21 matches found
Security Bulletin: Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
Summary An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any...
CVE-2026-3605 Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret...
CVE-2026-3155
The CVE refers to the OneSignal – Web Push Notifications plugin for WordPress, vulnerable to an authorization bypass through versions up to 3.8.0 caused by improper verification of user authorization. This enables authenticated attackers with subscriber-level access and above to delete OneSignal ...
CVE-2026-0942
The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs function in all versions up to, and including, 5.1.2. This makes it possible for unauthenticated...
EUVD-2021-22761
Malware in sbrugna...
[SECURITY] Fedora 43 Update: exiv2-0.28.6-2.fc43
A command line utility to access image metadata, allowing one to: print the Exif metadata of Jpeg images as summary info, interpreted values, or the plain data for each tag print the Iptc metadata of Jpeg images print the Jpeg comment of Jpeg images set, add and delete Exif and Iptc metadata of...
CVE-2024-13229
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the updatemetadata function in all versions up to, and including, 1.0.235. This makes it possible for authenticated attackers, with...
CVE-2024-13229 Rank Math SEO <= 1.0.235 - Missing Authorization to Authenticated (Contributor+) Arbitrary Schema Deletion
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the updatemetadata function in all versions up to, and including, 1.0.235. This makes it possible for authenticated attackers, with...
CVE-2024-9161
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'updatemetadata' function in all versions up to, and including, 1.0.228. This makes it possible for unauthenticated...
BIT-MEDIAWIKI-2021-36129
An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata...
CVE-2021-24790
The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The...
Cross site request forgery (csrf)
The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The...
CVE-2021-24790 Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls
The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The...
PT-2021-16285 · WordPress · Contact Form Advanced Database
Name of the Vulnerable Software and Affected Versions: Contact Form Advanced Database WordPress plugin versions 1.0.8 and earlier Description: The issue concerns the lack of authorization and CSRF checks in the delete cf7 data and export cf7 data AJAX actions, which are accessible to any...
Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls
The plugin does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The deletecf7data would lead to arbitrary metadata deletion, as well ...
Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls
The plugin does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The deletecf7data would lead to arbitrary metadata deletion, as well ...
Unspecified vulnerability in MediaWiki (CNVD-2021-49057)
MediaWiki is a suite of free and freely available web-based Wiki engines from the MediaWiki Foundation. It can be used to deploy in-house knowledge management and content management systems. A security vulnerability exists in MediaWiki 1.36, which stems from the fact that the Aggregategroups Acti...
Code injection
An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata...
CVE-2021-36129
An issue was discovered in the Translate extension in MediaWiki through 1.36. The Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set, thus allowing users with the translate-manage right to silently delete various groups' metadata...
CVE-2019-14914
An issue was discovered in PRiSE adAS 1.7.0. The path is not properly escaped in the medatadatadel method, leading to an arbitrary file read and deletion via Directory Traversal...