Total
810 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-42422 | 1 Dell | 1 Networker | 2025-02-03 | N/A | 8.3 HIGH |
| Dell NetWorker, version(s) 19.10, contain(s) an Authorization Bypass Through User-Controlled Key vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | |||||
| CVE-2024-12102 | 1 Seventhqueen | 1 Typer Core | 2025-01-31 | N/A | 4.3 MEDIUM |
| The Typer Core plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.6 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to. | |||||
| CVE-2024-4154 | 1 Lunary | 1 Lunary | 2025-01-31 | N/A | 6.5 MEDIUM |
| In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources. | |||||
| CVE-2024-4151 | 1 Lunary | 1 Lunary | 2025-01-31 | N/A | 8.1 HIGH |
| An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues. | |||||
| CVE-2024-1626 | 1 Lunary | 1 Lunary | 2025-01-31 | N/A | 8.1 HIGH |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/v1/projects/:projectId' endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated user, enabling unauthorized modifications across different organizational projects. | |||||
| CVE-2023-1911 | 1 Creativethemes | 1 Blocksy Companion | 2025-01-30 | N/A | 4.3 MEDIUM |
| The Blocksy Companion WordPress plugin before 1.8.82 does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated users, such as subscriber to access draft posts for example | |||||
| CVE-2023-1125 | 1 Wpruby | 1 Ruby Help Desk | 2025-01-30 | N/A | 6.5 MEDIUM |
| The Ruby Help Desk WordPress plugin before 1.3.4 does not ensure that the ticket being modified belongs to the user making the request, allowing an attacker to close and/or add files and replies to tickets other than their own. | |||||
| CVE-2024-1625 | 1 Lunary | 1 Lunary | 2025-01-30 | N/A | 6.5 MEDIUM |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project's ID. This issue affects the project deletion functionality implemented in the projects.delete route. | |||||
| CVE-2023-30216 | 1 Newbee-mall Project | 1 Newbee-mall | 2025-01-29 | N/A | 5.4 MEDIUM |
| Insecure permissions in the updateUserInfo function of newbee-mall before commit 1f2c2dfy allows attackers to obtain user account information. | |||||
| CVE-2024-10779 | 1 Codeless | 1 Cowidgets Elementor Addons | 2025-01-29 | N/A | 5.3 MEDIUM |
| The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.0 via the 'ce_template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to. | |||||
| CVE-2024-10770 | 1 Envothemes | 1 Envo Extra | 2025-01-29 | N/A | 4.3 MEDIUM |
| The Envo Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.3 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to. | |||||
| CVE-2023-30550 | 1 Metersphere | 1 Metersphere | 2025-01-29 | N/A | 6.8 MEDIUM |
| MeterSphere is an open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing, and performance testing. This IDOR vulnerability allows the administrator of a project to modify other projects under the workspace. An attacker can obtain some operating permissions. The issue has been fixed in version 2.9.0. | |||||
| CVE-2024-9862 | 1 Miniorange | 1 Otp Verification With Firebase | 2025-01-28 | N/A | 9.8 CRITICAL |
| The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. | |||||
| CVE-2024-38827 | 2025-01-24 | N/A | 4.8 MEDIUM | ||
| The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly. | |||||
| CVE-2025-22608 | 2025-01-24 | N/A | 6.5 MEDIUM | ||
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to revoke any team invitations on a Coolify instance by only providing a predictable and incrementing ID, resulting in a Denial-of-Service attack (DOS). Version 4.0.0-beta.361 fixes the issue. | |||||
| CVE-2024-4279 | 1 Themeum | 1 Tutor Lms | 2025-01-24 | N/A | 6.5 MEDIUM |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course. | |||||
| CVE-2024-3139 | 1 Oretnom23 | 1 Computer Laboratory Management System | 2025-01-24 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability, which was classified as critical, has been found in SourceCodester Computer Laboratory Management System 1.0. Affected by this issue is the function save_users of the file /classes/Users.php?f=save. The manipulation of the argument id leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-258914 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-10868 | 1 Themelooks | 1 Enter Addons | 2025-01-23 | N/A | 4.3 MEDIUM |
| The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.1.9 via the Advanced Tabs widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to. | |||||
| CVE-2024-37277 | 1 Strangerstudios | 1 Paid Memberships Pro | 2025-01-22 | N/A | 7.5 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Paid Memberships Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Paid Memberships Pro: from n/a through 3.0.4. | |||||
| CVE-2024-10497 | 2025-01-17 | N/A | 8.8 HIGH | ||
| CWE-639: Authorization Bypass Through User-Controlled Key vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (Elevation of Privileges) when the attacker sends modified HTTPS requests to the device. | |||||