Total: 129 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-28991 | 1 Bdtask | 1 Multi Store Inventory Management System | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | Multi Store Inventory Management System v1.0 was discovered to contain an information disclosure vulnerability which allows attackers to access sensitive files.
CVE-2021-44582 | 1 Money Transfer Management System Project | 1 Money Transfer Management System | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | A Privilege Escalation vulnerability exists in Sourcecodester Money Transfer Management System 1.0, which allows a remote malicious user to gain elevated privileges to the Admin role via any URL.
CVE-2022-29238 | 1 Jupyter | 1 Notebook | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed. Version 6.4.12 contains a patch for this issue. There are currently no known workarounds.
CVE-2022-31847 | 1 Wavlink | 2 Wn579x3, Wn579x3 Firmware | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | A vulnerability in /cgi-bin/ExportAllSettings.sh of WAVLINK WN579 X3 M79X3.V5030.180719 allows attackers to obtain sensitive router information via a crafted POST request.
CVE-2022-1077 | 1 Tem | 4 Flex-1080, Flex-1080 Firmware, Flex-1085 and 1 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | A vulnerability was found in TEM FLEX-1080 and FLEX-1085 1.6.0. It has been declared as problematic. This vulnerability affects log.cgi of the component Log Handler. A direct request leads to information disclosure of hardware information. The attack can be initiated remotely and does not require any form of authentication.
CVE-2021-24046 | 1 Ray-ban | 8 Stories Rw4002 601/71 50-22, Stories Rw4002 601/71 50-22 Firmware, Stories Rw4003 65582v 48-23 and 5 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | A logic flaw in Ray-Ban® Stories device software allowed some parameters like video capture duration limit to be modified through the Facebook View application. This issue affected versions of device software before 2107460.6810.0.
CVE-2021-24695 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users from downloading and reading the logs, which contain sensitive information such as IP addresses and usernames.
CVE-2021-36560 | 1 Phone Shop Sales Management System Project | 1 Phone Shop Sales Management System | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Phone Shop Sales Management System using PHP with Source Code 1.0 is vulnerable to an authentication bypass which leads to account takeover of the admin.
CVE-2021-40875 | 1 Gurock | 1 Testrail | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
CVE-2021-24831 | 1 Rich-web | 1 Tab | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as adding, editing or deleting arbitrary tabs.
CVE-2021-42671 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | An incorrect access control vulnerability exists in Sourcecodester Engineers Online Portal in PHP in nia_munoz_monitoring_system/admin/uploads. An attacker can leverage this vulnerability in order to bypass access controls and access all the files uploaded to the web server without the need for authentication or authorization.
CVE-2021-42748 | 1 Fastlinemedia | 1 Beaver Builder | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | In Beaver Builder through 2.5.0.3, attackers can bypass the visibility controls protection mechanism via the REST API.
CVE-2018-16060 | 1 Mitsubishielectric | 2 Smartrtu, Smartrtu Firmware | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | Mitsubishi Electric SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
CVE-2021-36745 | 1 Trendmicro | 1 Serverprotect | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for Network Appliance Filers 5.8, and ServerProtect for Microsoft Windows / Novell Netware 5.8 could allow a remote attacker to bypass authentication on affected installations.
CVE-2021-20114 | 1 Tecnick | 1 Tcexam | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files.
CVE-2021-24215 | 1 Wpruby | 1 Controlled Admin Access | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plugin before 1.5.2. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource.
CVE-2021-24238 | 1 Purethemes | 2 Findeo, Realteo | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belongs to the user making the request, allowing any authenticated user to delete arbitrary properties by tampering with the property_id parameter.
CVE-2021-30144 | 1 Glpi-project | 1 Dashboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category. For example, plugins/dashboard/front/main2.php can be used.
CVE-2021-28150 | 1 Hongdian | 2 H8922, H8922 Firmware | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM | Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi.
CVE-2021-22180 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytics pages.