Export limit exceeded: 11183 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11183 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-37453 | 1 Metagauss | 1 Profilegrid | 2025-02-10 | 4.3 Medium |
| Missing Authorization vulnerability in ProfileGrid User Profiles ProfileGrid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProfileGrid: from n/a through 5.8.7. | ||||
| CVE-2023-28634 | 1 Glpi-project | 1 Glpi | 2025-02-10 | 8.8 High |
| GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue. | ||||
| CVE-2023-1782 | 1 Hashicorp | 1 Nomad | 2025-02-10 | 10 Critical |
| HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3. | ||||
| CVE-2024-32798 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-10 | 7.5 High |
| Missing Authorization vulnerability in WP Travel Engine.This issue affects WP Travel Engine: from n/a through 5.8.0. | ||||
| CVE-2022-0218 | 1 Codemiq | 1 Wordpress Email Template Designer | 2025-02-10 | 8.3 High |
| The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site. | ||||
| CVE-2022-1329 | 1 Elementor | 1 Website Builder | 2025-02-07 | 8.8 High |
| The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2. | ||||
| CVE-2023-1903 | 1 Sap | 1 Hcm Fiori App My Forms | 2025-02-07 | 4.3 Medium |
| SAP HCM Fiori App My Forms (Fiori 2.0) - version 605, does not perform necessary authorization checks for an authenticated user exposing the restricted header data. | ||||
| CVE-2023-30521 | 1 Jenkins | 1 Assembla Merge Request Builder | 2025-02-07 | 5.3 Medium |
| A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. | ||||
| CVE-2023-30518 | 1 Jenkins | 1 Thycotic Secret Server | 2025-02-07 | 4.3 Medium |
| A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | ||||
| CVE-2023-30532 | 1 Jenkins | 1 Turboscript | 2025-02-07 | 6.5 Medium |
| A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository. | ||||
| CVE-2023-30526 | 1 Jenkins | 1 Report Portal | 2025-02-07 | 6.5 Medium |
| A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication. | ||||
| CVE-2023-30522 | 1 Jenkins | 1 Fogbugz | 2025-02-07 | 4.3 Medium |
| A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter. | ||||
| CVE-2023-30519 | 1 Jenkins | 1 Quay.io Trigger | 2025-02-07 | 5.3 Medium |
| A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. | ||||
| CVE-2024-9654 | 1 Awesomemotive | 1 Easy Digital Downloads | 2025-02-07 | 3.7 Low |
| The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased. | ||||
| CVE-2024-43162 | 1 Awesomemotive | 1 Easy Digital Downloads | 2025-02-07 | 4.3 Medium |
| Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.2.12. | ||||
| CVE-2022-43770 | 1 Hitachivantara | 1 Pentaho Business Analytics | 2025-02-07 | 5.4 Medium |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. | ||||
| CVE-2024-37463 | 1 Crmperks | 1 Crm Perks Forms | 2025-02-07 | 5.3 Medium |
| Missing Authorization vulnerability in CRM Perks CRM Perks Forms allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CRM Perks Forms: from n/a through 1.1.5. | ||||
| CVE-2023-29529 | 1 Matrix | 1 Javascript Sdk | 2025-02-06 | 5 Medium |
| matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present. | ||||
| CVE-2024-27939 | 1 Siemens | 1 Ruggedcom Crossbow | 2025-02-06 | 9.8 Critical |
| A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow the upload of arbitrary files of any unauthenticated user. An attacker could leverage this vulnerability and achieve arbitrary code execution with system privileges. | ||||
| CVE-2023-38102 | 1 Netgear | 1 Prosafe Network Management System | 2025-02-06 | 8.8 High |
| NETGEAR ProSAFE Network Management System createUser Missing Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the createUser function. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-19726. | ||||