Total
543 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0558 | 2024-02-04 | N/A | 9.8 CRITICAL | ||
| The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to an unsecure token check that is susceptible to type juggling in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to execute functions intended for use by users with proper API keys. | |||||
| CVE-2023-25160 | 1 Nextcloud | 1 Mail | 2024-02-04 | N/A | 5.3 MEDIUM |
| Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available. | |||||
| CVE-2022-43326 | 1 Telos | 2 Alliance Omnia Mpx Node, Alliance Omnia Mpx Node Firmware | 2024-02-04 | N/A | 7.5 HIGH |
| An Insecure Direct Object Reference (IDOR) vulnerability in the password reset function of Telos Alliance Omnia MPX Node 1.0.0-1.4.[*] allows attackers to arbitrarily change user and Administrator account passwords. | |||||
| CVE-2022-3876 | 2024-02-04 | N/A | 6.5 MEDIUM | ||
| A vulnerability, which was classified as problematic, has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This issue affects some unknown processing of the file /api/browserextension/UpdatePassword/ of the component API. The manipulation of the argument PasswordID leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier VDB-216245 was assigned to this vulnerability. | |||||
| CVE-2022-3343 | 1 2code | 1 Wpqa Builder | 2024-02-04 | N/A | 3.5 LOW |
| The WPQA Builder WordPress plugin before 5.9.3 (which is a companion plugin used with Discy and Himer Discy WordPress themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them. | |||||
| CVE-2021-36400 | 1 Moodle | 1 Moodle | 2024-02-04 | N/A | 5.3 MEDIUM |
| In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions. | |||||
| CVE-2022-4802 | 1 Usememos | 1 Memos | 2024-02-04 | N/A | 5.4 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |||||
| CVE-2022-4799 | 1 Usememos | 1 Memos | 2024-02-04 | N/A | 6.5 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |||||
| CVE-2022-4505 | 1 Open-emr | 1 Openemr | 2024-02-04 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.2. | |||||
| CVE-2023-0550 | 2024-02-04 | N/A | 4.3 MEDIUM | ||
| The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu item. This makes it possible for authenticated attackers, with subscriber-level access or higher, to modify or delete arbitrary posts. | |||||
| CVE-2023-0453 | 1 Apusthemes | 1 Wp Private Messaging | 2024-02-04 | N/A | 4.3 MEDIUM |
| The WP Private Message WordPress plugin (bundled with the Superio theme as a required plugin) before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID. | |||||
| CVE-2022-3794 | 2024-02-04 | N/A | 4.3 MEDIUM | ||
| The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various AJAX actions in versions up to, and including, 2.5.6. Authenticated users can use an easily available nonce value to create header templates and make additional changes to the site, as the plugin does not use capability checks for this purpose. | |||||
| CVE-2022-4798 | 1 Usememos | 1 Memos | 2024-02-04 | N/A | 5.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |||||
| CVE-2022-4794 | 2024-02-04 | N/A | 7.5 HIGH | ||
| The AAWP WordPress plugin before 3.12.3 can be used to abuse trusted domains to load malware or other files through it (Reflected File Download) to bypass firewall rules in companies. | |||||
| CVE-2023-1463 | 1 Teampass | 1 Teampass | 2024-02-04 | N/A | 5.4 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. | |||||
| CVE-2022-38765 | 1 Canon | 1 Vitrea View | 2024-02-04 | N/A | 6.5 MEDIUM |
| Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter. | |||||
| CVE-2023-25403 | 1 Yf-exam Project | 1 Yf-exam | 2024-02-04 | N/A | 7.5 HIGH |
| CleverStupidDog yf-exam v 1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username format characters. Any user who logged in within 24 hours. A token can be forged with his username to bypass authentication. | |||||
| CVE-2022-3589 | 1 Miele | 1 Appwash | 2024-02-04 | N/A | 8.1 HIGH |
| An API Endpoint used by Miele's "AppWash" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability. | |||||
| CVE-2022-4803 | 1 Usememos | 1 Memos | 2024-02-04 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |||||
| CVE-2022-1579 | 1 Gunkastudios | 1 Login Block Ips | 2024-02-04 | N/A | 7.5 HIGH |
| The function check_is_login_page() uses headers for the IP check, which can be easily spoofed. | |||||