202 matches found
CVE-2024-11821
CVE-2024-11821 affects langgenius/dify 0.9.1. The issue is a privilege escalation where a normal user can modify Orchestrate instructions for an admin-created chatbot due to improper access control on the endpoint /console/api/apps/{chatbot-id}/model-config. The CVE entry lists a CVSSv3 base scor...
CVE-2025-25585
CVE-2025-25585 affects yimioa prior to v2024.07.04. The vulnerability is in the component /config/WebSecurityConfig.java and is caused by incorrect access control, enabling unauthorized attackers to arbitrarily modify the administrator password. The CVE details from multiple sources align on this...
CVE-2024-56897
Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset...
CVE-2024-56897
Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset...
CVE-2024-56897
Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset...
CVE-2024-56897
Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset...
CVE-2022-29176
Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so. To be vulnerable, a gem needed: one or more dashes i...
CVE-2022-41937
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package. The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8. As a...
CVE-2024-1626
An Insecure Direct Object Reference IDOR vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly...
Oracle Java SE Security Update (Jan 2025) - Linux
Oracle Java SE is prone to an unspecified vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Oracle VirtualBox Security Update (Jan 2025) - Windows
Oracle VirtualBox is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:oracle:vmvirtualbox";...
Oracle Java SE Security Update (Jan 2025) - Windows
Oracle Java SE is prone to an unspecified vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
JetBrains TeamCity < 2024.12 Multiple Vulnerabilities
The version of JetBrains TeamCity installed on the remote host is prior to 2024.12. It is, therefore, affected by multiple vulnerabilities: - In JetBrains TeamCity before 2024.12, Improper access control allowed viewing details of unauthorized agents TW-85841 - In JetBrains TeamCity before 2024.1...
CVE-2024-52294 khoj has an IDOR in subscription management that allows unauthorized subscription modifications
Khoj is a self-hostable artificial intelligence app. Prior to version 1.29.10, an Insecure Direct Object Reference IDOR vulnerability in the updatesubscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the...
CVE-2024-52294 khoj has an IDOR in subscription management that allows unauthorized subscription modifications
Khoj is a self-hostable artificial intelligence app. Prior to version 1.29.10, an Insecure Direct Object Reference IDOR vulnerability in the updatesubscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the...
GHSA-HQ4H-W933-JM6C khoj has an IDOR in subscription management allows unauthorized subscription modifications
Summary An Insecure Direct Object Reference IDOR vulnerability in the updatesubscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the request. Details The vulnerability exists in the subscription endpoint at...
GO-2024-3268 Harbor fails to validate the user permissions when updating p2p preheat policies in github.com/goharbor/harbor
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in oth...
PT-2024-8801
Name of the Vulnerable Software and Affected Versions ProjectSend versions prior to r1720 Description The issue is related to an improper authentication vulnerability in ProjectSend, allowing remote, unauthenticated attackers to modify the application's configuration by sending crafted HTTP...
CVE-2024-8036 Unauthorized Modifications of Firmware and Configuration
ABB is aware of privately reported vulnerabilities in the product versions referenced in this CVE. An attacker could exploit these vulnerabilities by sending a specially crafted firmware or configuration to the system node, causing the node to stop, become inaccessible, or allowing the attacker t...
CVE-2024-8036
CVE-2024-8036 relates to ABB product families (e.g., Relion protection relays) where the root cause is a data-forgery risk in the firmware/config update process: the vulnerability arises because the firmware or configuration file’s authenticity/integrity is not checked, enabling an attacker to ca...