Total
543 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-3219 | 1 Myeventon | 1 Eventon | 2024-02-04 | N/A | 5.3 MEDIUM |
| The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post. | |||||
| CVE-2023-0693 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2024-02-04 | N/A | 4.3 MEDIUM |
| The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_transaction_id' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the transaction ids of arbitrary form submissions that included payment. | |||||
| CVE-2023-26428 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2024-02-04 | N/A | 6.5 MEDIUM |
| Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Signatures of other users could be read even though they are not explicitly shared. We improved permission handling when requesting snippets that are not explicitly shared with other users. No publicly available exploits are known. | |||||
| CVE-2023-32310 | 1 Dataease | 1 Dataease | 2024-02-04 | N/A | 8.1 HIGH |
| DataEase is an open source data visualization and analysis tool. The API interface for DataEase delete dashboard and delete system messages is vulnerable to insecure direct object references (IDOR). This could result in a user deleting another user's dashboard or messages or interfering with the interface for marking messages read. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. | |||||
| CVE-2023-0985 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-02-04 | N/A | 8.8 HIGH |
| An Authorization Bypass vulnerability was found in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual version <= 2.13.3. An authenticated remote user with low privileges can change the password of any user in the same account. This allows to take over the admin user and therefore fully compromise the account. | |||||
| CVE-2023-28656 | 1 F5 | 3 Nginx Api Connectivity Manager, Nginx Instance Manager, Nginx Security Monitoring | 2024-02-04 | N/A | 8.1 HIGH |
| NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2023-2713 | 1 Rental Module Project | 1 Rental Module | 2024-02-04 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass.This issue affects Rental Module: before 23.05.15. | |||||
| CVE-2023-0692 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2024-02-04 | N/A | 4.3 MEDIUM |
| The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_payment_status' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the payment status of arbitrary form submissions. | |||||
| CVE-2023-34000 | 2024-02-04 | N/A | 7.5 HIGH | ||
| Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0 versions. | |||||
| CVE-2023-1125 | 1 Wpruby | 1 Ruby Help Desk | 2024-02-04 | N/A | 6.5 MEDIUM |
| The Ruby Help Desk WordPress plugin before 1.3.4 does not ensure that the ticket being modified belongs to the user making the request, allowing an attacker to close and/or add files and replies to tickets other than their own. | |||||
| CVE-2023-3525 | 1 Getnet Argentina Para Woocommerce Project | 1 Getnet Argentina Para Woocommerce | 2024-02-04 | N/A | 7.5 HIGH |
| The Getnet Argentina para Woocommerce plugin for WordPress is vulnerable to authorization bypass due to missing validation on the 'webhook' function in versions up to, and including, 0.0.4. This makes it possible for unauthenticated attackers to set their payment status to 'APPROVED' without payment. | |||||
| CVE-2023-2548 | 1 Metagauss | 1 Registrationmagic | 2024-02-04 | N/A | 7.2 HIGH |
| The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers, with administrator-level permissions and above, to change user passwords and potentially take over super-administrator accounts in multisite setup. | |||||
| CVE-2022-42175 | 1 Soluslabs | 1 Solusvm | 2024-02-04 | N/A | 8.8 HIGH |
| Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker to change the password and hostname of other customer servers without authorization. | |||||
| CVE-2023-1462 | 1 Vadi | 1 Digikent | 2024-02-04 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Vadi Corporate Information Systems DigiKent allows Authentication Bypass, Authentication Abuse. This issue affects DigiKent: before 23.03.20. | |||||
| CVE-2023-24834 | 1 Wisdomgarden | 1 Tronclass Ilearn | 2024-02-04 | N/A | 6.5 MEDIUM |
| WisdomGarden Tronclass has improper access control when uploading file. An authenticated remote attacker with general user privilege can exploit this vulnerability to access files belonging to other users by modifying the file ID within URL. | |||||
| CVE-2023-28686 | 3 Debian, Dino, Fedoraproject | 3 Debian Linux, Dino, Fedora | 2024-02-04 | N/A | 7.1 HIGH |
| Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information. | |||||
| CVE-2023-0691 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2024-02-04 | N/A | 4.3 MEDIUM |
| The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_last_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, specifically the submitter's last name. | |||||
| CVE-2023-30216 | 1 Newbee-mall Project | 1 Newbee-mall | 2024-02-04 | N/A | 5.4 MEDIUM |
| Insecure permissions in the updateUserInfo function of newbee-mall before commit 1f2c2dfy allows attackers to obtain user account information. | |||||
| CVE-2023-0694 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2024-02-04 | N/A | 4.3 MEDIUM |
| The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about any standard form field of any form submission. | |||||
| CVE-2023-31182 | 1 Easytor | 1 Easytor | 2024-02-04 | N/A | 9.8 CRITICAL |
| EasyTor Applications – Authorization Bypass - EasyTor Applications may allow authorization bypass via unspecified method. | |||||