Total
4639 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-2545 | 1 Featherplugins | 1 Feather Login Page | 2024-11-21 | N/A | 8.1 HIGH |
| The Feather Login Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getListOfUsers' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to access the login links, which can be used for privilege escalation. | |||||
| CVE-2023-2494 | 1 Granthweb | 1 Go Pricing | 2024-11-21 | N/A | 4.6 MEDIUM |
| The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin when it should only be the administrator's privilege. | |||||
| CVE-2023-2480 | 1 M-files | 1 M-files | 2024-11-21 | N/A | 7.5 HIGH |
| Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications | |||||
| CVE-2023-2448 | 1 Userproplugin | 1 Userpro | 2024-11-21 | N/A | 6.5 MEDIUM |
| The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to arbitrary shortcode execution. An attacker can leverage CVE-2023-2446 to get sensitive information via shortcode. | |||||
| CVE-2023-2434 | 1 Kylephillips | 1 Nested Pages | 2024-11-21 | N/A | 3.8 LOW |
| The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'reset' function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings. | |||||
| CVE-2023-2415 | 1 Vcita | 1 Online Booking \& Scheduling Calendar For Wordpress By Vcita | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_logout_callback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to logout a vctia connected account which would cause a denial of service on the appointment scheduler. | |||||
| CVE-2023-2299 | 1 Vcita | 1 Online Booking \& Scheduling Calendar For Wordpress | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction function. This makes it possible for unauthenticated attackers modify the plugin's settings. | |||||
| CVE-2023-2268 | 1 Plane | 1 Plane | 2024-11-21 | N/A | 7.1 HIGH |
| Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users. | |||||
| CVE-2023-2233 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 3.1 LOW |
| An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects. | |||||
| CVE-2023-2193 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 6.5 MEDIUM |
| Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token. | |||||
| CVE-2023-2189 | 1 Staxwp | 1 Stax | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_widget function in versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable Elementor widgets. | |||||
| CVE-2023-2174 | 1 Badgeos | 1 Badgeos | 2024-11-21 | N/A | 4.3 MEDIUM |
| The BadgeOS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_badgeos_log_entries function in versions up to, and including, 3.7.1.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the plugin's log entries. | |||||
| CVE-2023-29174 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in NervyThemes SKU Label Changer For WooCommerce.This issue affects SKU Label Changer For WooCommerce: from n/a through 3.0. | |||||
| CVE-2023-28775 | 1 Yoast | 1 Yoast Seo | 2024-11-21 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in Yoast Yoast SEO Premium.This issue affects Yoast SEO Premium: from n/a through 20.4. | |||||
| CVE-2023-28673 | 1 Jenkins | 1 Octoperf Load Testing | 2024-11-21 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2023-28640 | 1 Apiman | 1 Apiman | 2024-11-21 | N/A | 6.4 MEDIUM |
| Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource. While not trivial to exploit, it could be achieved by brute-forcing or guessing common names. Access to the non-permitted API Keys could allow use of other users' resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security). Apiman 3.1.0.Final resolved this issue. Users are advised to upgrade. The only known workaround is to restrict account access. | |||||
| CVE-2023-28623 | 1 Zulip | 1 Zulip | 2024-11-21 | N/A | 6.5 MEDIUM |
| Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: The organization permissions don't require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue. | |||||
| CVE-2023-28494 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse.This issue affects Contact Form Email: from n/a through 1.3.31. | |||||
| CVE-2023-28492 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Functionality Misuse.This issue affects CP Multi View Event Calendar: from n/a through 1.4.10. | |||||
| CVE-2023-27792 | 1 Ixpdata | 1 Easyinstall | 2024-11-21 | N/A | 7.8 HIGH |
| An issue found in IXP Data Easy Install v.6.6.14884.0 allows an attacker to escalate privileges via lack of permissions applied to sub directories. | |||||