Total
145 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2005-1892 | 1 Flatnuke | 1 Flatnuke | 2024-11-20 | 6.4 MEDIUM | N/A |
| FlatNuke 2.5.3 allows remote attackers to cause a denial of service or obtain sensitive information via (1) a direct request to foot_news.php, which triggers an infinite loop, or (2) direct requests to unknown scripts, which reveals the web document root in an error message. | |||||
| CVE-2005-1827 | 1 Dlink | 2 Dsl-504t, Dsl-504t Firmware | 2024-11-20 | 7.5 HIGH | N/A |
| D-Link DSL-504T allows remote attackers to bypass authentication and gain privileges, such as upgrade firmware, restart the router or restore a saved configuration, via a direct request to firmwarecfg. | |||||
| CVE-2005-1698 | 1 Postnuke | 1 Postnuke | 2024-11-20 | 5.0 MEDIUM | N/A |
| PostNuke 0.750 and 0.760RC3 allows remote attackers to obtain sensitive information via a direct request to (1) theme.php or (2) Xanthia.php in the Xanthia module, (3) user.php, (4) thelang.php, (5) text.php, (6) html.php, (7) menu.php, (8) finclude.php, or (9) button.php in the pnblocks directory in the Blocks module, (10) config.php in the NS-Multisites (aka Multisites) module, or (11) xmlrpc.php, which reveals the path in an error message. | |||||
| CVE-2005-1697 | 1 Postnuke | 1 Postnuke | 2024-11-20 | 5.0 MEDIUM | N/A |
| The RSS module in PostNuke 0.750 and 0.760RC2 and RC3 allows remote attackers to obtain sensitive information via a direct request to simple_smarty.php, which reveals the path in an error message. | |||||
| CVE-2005-1688 | 1 Wordpress | 1 Wordpress | 2024-11-20 | 5.0 MEDIUM | N/A |
| Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message. | |||||
| CVE-2005-1685 | 1 Episodex | 1 Episodex Guestbook | 2024-11-20 | 7.5 HIGH | N/A |
| episodex guestbook allows remote attackers to bypass authentication and edit scripts via a direct request to admin.asp. | |||||
| CVE-2005-1668 | 1 Yusasp | 1 Web Asset Manager | 2024-11-20 | 7.5 HIGH | N/A |
| YusASP Web Asset Manager 1.0 allows remote attackers to gain privileges via a direct request to assetmanager.asp. | |||||
| CVE-2005-1654 | 1 Hostingcontroller | 1 Hosting Controller | 2024-11-20 | 7.5 HIGH | N/A |
| Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set. | |||||
| CVE-2004-2257 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-20 | 5.0 MEDIUM | N/A |
| phpMyFAQ 1.4.0 allows remote attackers to access the Image Manager to upload or delete images without authorization via a direct request. | |||||
| CVE-2004-2144 | 1 Baalsystems | 1 Baal Smart Forms | 2024-11-20 | 7.5 HIGH | N/A |
| Baal Smart Forms before 3.2 allows remote attackers to bypass authentication and obtain system access via a direct request to regadmin.php. | |||||
| CVE-2002-1798 | 1 Midicart | 3 Midicart Php, Midicart Php Maxi, Midicart Php Plus | 2024-11-20 | 6.4 MEDIUM | 9.1 CRITICAL |
| MidiCart PHP, PHP Plus, and PHP Maxi allows remote attackers to (1) upload arbitrary php files via a direct request to admin/upload.php or (2) access sensitive information via a direct request to admin/credit_card_info.php. | |||||
| CVE-2024-11049 | 2024-11-12 | 2.6 LOW | 3.7 LOW | ||
| A vulnerability classified as problematic has been found in ZKTeco ZKBio Time 9.0.1. Affected is an unknown function of the file /auth_files/photo/ of the component Image File Handler. The manipulation leads to direct request. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-46186 | 1 Ibm | 1 Jazz For Service Management | 2024-10-23 | N/A | 7.5 HIGH |
| IBM Jazz for Service Management 1.1.3.20 could allow an unauthorized user to obtain sensitive file information using forced browsing due to improper access controls. IBM X-Force ID: 269929. | |||||
| CVE-2023-45598 | 2024-10-17 | N/A | 5.3 MEDIUM | ||
| A CWE-425 “Direct Request ('Forced Browsing')” vulnerability in the “measure” functionality of the web application allows a remote unauthenticated attacker to access confidential measure information. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. | |||||
| CVE-2023-45596 | 2024-10-17 | N/A | 5.3 MEDIUM | ||
| A CWE-425 “Direct Request ('Forced Browsing')” vulnerability in the “file_configuration” functionality of the web application allows a remote unauthenticated attacker to access confidential configuration files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. | |||||
| CVE-2024-33897 | 1 Hms-networks | 7 Ewon Cosy\+ 4g Apac, Ewon Cosy\+ 4g Eu, Ewon Cosy\+ 4g Jp and 4 more | 2024-10-10 | N/A | 9.1 CRITICAL |
| A compromised HMS Networks Cosy+ device could be used to request a Certificate Signing Request from Talk2m for another device, resulting in an availability issue. The issue was patched on the Talk2m production server on April 18, 2024. | |||||
| CVE-2024-0861 | 1 Gitlab | 1 Gitlab | 2024-10-03 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions. | |||||
| CVE-2024-0456 | 1 Gitlab | 1 Gitlab | 2024-10-03 | N/A | 4.3 MEDIUM |
| An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project | |||||
| CVE-2023-4018 | 1 Gitlab | 1 Gitlab | 2024-10-03 | N/A | 5.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to create model experiments in public projects. | |||||
| CVE-2023-3426 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-10-02 | N/A | 4.3 MEDIUM |
| The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations. | |||||