Export limit exceeded: 357240 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 357240 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11130 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-8601 | 2 Techexcel, Techexcel Inc. | 2 Back Office Software, Back Office | 2024-09-17 | 6.5 Medium |
| This vulnerability exists in TechExcel Back Office Software versions prior to 1.0.0 due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter through API request URL which could lead to unauthorized access to sensitive information belonging to other users. | ||||
| CVE-2024-8042 | 1 Rapid7 | 1 Insight Platform | 2024-09-17 | 2.4 Low |
| Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024. | ||||
| CVE-2024-44112 | 1 Sap | 1 Oil \%\/ Gas | 2024-09-16 | 4.3 Medium |
| Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table. There is no effect on confidentiality or availability. | ||||
| CVE-2024-41728 | 1 Sap | 1 Netweaver Application Server Abap | 2024-09-16 | 2.7 Low |
| Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects. | ||||
| CVE-2024-44114 | 1 Sap | 1 Netweaver Application Server Abap | 2024-09-16 | 2 Low |
| SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application. | ||||
| CVE-2024-45058 | 1 Portabilis | 1 I-educar | 2024-09-13 | 8.1 High |
| i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. Prior to the 2.9 branch, an attacker with only minimal viewing privileges in the settings section is able to change their user type to Administrator (or another type with super-permissions) through a specifically crafted POST request to `/intranet/educar_usuario_cad.php`, modifying the `nivel_usuario_` parameter. The vulnerability occurs in the file located at `ieducar/intranet/educar_usuario_cad.php`, which does not check the user's current permission level before allowing changes. Commit c25910cdf11ab50e50162a49dd44bef544422b6e contains a patch for the issue. | ||||
| CVE-2024-8195 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2024-09-13 | 5.3 Medium |
| The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'debug_data', 'debug_query', and 'debug_redirect' functions in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to extract sensitive data including password, title, and content of password-protected posts. | ||||
| CVE-2024-6631 | 1 Imagerecycle | 1 Imagerecycle Pdf \& Image Compression | 2024-09-12 | 5 Medium |
| The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 3.1.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions, such as updating plugin settings. | ||||
| CVE-2024-42470 | 1 Openhab | 2 Openhab, Openhab Webui | 2024-09-12 | 6.5 Medium |
| openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Several endpoints in versions prior to 4.2.1 of the CometVisu add-on of openHAB don't require authentication. This makes it possible for unauthenticated attackers to modify or to steal sensitive data. This issue may lead to sensitive information disclosure. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch. | ||||
| CVE-2024-33005 | 1 Sap | 4 Content Server, Netweaver Abap, Netweaver Java and 1 more | 2024-09-12 | 6.3 Medium |
| Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications. | ||||
| CVE-2024-41730 | 2 Sap, Sap Se | 2 Business Objects Business Intelligence Platform, Sap Business Objects Business Intgelligence Platform | 2024-09-12 | 9.8 Critical |
| In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability. | ||||
| CVE-2024-42376 | 1 Sap | 1 Shared Service Framework | 2024-09-12 | 6.5 Medium |
| SAP Shared Service Framework does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the application. | ||||
| CVE-2024-42377 | 1 Sap | 1 Shared Service Framework | 2024-09-12 | 4.3 Medium |
| SAP shared service framework allows an authenticated non-administrative user to call a remote-enabled function, which will allow them to insert value entries into a non-sensitive table, causing low impact on integrity of the application | ||||
| CVE-2024-39591 | 1 Sap | 1 Document Builder | 2024-09-12 | 4.3 Medium |
| SAP Document Builder does not perform necessary authorization checks for one of the function modules resulting in escalation of privileges causing low impact on confidentiality of the application. | ||||
| CVE-2024-41734 | 1 Sap | 1 Netweaver Application Server Abap | 2024-09-12 | 4.3 Medium |
| Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability. | ||||
| CVE-2024-42373 | 1 Sap | 1 Student Life Cycle Management | 2024-09-12 | 4.3 Medium |
| SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to delete non-sensitive report variants that are typically restricted, causing minimal impact on the integrity of the application. | ||||
| CVE-2024-8011 | 1 Logitech | 1 Options\+ | 2024-09-11 | 5.5 Medium |
| Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera. | ||||
| CVE-2024-8427 | 1 Wpshuffle | 1 Frontend Post Submission Manager | 2024-09-11 | 4.3 Medium |
| The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_global_settings and process_form_edit functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and forms. | ||||
| CVE-2024-44408 | 2 D-link, Dlink | 3 Dir-823g, Dir-823g, Dir-823g Firmware | 2024-09-10 | 7.5 High |
| D-Link DIR-823G v1.0.2B05_20181207 is vulnerable to Information Disclosure. The device allows unauthorized configuration file downloads, and the downloaded configuration files contain plaintext user passwords. | ||||
| CVE-2024-45307 | 1 Onesoftnet | 1 Sudobot | 2024-09-07 | 8.8 High |
| SudoBot, a Discord moderation bot, is vulnerable to privilege escalation and exploit of the `-config` command in versions prior to 9.26.7. Anyone is theoretically able to update any configuration of the bot and potentially gain control over the bot's settings. Every version of v9 before v9.26.7 is affected. Other versions (e.g. v8) are not affected. Users should upgrade to version 9.26.7 to receive a patch. A workaround would be to create a command permission overwrite in the Database. A SQL statement provided in the GitHub Security Advisor can be executed to create a overwrite that disallows users without `ManageGuild` permission to run the `-config` command. Run the SQL statement for every server the bot is in, and replace `<guild_id>` with the appropriate Guild ID each time. | ||||