Total
2166 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-25552 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-12-10 | N/A | 8.1 HIGH |
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||||
CVE-2021-4339 | 1 Stylemixthemes | 1 Ulisting | 2023-12-10 | N/A | 5.3 MEDIUM |
The uListing plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the "ulisting/includes/route.php" file on the /1/api/ulisting-user/search REST-API route in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to retrieve the list of all users and their email address in the database. | |||||
CVE-2023-2494 | 1 Granthweb | 1 Go Pricing | 2023-12-10 | N/A | 8.8 HIGH |
The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin when it should only be the administrator's privilege. | |||||
CVE-2021-4366 | 1 Magazine3 | 1 Pwa For Wp \& Amp | 2023-12-10 | N/A | 4.3 MEDIUM |
The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwp_update_features_options function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change the otherwise restricted settings within the plugin. | |||||
CVE-2023-30913 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
CVE-2023-30863 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In Connectivity Service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
CVE-2023-28675 | 1 Jenkins | 1 Octoperf Load Testing | 2023-12-10 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials. | |||||
CVE-2022-48388 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In powerEx service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
CVE-2023-3230 | 1 Fossbilling | 1 Fossbilling | 2023-12-10 | N/A | 7.5 HIGH |
Missing Authorization in GitHub repository fossbilling/fossbilling prior to 0.5.0. | |||||
CVE-2023-30918 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
CVE-2023-28672 | 1 Jenkins | 1 Octoperf Load Testing | 2023-12-10 | N/A | 6.5 MEDIUM |
Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
CVE-2020-36721 | 3 Colorlib, Cpothemes, Machothemes | 15 Activello, Bonkers, Illdy and 12 more | 2023-12-10 | N/A | 6.5 MEDIUM |
The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site. | |||||
CVE-2023-2787 | 1 Mattermost | 1 Mattermost | 2023-12-10 | N/A | 6.5 MEDIUM |
Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API. | |||||
CVE-2023-30518 | 1 Jenkins | 1 Thycotic Secret Server | 2023-12-10 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
CVE-2022-48379 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM |
In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | |||||
CVE-2021-4351 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2023-12-10 | N/A | 5.3 MEDIUM |
The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Post Meta Change in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to change the meta data of certain posts and pages. | |||||
CVE-2020-36697 | 1 Appsaloon | 1 Wp Gdpr | 2023-12-10 | N/A | 6.5 MEDIUM |
The WP GDPR plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to delete any comment and modify the plugin’s settings. | |||||
CVE-2022-48247 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH |
In audio service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | |||||
CVE-2023-30522 | 1 Jenkins | 1 Fogbugz | 2023-12-10 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter. | |||||
CVE-2019-25143 | 1 Mooveagency | 1 Gdpr Cookie Compliance | 2023-12-10 | N/A | 4.3 MEDIUM |
The GDPR Cookie Compliance plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the gdpr_cookie_compliance_reset_settings AJAX action in versions up to, and including, 4.0.2. This makes it possible for authenticated attackers to reset all of the settings. |