Vulnerabilities (CVE)

Filtered by CWE-284
Total 3136 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-43409 1 Ghost 1 Ghost 2024-08-26 N/A 6.5 MEDIUM
Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.
CVE-2024-43397 1 Apolloconfig 1 Apollo 2024-08-26 N/A 4.3 MEDIUM
Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check which was released in version 2.3.0.
CVE-2024-43377 1 Umbraco 1 Umbraco Cms 2024-08-26 N/A 4.3 MEDIUM
Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2.
CVE-2024-42766 1 Kjayvik 1 Bus Ticket Reservation System 2024-08-26 N/A 5.4 MEDIUM
Kashipara Bus Ticket Reservation System v1.0 0 is vulnerable to Incorrect Access Control via /deleteTicket.php.
CVE-2024-32939 1 Mattermost 1 Mattermost 2024-08-23 N/A 3.7 LOW
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server."
CVE-2024-43813 1 Mattermost 1 Mattermost 2024-08-23 N/A 4.3 MEDIUM
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user.
CVE-2024-8071 1 Mattermost 1 Mattermost 2024-08-23 N/A 7.2 HIGH
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin.
CVE-2024-29977 1 Mattermost 1 Mattermost 2024-08-23 N/A 4.3 MEDIUM
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts
CVE-2024-36492 1 Mattermost 1 Mattermost 2024-08-23 N/A 6.4 MEDIUM
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user.
CVE-2024-39274 1 Mattermost 1 Mattermost 2024-08-23 N/A 6.5 MEDIUM
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels
CVE-2024-39777 1 Mattermost 1 Mattermost 2024-08-23 N/A 9.6 CRITICAL
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.
CVE-2024-36505 1 Fortinet 1 Fortios 2024-08-22 N/A 5.5 MEDIUM
An improper access control vulnerability [CWE-284] in FortiOS 7.4.0 through 7.4.3, 7.2.5 through 7.2.7, 7.0.12 through 7.0.14 and 6.4.x may allow an attacker who has already successfully obtained write access to the underlying system (via another hypothetical exploit) to bypass the file integrity checking system.
CVE-2024-41332 1 Oretnom23 1 Computer Laboratory Management System 2024-08-21 N/A 6.5 MEDIUM
Incorrect access control in the delete_category function of Sourcecodester Computer Laboratory Management System v1.0 allows authenticated attackers with low-level privileges to arbitrarily delete categories.
CVE-2024-7921 1 Jielink\+ Jsotc2016 Project 1 Jielink\+ Jsotc2016 2024-08-21 4.0 MEDIUM 9.8 CRITICAL
A vulnerability has been found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /report/ParkOutRecord/GetDataList. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-7920 1 Jielink\+ Jsotc2016 Project 1 Jielink\+ Jsotc2016 2024-08-21 4.0 MEDIUM 9.8 CRITICAL
A vulnerability, which was classified as problematic, was found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805. Affected is an unknown function of the file /Report/ParkCommon/GetParkInThroughDeivces. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-7919 1 Jielink\+ Jsotc2016 Project 1 Jielink\+ Jsotc2016 2024-08-21 5.0 MEDIUM 9.8 CRITICAL
A vulnerability, which was classified as critical, has been found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805. This issue affects some unknown processing of the file /report/ParkChargeRecord/GetDataList. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-42559 2024-08-20 N/A 9.8 CRITICAL
An issue in the login component (process_login.php) of Hotel Management System commit 79d688 allows attackers to authenticate without providing a valid password.
CVE-2024-29082 1 Vonets 28 Vap11ac, Vap11ac Firmware, Vap11g and 25 more 2024-08-20 N/A 8.6 HIGH
Improper access control vulnerability affecting Vonets industrial wifi bridge relays and wifi bridge repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to bypass authentication and factory reset the device via unprotected goform endpoints.
CVE-2024-38162 1 Microsoft 1 Azure Connected Machine Agent 2024-08-16 N/A 7.8 HIGH
Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2024-42480 1 Clastix 1 Kamaji 2024-08-16 N/A 9.9 CRITICAL
Kamaji is the Hosted Control Plane Manager for Kubernetes. In versions 1.0.0 and earlier, Kamaji uses an "open at the top" range definition in RBAC for etcd roles leading to some TCPs API servers being able to read, write, and delete the data of other control planes. This vulnerability is fixed in edge-24.8.2.