289 matches found
CVE-2024-13771
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change...
CVE-2024-13771
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change...
CVE-2024-13771
CVE-2024-13771 affects the Civi - Job Board & Freelance Marketplace WordPress Theme (
CVE-2024-8682
The JNews - WordPress Newspaper Magazine Blog AMP Theme theme for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 11.6.6. This is due to the plugin not properly validate if the user can register option is enabled prior to creating a user though the...
DRUPAL-CONTRIB-2025-019
The Cache Utility module provides an ability to view status and flush various caches. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when flushing a cache...
CVE-2024-13677
The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details...
CVE-2022-43644
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Dreambox plugin for the xupnpd service, which listens on T...
CVE-2020-15430
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajaxlistaccounts.php. When parsing the username parameter, the proces...
GHSA-9WMC-988H-2MV2 TeamPass privileges issue
TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different userid...
CVE-2024-11103
The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated...
CVE-2023-52333
CVE-2023-52333 affects Allegra via the saveFile directory traversal vulnerability. The flaw arises from insufficient validation of a user-supplied path used in file operations, enabling remote code execution in the LOCAL SERVICE context. The initial description notes that authentication is requir...
Improper Authorization
symfony/security-bundle is vulnerable to Improper Authorization. The vulnerability is due to the Security::login method not calling the configured userchecker, preventing proper user validation and allowing unauthorized logins...
CVE-2020-3420 Cisco Unified Communications Manager Stored Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Unified Communications Manager Unified CM and Cisco Unified Communications Manager Session Management Edition Unified CM SME could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of...
CVE-2024-10174
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the 'AbstractPermission' class due to missing validation on the 'useri...
CVE-2024-20533
Cisco CVE-2024-20533 affects the web UI of Cisco Desk Phone 9800 Series, IP Phones 6800/7800/8800, and Video Phone 8875 with Multiplatform Firmware. The issue is stored XSS arising from improper validation of user input in the web UI, allowing an authenticated remote attacker to inject script via...
CVE-2024-9988
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the 'cryptoconnectajaxprocess::register' function. This makes it possible for unauthenticated attackers to log in as any...
CVE-2024-9637
CVE-2024-9637 concerns the WordPress plugin School Management System – WPSchoolPress . The vulnerability is an Insecure Direct Object Reference (IDOR) that enables privilege escalation via account takeover. An authenticated user with teacher-level access or above can alter other users’ emails (in...
Cisco NX-OS Protection Mechanism Failure (CVE-2024-20284)
A vulnerability in the Python interpreter of Cisco NX-OS Software could allow an authenticated, low-privileged, local attacker to escape the Python sandbox and gain unauthorized access to the underlying operating system of the device. The vulnerability is due to insufficient validation of...
CVE-2024-6482
CVE-2024-6482 : The WordPress plugin Login with phone number (versions
CVE-2024-8428
The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submitformhandler due to missing validation on the 'userid' user controlled key. This makes it possible...