Total
138 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-28365 | 1 Reprisesoftware | 1 Reprise License Manager | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details. | |||||
CVE-2022-27480 | 1 Siemens | 4 Sicam A8000 Cp-8031, Sicam A8000 Cp-8031 Firmware, Sicam A8000 Cp-8050 and 1 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
A vulnerability has been identified in SICAM A8000 CP-8031 (All versions < V4.80), SICAM A8000 CP-8050 (All versions < V4.80). Affected devices do not require an user to be authenticated to access certain files. This could allow unauthenticated attackers to download these files. | |||||
CVE-2021-42671 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An incorrect access control vulnerability exists in Sourcecodester Engineers Online Portal in PHP in nia_munoz_monitoring_system/admin/uploads. An attacker can leverage this vulnerability in order to bypass access controls and access all the files uploaded to the web server without the need of authentication or authorization. | |||||
CVE-2021-36560 | 1 Phone Shop Sales Management System Project | 1 Phone Shop Sales Management System | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Phone Shop Sales Managements System using PHP with Source Code 1.0 is vulnerable to authentication bypass which leads to account takeover of the admin. | |||||
CVE-2021-42748 | 1 Fastlinemedia | 1 Beaver Builder | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
In Beaver Builder through 2.5.0.3, attackers can bypass the visibility controls protection mechanism via the REST API. | |||||
CVE-2021-40875 | 1 Gurock | 1 Testrail | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data. | |||||
CVE-2022-23607 | 2 Debian, Twistedmatrix | 2 Debian Linux, Treq | 2024-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
treq is an HTTP library inspired by requests but written on top of Twisted's Agents. Treq's request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it. | |||||
CVE-2021-36745 | 1 Trendmicro | 1 Serverprotect | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for Network Appliance Filers 5.8, and ServerProtect for Microsoft Windows / Novell Netware 5.8 could allow a remote attacker to bypass authentication on affected installations. | |||||
CVE-2021-24695 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users to download and read the logs containing Sensitive Information such as IP Addresses and Usernames | |||||
CVE-2021-24046 | 1 Ray-ban | 8 Stories Rw4002 601\/71 50-22, Stories Rw4002 601\/71 50-22 Firmware, Stories Rw4003 65582v 48-23 and 5 more | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
A logic flaw in Ray-BanĀ® Stories device software allowed some parameters like video capture duration limit to be modified through the Facebook View application. This issue affected versions of device software before 2107460.6810.0. | |||||
CVE-2021-26085 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. | |||||
CVE-2021-30144 | 1 Glpi-project | 1 Dashboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category. For example, plugins/dashboard/front/main2.php can be used. | |||||
CVE-2021-22180 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages. | |||||
CVE-2021-24238 | 1 Purethemes | 2 Findeo, Realteo | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the property_id parameter. | |||||
CVE-2021-20114 | 1 Tecnick | 1 Tcexam | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files. | |||||
CVE-2021-28150 | 1 Hongdian | 2 H8922, H8922 Firmware | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi. | |||||
CVE-2021-24215 | 1 Wpruby | 1 Controlled Admin Access | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plugin before 1.5.2. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource. | |||||
CVE-2020-35570 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual through 2.11.2. An unauthenticated attacker is able to access files (that should have been restricted) via forceful browsing. | |||||
CVE-2019-2388 | 1 Mongodb | 1 Ops Manager | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5. | |||||
CVE-2020-24660 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package. |