Total
2156 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41554 | 1 Archibus | 1 Web Central | 2024-04-11 | 6.5 MEDIUM | 8.8 HIGH |
| ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints: /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.axvw, /archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw. By not verifying the permissions for access to resources, it allows a potential attacker to view pages that are not allowed. Specifically, it was found that any authenticated user can reach the administrative console for user management by directly requesting access to the page via URL. This allows a malicious user to modify all users' profiles, to elevate any privileges to administrative ones, or to create or delete any type of user. It is also possible to modify the emails of other users, through a misconfiguration of the username parameter, on the user profile page. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020 | |||||
| CVE-2021-28154 | 1 Camunda | 1 Modeler | 2024-04-11 | 6.4 MEDIUM | 9.1 CRITICAL |
| Camunda Modeler (aka camunda-modeler) through 4.6.0 allows arbitrary file access. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which manipulates the readFile and writeFile APIs. NOTE: the vendor states "The way we secured the app is that it does not allow any remote scripts to be opened, no unsafe scripts to be evaluated, no remote sites to be browsed. | |||||
| CVE-2021-28141 | 1 Telerik | 1 Ui For Asp.net Ajax | 2024-04-11 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one must use the parameter _TSM_HiddenField_ and inject a command at the end of the URI. NOTE: the vendor states that this is not a vulnerability. The request's output does not indicate that a "true" command was executed on the server, and the request's output does not leak any private source code or data from the server | |||||
| CVE-2020-11967 | 1 Evenroute | 2 Iqrouter, Iqrouter Firmware | 2024-04-11 | 9.0 HIGH | 9.8 CRITICAL |
| In IQrouter through 3.3.1, remote attackers can control the device (restart network, reboot, upgrade, reset) because of Incorrect Access Control. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time” | |||||
| CVE-2024-31343 | 2024-04-10 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 4.10.1. | |||||
| CVE-2024-31358 | 2024-04-10 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in Saleswonder.Biz 5 Stars Rating Funnel.This issue affects 5 Stars Rating Funnel: from n/a through 1.2.67. | |||||
| CVE-2024-31230 | 2024-04-10 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in ShortPixel ShortPixel Adaptive Images.This issue affects ShortPixel Adaptive Images: from n/a through 3.8.2. | |||||
| CVE-2024-31342 | 2024-04-10 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in WPcloudgallery WordPress Gallery Exporter.This issue affects WordPress Gallery Exporter: from n/a through 1.3. | |||||
| CVE-2024-31242 | 2024-04-10 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in Bricksforge.This issue affects Bricksforge: from n/a through 2.0.17. | |||||
| CVE-2024-31297 | 2024-04-10 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in WPExperts Wholesale For WooCommerce.This issue affects Wholesale For WooCommerce: from n/a through 2.3.0. | |||||
| CVE-2024-30217 | 2024-04-09 | N/A | 4.3 MEDIUM | ||
| Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application affecting the integrity of the application. Confidentiality and Availability are not impacted. | |||||
| CVE-2024-28167 | 2024-04-09 | N/A | 6.5 MEDIUM | ||
| SAP Group Reporting Data Collection does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, specific data can be changed via the Enter Package Data app although the user does not have sufficient authorization causing high impact on Integrity of the appliction. | |||||
| CVE-2024-31366 | 2024-04-09 | N/A | 7.1 HIGH | ||
| Missing Authorization vulnerability in Themify Post Type Builder (PTB).This issue affects Post Type Builder (PTB): from n/a through 2.0.8. | |||||
| CVE-2024-31368 | 2024-04-09 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in PenciDesign Soledad.This issue affects Soledad: from n/a through 8.4.2. | |||||
| CVE-2024-31367 | 2024-04-09 | N/A | 7.1 HIGH | ||
| Missing Authorization vulnerability in PenciDesign Soledad.This issue affects Soledad: from n/a through 8.4.2. | |||||
| CVE-2024-30216 | 2024-04-09 | N/A | 4.3 MEDIUM | ||
| Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, attacker can add notes in the review request with 'completed' status affecting the integrity of the application. Confidentiality and Availability are not impacted. | |||||
| CVE-2024-27910 | 2024-04-08 | N/A | 5.3 MEDIUM | ||
| A vulnerability was reported in some Lenovo Printers that could allow an unauthenticated attacker to reboot the printer without authentication. | |||||
| CVE-2024-27911 | 2024-04-08 | N/A | 7.5 HIGH | ||
| A vulnerability was reported in some Lenovo Printers that could allow an unauthenticated attacker to obtain the administrator password. | |||||
| CVE-2024-31375 | 2024-04-08 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in Saleswonder.Biz Team WP2LEADS.This issue affects WP2LEADS: from n/a through 3.2.7. | |||||
| CVE-2024-0394 | 2024-04-03 | N/A | 7.8 HIGH | ||
| Rapid7 Minerva Armor versions below 4.5.5 suffer from a privilege escalation vulnerability whereby an authenticated attacker can elevate privileges and execute arbitrary code with SYSTEM privilege. The vulnerability is caused by the product's implementation of OpenSSL's`OPENSSLDIR` parameter where it is set to a path accessible to low-privileged users. The vulnerability has been remediated and fixed in version 4.5.5. | |||||