci in WordPress Plugin Password Protected versions = 2.6.6...
Acronis Cyber Protect 安全漏洞
Acronis Cyber Protect is an all-in-one cyber protection solution for business and enterprise from Acronis Singapore. Combining backup, anti-malware, cybersecurity and endpoint management features such as vulnerability assessment, URL filtering, patch management, and more. A security vulnerability...
CVE-2024-2838
CVE-2024-2838 affects WPC Composite Products for WooCommerce (WordPress) up to version 7.2.7, enabling Stored Cross-Site Scripting via the wooco_components[0][name] parameter due to insufficient input sanitization/output escaping and missing authorization on ajax_save_components. The vulnerabilit...
PT-2024-18176 · Lunary Ai · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 0.3.0 Description: An Insecure Direct Object Reference IDOR vulnerability exists, allowing unauthorized deletion of any organization's project. The issue is due to insufficient authorization checks in the project...
WordPress plugin Shortcodes and extra features for Phlox theme 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability in the WordPress...
CVE-2024-25643
The SAP Fiori app My Overtime Request - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to...
PT-2024-10361 · Drupal · Drupal Entity Delete Log
Name of the Vulnerable Software and Affected Versions: Drupal Entity Delete Log versions 0.0.0 through 1.1.1 Description: The issue is related to a lack of authorization in the Drupal Entity Delete Log, which allows for forceful browsing. This can enable a remote attacker to bypass security...
PT-2024-14858 · WordPress · Eazydocs
Name of the Vulnerable Software and Affected Versions: EazyDocs WordPress plugin versions prior to 2.3.6 Description: The issue allows unauthenticated users to delete arbitrary posts, as well as add and delete documents/sections, due to the lack of authorization and CSRF checks when handling...
PT-2024-14841 · WordPress · Demomentsomtres Wordpress Export Posts With Images
Name of the Vulnerable Software and Affected Versions: DeMomentSomTres WordPress Export Posts With Images WordPress plugin through 20220825 Description: The issue allows any logged-in user, such as subscribers, to export the contents of the blog, including restricted and unpublished posts, as wel...
CVE-2023-6955
A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group...
CVE-2024-21736
SAP S/4HANA Finance for Advanced Payment Management - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application...
CVE-2023-6529
The WP VR WordPress plugin before 8.3.15 does not authorisation and CSRF in a function hooked to admininit, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities...
Peplink Balance Security Breach
Peplink Balance is a router from Peplink. A security vulnerability exists in Peplink Balance Two versions prior to 8.4.0, which stems from a lack of authorization checking in the administration web service that allows read-only, unprivileged users to access sensitive information about the device'...
CVE-2023-5991
The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server...
PT-2023-30938 · Unknown · Participants Database
Name of the Vulnerable Software and Affected Versions: Participants Database versions n/a through 2.5.5 Description: The issue affects the Participants Database, allowing access to functionality not properly constrained by ACLs due to a Missing Authorization and Cross-Site Request Forgery CSRF...
PT-2023-30802 · Unknown · Smartstar Software Cws
Name of the Vulnerable Software and Affected Versions: SmartStar Software CWS affected versions not specified Description: The issue is related to missing authorization in the SmartStar Software CWS web-based integration platform. This allows users to access data or perform actions that they shou...
CVE-2023-5611
The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them...
WordPress Plugin WP Hotel Booking Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
CVE-2023-30969
The Palantir Tiles1 service was found to be vulnerable to an API wide issue where the service was not performing authentication/authorization on all the endpoints...