Total: 2257 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-30918 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM | In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. |
CVE-2023-28672 | 1 Jenkins | 1 Octoperf Load Testing | 2023-12-10 | N/A | 6.5 MEDIUM | Jenkins OctoPerf Load Testing Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
CVE-2020-36721 | 3 Colorlib, Cpothemes, Machothemes | 15 Activello, Bonkers, Illdy and 12 more | 2023-12-10 | N/A | 6.5 MEDIUM | The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to unauthenticated plugin activation and deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability checks and nonce checks. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site. |
CVE-2023-2787 | 1 Mattermost | 1 Mattermost | 2023-12-10 | N/A | 6.5 MEDIUM | Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API. |
CVE-2023-30518 | 1 Jenkins | 1 Thycotic Secret Server | 2023-12-10 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
CVE-2022-48379 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM | In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges needed. |
CVE-2021-4351 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2023-12-10 | N/A | 5.3 MEDIUM | The Frontend File Manager plugin for WordPress is vulnerable to unauthenticated post meta modification in versions up to, and including, 18.2. This is due to missing authentication, capability checks, and sanitization on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to change the meta data of certain posts and pages. |
CVE-2020-36697 | 1 Appsaloon | 1 Wp Gdpr | 2023-12-10 | N/A | 6.5 MEDIUM | The WP GDPR plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to delete any comment and modify the plugin's settings. |
CVE-2022-48247 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH | In audio service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. |
CVE-2023-30522 | 1 Jenkins | 1 Fogbugz | 2023-12-10 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter. |
CVE-2019-25143 | 1 Mooveagency | 1 Gdpr Cookie Compliance | 2023-12-10 | N/A | 4.3 MEDIUM | The GDPR Cookie Compliance plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the gdpr_cookie_compliance_reset_settings AJAX action in versions up to, and including, 4.0.2. This makes it possible for authenticated attackers to reset all of the plugin's settings. |
CVE-2023-21185 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.8 HIGH | In multiple functions of WifiNetworkFactory.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-266700762. |
CVE-2022-48491 | 1 Huawei | 1 Emui | 2023-12-10 | N/A | 5.3 MEDIUM | Vulnerability of missing authentication on certain HUAWEI phones. Successful exploitation of this vulnerability can cause ads and other windows to be displayed at any time. |
CVE-2021-4347 | 1 Zorem | 1 Advanced Shipment Tracking For Woocommerce | 2023-12-10 | N/A | 6.5 MEDIUM | The function update_shipment_status_email_status_fun in the Advanced Shipment Tracking for WooCommerce plugin, in versions up to 3.2.6, is vulnerable to authenticated arbitrary options update. The function allows authenticated attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but does not fully address the issue. |
CVE-2022-48375 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM | In contacts service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges needed. |
CVE-2023-1414 | 1 Coderex | 1 Wp Vr | 2023-12-10 | N/A | 4.3 MEDIUM | The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions; one in particular could allow any authenticated user, such as a subscriber, to update arbitrary tours. |
CVE-2023-2786 | 1 Mattermost | 1 Mattermost | 2023-12-10 | N/A | 4.3 MEDIUM | Mattermost fails to properly check permissions when executing commands, allowing a member who has no permission to post a message in a channel to post one anyway by executing channel commands. |
CVE-2022-38685 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 5.5 MEDIUM | In bluetooth service, there is a possible missing permission check. This could lead to local denial of service in bluetooth service with no additional execution privileges needed. |
CVE-2022-48248 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2023-12-10 | N/A | 7.8 HIGH | In audio service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. |
CVE-2023-2299 | 1 Vcita | 1 Online Booking & Scheduling Calendar For Wordpress | 2023-12-10 | N/A | 5.3 MEDIUM | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data via the /wp-json/vcita-wordpress/v1/actions/auth REST API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction function. This makes it possible for unauthenticated attackers to modify the plugin's settings. |
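Seven of the WordPress entries above (CVE-2020-36721, CVE-2021-4351, CVE-2020-36697, CVE-2019-25143, CVE-2021-4347, CVE-2023-1414 and CVE-2023-2299) describe the same defect: a privileged action is wired to an AJAX or REST handler that never asks who the caller is or whether a nonce accompanies the request. The example below is added here to illustrate that pattern and its fix; it is not code from any of the listed themes or plugins. The action name `demo_toggle_plugin`, the handler names and the `nonce` parameter are hypothetical; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `activate_plugin`, `get_plugins`, `wp_send_json_error`) are real core functions.

```php
<?php
// Added illustrative example, not code from any theme or plugin listed above.
// Hypothetical AJAX action "demo_toggle_plugin" modelled on the pattern the
// entries describe: a privileged operation reachable through admin-ajax.php
// with no nonce and no capability check.

// --- Vulnerable form ---------------------------------------------------------
// The wp_ajax_nopriv_ hook makes the handler reachable with no session at all
// (the "unauthenticated attackers" case). Even without it, the wp_ajax_ hook
// alone lets any logged-in user, e.g. a subscriber, reach the handler, because
// admin-ajax.php itself performs no authorization (the "authenticated" case).
add_action( 'wp_ajax_demo_toggle_plugin',        'demo_toggle_plugin_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_toggle_plugin', 'demo_toggle_plugin_vulnerable' );

function demo_toggle_plugin_vulnerable() {
    $plugin = $_POST['plugin'] ?? '';          // e.g. "akismet/akismet.php"
    $action = $_POST['do']     ?? 'activate';

    // No check_ajax_referer() and no current_user_can(): anyone who can POST to
    // /wp-admin/admin-ajax.php?action=demo_toggle_plugin controls plugin state.
    if ( 'deactivate' === $action ) {
        deactivate_plugins( $plugin );
    } else {
        activate_plugin( $plugin );
    }
    wp_send_json_success();
}

// --- Hardened form -------------------------------------------------------------
// Only the authenticated hook is registered, and the handler verifies both a
// nonce (CSRF) and a capability (authorization). Neither check replaces the
// other: a valid nonce does not prove the caller may activate plugins, and a
// capability check does not stop a request forged against an admin's browser.
add_action( 'wp_ajax_demo_toggle_plugin_safe', 'demo_toggle_plugin_safe' );

function demo_toggle_plugin_safe() {
    // Dies with HTTP 403 if the "nonce" field is missing or invalid.
    check_ajax_referer( 'demo_toggle_plugin', 'nonce' );

    // Authorization: the same capability core requires on the Plugins screen.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }

    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    $action = sanitize_key( $_POST['do'] ?? 'activate' );

    // Allow-list against installed plugins instead of trusting a client path.
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( array( 'message' => 'unknown plugin' ), 400 ); // exits
    }

    if ( 'deactivate' === $action ) {
        deactivate_plugins( $plugin );
        wp_send_json_success();
    }

    $result = activate_plugin( $plugin );  // null on success, WP_Error on failure
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success();
}

// The nonce the hardened handler expects is minted server-side for the page
// that carries the button, e.g.:
//   wp_localize_script( 'demo-admin', 'demoAjax',
//       array( 'nonce' => wp_create_nonce( 'demo_toggle_plugin' ) ) );
```

A quick check for a handler of this kind is an unauthenticated POST to `/wp-admin/admin-ajax.php` with `action=<name>` and no cookies: admin-ajax.php prints a bare `0` when no `wp_ajax_nopriv_` hook ran, so any other response means the action is reachable without a session. For the authenticated variants in the list (CVE-2019-25143, CVE-2021-4347, CVE-2023-1414), repeat the request with a subscriber-level session; a handler that lacks the `current_user_can()` check will accept it.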