Total
2221 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-31997 | 2024-04-11 | N/A | 9.9 CRITICAL | ||
| XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document like the user's own profile can create UI extensions. This allows remote code execution and thereby impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9-RC1. No known workarounds are available. | |||||
| CVE-2023-32295 | 2024-04-11 | N/A | 6.3 MEDIUM | ||
| Missing Authorization vulnerability in Alex Tselegidis Easy!Appointments.This issue affects Easy!Appointments: from n/a through 1.3.2. | |||||
| CVE-2024-0570 | 1 Totolink | 2 N350rt, N350rt Firmware | 2024-04-11 | 7.5 HIGH | 9.1 CRITICAL |
| A vulnerability classified as critical was found in Totolink N350RT 9.3.5u.6265. This vulnerability affects unknown code of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. It is recommended to upgrade the affected component. VDB-250786 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0569 | 1 Totolink | 2 T8, T8 Firmware | 2024-04-11 | 4.0 MEDIUM | 9.1 CRITICAL |
| A vulnerability classified as problematic has been found in Totolink T8 4.1.5cu.833_20220905. This affects the function getSysStatusCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument ssid/key leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.5cu.862_B20230228 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-250785 was assigned to this vulnerability. | |||||
| CVE-2023-4468 | 1 Poly | 4 Lens, Trio 8800, Trio 8800 Firmware and 1 more | 2024-04-11 | 4.6 MEDIUM | 7.6 HIGH |
| A vulnerability was found in Poly Trio 8500, Trio 8800 and Trio C60. It has been classified as problematic. This affects an unknown part of the component Poly Lens Management Cloud Registration. The manipulation leads to missing authorization. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier VDB-249261 was assigned to this vulnerability. | |||||
| CVE-2022-3007 | 1 Syska | 2 Sw100 Smartwatch, Sw100 Smartwatch Firmware | 2024-04-11 | N/A | 8.1 HIGH |
| The vulnerability exists in Syska SW100 Smartwatch due to an improper implementation and/or configuration of Nordic Device Firmware Update (DFU) which is used for performing Over-The-Air (OTA) firmware updates on the Bluetooth Low Energy (BLE) devices. An unauthenticated attacker could exploit this vulnerability by setting arbitrary values to handle on the vulnerable device over Bluetooth. Successful exploitation of this vulnerability could allow the attacker to perform firmware update, device reboot or data manipulation on the target device. | |||||
| CVE-2021-41554 | 1 Archibus | 1 Web Central | 2024-04-11 | 6.5 MEDIUM | 8.8 HIGH |
| ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints: /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.axvw, /archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw. By not verifying the permissions for access to resources, it allows a potential attacker to view pages that are not allowed. Specifically, it was found that any authenticated user can reach the administrative console for user management by directly requesting access to the page via URL. This allows a malicious user to modify all users' profiles, to elevate any privileges to administrative ones, or to create or delete any type of user. It is also possible to modify the emails of other users, through a misconfiguration of the username parameter, on the user profile page. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020 | |||||
| CVE-2021-28154 | 1 Camunda | 1 Modeler | 2024-04-11 | 6.4 MEDIUM | 9.1 CRITICAL |
| Camunda Modeler (aka camunda-modeler) through 4.6.0 allows arbitrary file access. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which manipulates the readFile and writeFile APIs. NOTE: the vendor states "The way we secured the app is that it does not allow any remote scripts to be opened, no unsafe scripts to be evaluated, no remote sites to be browsed. | |||||
| CVE-2021-28141 | 1 Telerik | 1 Ui For Asp.net Ajax | 2024-04-11 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one must use the parameter _TSM_HiddenField_ and inject a command at the end of the URI. NOTE: the vendor states that this is not a vulnerability. The request's output does not indicate that a "true" command was executed on the server, and the request's output does not leak any private source code or data from the server | |||||
| CVE-2020-11967 | 1 Evenroute | 2 Iqrouter, Iqrouter Firmware | 2024-04-11 | 9.0 HIGH | 9.8 CRITICAL |
| In IQrouter through 3.3.1, remote attackers can control the device (restart network, reboot, upgrade, reset) because of Incorrect Access Control. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time” | |||||
| CVE-2024-31343 | 2024-04-10 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 4.10.1. | |||||
| CVE-2024-31358 | 2024-04-10 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in Saleswonder.Biz 5 Stars Rating Funnel.This issue affects 5 Stars Rating Funnel: from n/a through 1.2.67. | |||||
| CVE-2024-31230 | 2024-04-10 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in ShortPixel ShortPixel Adaptive Images.This issue affects ShortPixel Adaptive Images: from n/a through 3.8.2. | |||||
| CVE-2024-31342 | 2024-04-10 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in WPcloudgallery WordPress Gallery Exporter.This issue affects WordPress Gallery Exporter: from n/a through 1.3. | |||||
| CVE-2024-31242 | 2024-04-10 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in Bricksforge.This issue affects Bricksforge: from n/a through 2.0.17. | |||||
| CVE-2024-31297 | 2024-04-10 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in WPExperts Wholesale For WooCommerce.This issue affects Wholesale For WooCommerce: from n/a through 2.3.0. | |||||
| CVE-2024-30217 | 2024-04-09 | N/A | 4.3 MEDIUM | ||
| Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application affecting the integrity of the application. Confidentiality and Availability are not impacted. | |||||
| CVE-2024-28167 | 2024-04-09 | N/A | 6.5 MEDIUM | ||
| SAP Group Reporting Data Collection does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, specific data can be changed via the Enter Package Data app although the user does not have sufficient authorization causing high impact on Integrity of the appliction. | |||||
| CVE-2024-31366 | 2024-04-09 | N/A | 7.1 HIGH | ||
| Missing Authorization vulnerability in Themify Post Type Builder (PTB).This issue affects Post Type Builder (PTB): from n/a through 2.0.8. | |||||
| CVE-2024-31368 | 2024-04-09 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in PenciDesign Soledad.This issue affects Soledad: from n/a through 8.4.2. | |||||