Total: 7706 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-10606 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-11 | 4.3 Medium |
| The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with contributor-level access and above, to modify several settings that could have an impact such as lost revenue and page updates. | ||||
| CVE-2024-56512 | 1 Apache | 1 Nifi | 2025-02-11 | 5.4 Medium |
| Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to download non-sensitive Parameter values after creating the Process Group. Creating a new Process Group can also include referencing existing Controller Services or Parameter Providers. The framework did not check user authorization for referenced Controller Services or Parameter Providers, enabling clients to create Process Groups and use these components that were otherwise unauthorized. This vulnerability is limited in scope to authenticated users authorized to create Process Groups. The scope is further limited to deployments with component-based authorization policies. Upgrading to Apache NiFi 2.1.0 is the recommended mitigation, which includes authorization checking for Parameter and Controller Service references on Process Group creation. | ||||
| CVE-2024-30508 | 1 Thimpress | 1 Wp Hotel Booking | 2025-02-11 | 6.5 Medium |
| Missing Authorization vulnerability in ThimPress WP Hotel Booking. This issue affects WP Hotel Booking: from n/a through 2.0.9.2. | ||||
| CVE-2023-41870 | 1 Themeum | 1 Wp Crowdfunding | 2025-02-11 | 4.3 Medium |
| Missing Authorization vulnerability in Themeum WP Crowdfunding allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Crowdfunding: from n/a through 2.1.5. | ||||
| CVE-2023-37890 | 1 Logon | 1 Kb Support | 2025-02-11 | 4.3 Medium |
| Missing Authorization vulnerability in WPOmnia KB Support – WordPress Help Desk and Knowledge Base allows Accessing Functionality Not Properly Constrained by ACLs. Users with a role as low as a subscriber can view other customers. This issue affects KB Support – WordPress Help Desk and Knowledge Base: from n/a through 1.5.88. | ||||
| CVE-2023-1167 | 1 Gitlab | 1 Gitlab | 2025-02-10 | 5.3 Medium |
| Improper authorization in GitLab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows unauthorized access to security reports in an MR. | ||||
| CVE-2024-37453 | 1 Metagauss | 1 Profilegrid | 2025-02-10 | 4.3 Medium |
| Missing Authorization vulnerability in ProfileGrid User Profiles ProfileGrid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ProfileGrid: from n/a through 5.8.7. | ||||
| CVE-2023-1782 | 1 Hashicorp | 1 Nomad | 2025-02-10 | 10 Critical |
| HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3. | ||||
| CVE-2024-32798 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-10 | 7.5 High |
| Missing Authorization vulnerability in WP Travel Engine. This issue affects WP Travel Engine: from n/a through 5.8.0. | ||||
| CVE-2024-33589 | 1 Logon | 1 Kb Support | 2025-02-10 | 6.5 Medium |
| Missing Authorization vulnerability in WPOmnia KB Support. This issue affects KB Support: from n/a through 1.6.0. | ||||
| CVE-2022-0218 | 1 Codemiq | 1 Wordpress Email Template Designer | 2025-02-10 | 8.3 High |
| The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site. | ||||
| CVE-2024-32684 | 1 Wpmet | 1 Wp Ultimate Review | 2025-02-09 | 5.3 Medium |
| Missing Authorization vulnerability in Wpmet Wp Ultimate Review. This issue affects Wp Ultimate Review: from n/a through 2.2.5. | ||||
| CVE-2023-50898 | 1 Sirv | 1 Sirv | 2025-02-09 | 5.4 Medium |
| Missing Authorization vulnerability in sirv.Com Sirv. This issue affects Sirv: from n/a through 7.1.2. | ||||
| CVE-2022-1329 | 1 Elementor | 1 Website Builder | 2025-02-07 | 8.8 High |
| The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that makes it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2. | ||||
| CVE-2023-1903 | 1 Sap | 1 Hcm Fiori App My Forms | 2025-02-07 | 4.3 Medium |
| SAP HCM Fiori App My Forms (Fiori 2.0) - version 605, does not perform necessary authorization checks for an authenticated user exposing the restricted header data. | ||||
| CVE-2023-30521 | 1 Jenkins | 1 Assembla Merge Request Builder | 2025-02-07 | 5.3 Medium |
| A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. | ||||
| CVE-2023-30518 | 1 Jenkins | 1 Thycotic Secret Server | 2025-02-07 | 4.3 Medium |
| A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | ||||
| CVE-2023-30532 | 1 Jenkins | 1 Turboscript | 2025-02-07 | 6.5 Medium |
| A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository. | ||||
| CVE-2023-30526 | 1 Jenkins | 1 Report Portal | 2025-02-07 | 6.5 Medium |
| A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication. | ||||
| CVE-2023-30522 | 1 Jenkins | 1 Fogbugz | 2025-02-07 | 4.3 Medium |
| A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter. | ||||
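The WordPress entries above (CVE-2024-10606, CVE-2022-1329, CVE-2022-0218) describe one defect class: a handler that writes settings or files is reachable through admin-ajax or the REST API without checking the caller's capability. The PHP below is added here as an illustration and is not code from any plugin on this page. It shows a hypothetical settings handler in its vulnerable and hardened forms; the `demo_*` function names, the `demo/v1` namespace and the `demo_settings` option are assumed, while `check_ajax_referer`, `current_user_can`, `register_rest_route` and `permission_callback` are WordPress core APIs.

```php
<?php
/**
 * Added example (not code from any plugin listed on this page). It shows the
 * pattern behind the "missing capability check" findings: a settings handler
 * exposed via admin-ajax and via the REST API, first unprotected, then fixed.
 * All names (demo_*, demo/v1, demo_settings) are hypothetical.
 */

// Accept only known keys and sanitize each value before it reaches the DB.
function demo_sanitize_settings( array $raw ) {
    $clean = array();
    if ( isset( $raw['header_text'] ) ) {
        $clean['header_text'] = sanitize_text_field( wp_unslash( $raw['header_text'] ) );
    }
    if ( isset( $raw['accent_color'] ) && preg_match( '/^#[0-9a-fA-F]{6}$/', $raw['accent_color'] ) ) {
        $clean['accent_color'] = $raw['accent_color'];
    }
    $clean['notify_admin'] = ! empty( $raw['notify_admin'] );
    return $clean;
}

/* ---- Vulnerable form --------------------------------------------------- */

// wp_ajax_* hooks fire for ANY logged-in user. Nothing here checks who the
// caller is or whether the request was intentional, so a subscriber-level
// account (or a CSRF page an admin visits) can overwrite site-wide settings.
function demo_save_settings_unprotected() {
    $raw = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'demo_settings', $raw ); // unsanitized and unauthorized
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_settings_unprotected', 'demo_save_settings_unprotected' );

// permission_callback => '__return_true' makes the route reachable without any
// session at all. That is how an unauthenticated client ends up writing
// settings; if a setting is later echoed unescaped, stored JavaScript follows.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings-unprotected', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'demo_settings', (array) $request->get_param( 'settings' ) );
            return rest_ensure_response( get_option( 'demo_settings' ) );
        },
        'permission_callback' => '__return_true',
    ) );
} );

/* ---- Hardened form ----------------------------------------------------- */

function demo_save_settings() {
    // CSRF: the request must carry a nonce issued to this user for this action.
    // A nonce alone is NOT authorization: a contributor can obtain one from any
    // page that prints it, so the capability check below is still required.
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    // Authorization: settings writes need manage_options, which the contributor,
    // author and subscriber roles do not hold by default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $clean = demo_sanitize_settings( isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array() );
    update_option( 'demo_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings' );

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'  => WP_REST_Server::EDITABLE,
        'callback' => function ( WP_REST_Request $request ) {
            $clean = demo_sanitize_settings( (array) $request->get_param( 'settings' ) );
            update_option( 'demo_settings', $clean );
            return rest_ensure_response( $clean );
        },
        // Runs before the callback; a false return yields 401 (anonymous) or
        // 403 (authenticated) from WP_REST_Server. Cookie-authenticated callers
        // must also send a valid X-WP-Nonce header or core treats them as anonymous.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'settings' => array( 'required' => true, 'type' => 'object' ),
        ),
    ) );
} );
```

Two checks worth running against any plugin under review: grep for `wp_ajax_` and `register_rest_route` and confirm every handler reached that way calls `current_user_can` (or an equivalent role or ownership test) on its own, not just a nonce check, and confirm no `permission_callback` is `__return_true` on a route that writes data. The nonce protects against cross-site requests; only the capability check decides who is allowed to make the change.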