11 matches found

The Hacker News
added 2024/11/27 4:05 p.m. | 13 views

Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers

A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023, was not...

CVSS 9.8 | AI score 10 | EPSS 0.91559
Exploits: 4

CVE
added 2024/06/13 5:34 a.m. | 67 views

CVE-2024-2098

CVE-2024-2098 affects the WordPress Download Manager plugin. The flaw is an improper authorization check in protectMediaLibrary, impacting all versions up to and including 3.2.89 and enables unauthenticated attackers to download password‑protected files. A fixed release exists (3.2.90) per Patchs...

CVSS 7.5 | AI score 7.5 | EPSS 0.00454
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2023/11/27 10:22 a.m. | 16 views

CVE-2023-40610 Apache Superset: Privilege escalation with default examples database

Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL stateme...

CVSS 6.3 | AI score 9.2 | EPSS 0.01335
Exploits: 0 | References: 3

CVE
added 2023/11/27 10:22 a.m. | 65 views

CVE-2023-40610

CVE-2023-40610 affects Apache Superset prior to version 2.1.2. The issue is an improper authorization check that enables privilege escalation when using the default examples database connection, which can grant access to both the examples schema and Superset metadata DB. A specially crafted CTE S...

CVSS 8.8 | AI score 7.6 | EPSS 0.01335
Exploits: 0 | References: 3 | Affected Software: 1

Huntr
added 2023/01/18 8:09 a.m. | 12 views

An attacker can view private posts

Description: The bookmark saving functionality performs an improper authorization check. To exploit this, an attacker is required to know the target post ID. This is done via share link or by less possibly brute-forcing. Proof of Concept: 1. victim: Create a new post whose visibility is Followers Only...

CVSS 5 | AI score 5.4 | EPSS 0.00546
Exploits: 1

CVE
added 2022/06/14 6:36 p.m. | 65 views

CVE-2022-31589

CVE-2022-31589 impact details from a PT-Security note describe an improper authorization check affecting the SHAAM program’s Israeli File usage, specifically the /ATL/VQ23 transaction (API Endpoint). This can grant business users more than requested permissions, potentially allowing access to dat...

CVSS 6.5 | AI score 6.4 | EPSS 0.00608
Exploits: 0 | References: 2 | Affected Software: 3

Atlassian
added 2020/01/23 1:36 a.m. | 30 views

Improper Authorization in Applinks - CVE-2019-20105

The Application links plugin used in Atlassian Jira Server and Data Center before version 7.13.12, from version 8.0.0 before version 8.5.4 and from version 8.6.0 before version 8.6.1 allows remote attackers with administrator privileges to edit existing applinks without passing WebSudo via an...

CVSS 4.9 | AI score 5.5 | EPSS 0.01487
Exploits: 0

OSV
added 2019/06/02 8:29 p.m. | 14 views

CVE-2017-18376

An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala...

CVSS 8.8 | AI score 7.1
Exploits: 0 | References: 3

NVD
added 2019/06/02 8:29 p.m. | 23 views

CVE-2017-18376

An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala...

CVSS 8.8 | AI score 8.8 | EPSS 0.01883
Exploits: 0 | References: 3

CVE
added 2019/06/02 7:12 p.m. | 52 views

CVE-2017-18376

The Hive vulnerability CVE-2017-18376 is an improper authorization check in the User API (app/controllers/UserCtrl.scala) that lets users with read-only or read/write access escalate to administrator privileges. Affected versions are TheHive before 2.13.4 and 3.x before 3.3.1. Impact details indi...

CVSS 8.8 | AI score 8.8 | EPSS 0.01883
Exploits: 0 | References: 3 | Affected Software: 1

0day.today
added 2015/01/19 12:00 a.m. | 76 views

Microsoft Windows NtApphelpCacheControl Improper Authorization Check Exploit

Exploit for Windows platform in category: remote exploits. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/post/windows/reflectivedllinjection' class Metasploit3 'Microsoft Windows...

CVSS 7.2 | AI score 6.5 | EPSS 0.13802
Exploits: 4