4960 matches found
CVE-2024-29897
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with delete or suppressrevision on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. T...
CVE-2024-29897 CreateWiki Leak of suppressed wiki requests outside of `CreateWikiGlobalWiki`
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with delete or suppressrevision on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. T...
CVE-2024-29897 CreateWiki Leak of suppressed wiki requests outside of `CreateWikiGlobalWiki`
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with delete or suppressrevision on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. T...
WP ERP <= 1.12.9 - Authenticated (Accounting Manager+) SQL Injection
Description The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the erp/v1/accounting/v1/transactions/sales REST API endpoint in all versions up to, and including, 1.12.9 due to...
Elasticsearch Incorrect Authorization vulnerability
Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to...
GHSA-R3HX-QFH5-R9M7 Elasticsearch Incorrect Authorization vulnerability
Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to...
CVE-2024-23451 Elasticsearch Incorrect Authorization in the Remote Cluster Security API key based security model
Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to...
GeoServer Arbitrary File Upload Vulnerability
GeoServer is an open source software server written in Java. Allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in GeoServer versions prior to 2.23.4 and 2.24.1, which stems from the application's lack of effective authentication of uploaded files. An...
CVE-2023-51445
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting XSS vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a...
CVE-2024-23634 GeoServer arbitrary file renaming vulnerability in REST Coverage/Data Store API
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores through the REST...
CVE-2024-23634
CVE-2024-23634 (GeoServer) affects GeoServer versions prior to 2.23.5 and 2.24.2. An authenticated administrator with REST Coverage/Data Store API file-store permissions can rename arbitrary files/directories to names not ending in .zip. External uploads are particularly susceptible, risking deni...
CVE-2024-23634 GeoServer arbitrary file renaming vulnerability in REST Coverage/Data Store API
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores through the REST...
CVE-2024-23634 GeoServer arbitrary file renaming vulnerability in REST Coverage/Data Store API
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores through the REST...
CVE-2023-51445 GeoServer Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting XSS vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a...
CVE-2023-51444 GeoServer arbitrary file upload vulnerability in REST Coverage Store API
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with permissions to modify coverage stores through the...
CVE-2023-51444 GeoServer arbitrary file upload vulnerability in REST Coverage Store API
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with permissions to modify coverage stores through the...
GHSA-75M5-HH4R-Q9GX GeoServer Arbitrary file renaming vulnerability in REST Coverage/Data Store API
Summary An arbitrary file renaming vulnerability exists that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in ".zip". Details Store file uploads...
GeoServer Arbitrary file renaming vulnerability in REST Coverage/Data Store API
Summary An arbitrary file renaming vulnerability exists that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in ".zip". Details Store file uploads...
Stored Cross-Site Scripting (XSS) vulnerability in GeoServer's REST Resources API
Summary A stored cross-site scripting XSS vulnerability exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources that will execute in the context of another administrator's browser when viewed in the REST...
CVE-2024-1473
The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page contents via REST API thus bypassing maintenance mo...