Total
454 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-35659 | 2024-06-10 | N/A | 5.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in KiviCare.This issue affects KiviCare: from n/a through 3.6.2. | |||||
| CVE-2024-2575 | 2024-06-07 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability, which was classified as critical, has been found in SourceCodester Employee Task Management System 1.0. Affected by this issue is some unknown functionality of the file /task-details.php. The manipulation of the argument task_id leads to authorization bypass. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257078 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-36399 | 2024-06-07 | N/A | 8.2 HIGH | ||
| Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37. | |||||
| CVE-2024-33542 | 2024-06-05 | N/A | 4.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Fabio Rinaldi Crelly Slider.This issue affects Crelly Slider: from n/a through 1.4.5. | |||||
| CVE-2023-4587 | 1 Zkteco | 2 Zem800, Zem800 Firmware | 2024-06-04 | N/A | 5.5 MEDIUM |
| An IDOR vulnerability has been found in ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server. | |||||
| CVE-2024-5258 | 2024-05-24 | N/A | 4.4 MEDIUM | ||
| An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic. | |||||
| CVE-2023-40720 | 1 Fortinet | 1 Fortivoice | 2024-05-23 | N/A | 7.1 HIGH |
| An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiVoiceEntreprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to read the SIP configuration of other users via crafted HTTP or HTTPS requests. | |||||
| CVE-2024-5166 | 2024-05-22 | N/A | 6.5 MEDIUM | ||
| An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model. | |||||
| CVE-2024-2577 | 2024-05-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in SourceCodester Employee Task Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /update-employee.php. The manipulation of the argument admin_id leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257080. | |||||
| CVE-2024-2574 | 2024-05-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability classified as critical was found in SourceCodester Employee Task Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit-task.php. The manipulation of the argument task_id leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257077 was assigned to this vulnerability. | |||||
| CVE-2024-0264 | 1 Oretnom23 | 1 Clinic Queuing System | 2024-05-17 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /LoginRegistration.php. The manipulation of the argument formToken leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249820. | |||||
| CVE-2023-2978 | 1 Abstrium | 1 Pydio Cells | 2024-05-17 | 4.1 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Abstrium Pydio Cells 4.2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Change Subscription Handler. The manipulation leads to authorization bypass. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-230210 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-32277 | 1 Squiz | 1 Matrix | 2024-05-17 | N/A | 5.3 MEDIUM |
| ** DISPUTED ** Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details. NOTE: this is disputed by both the vendor and the original discoverer because it is a site-specific finding, not a finding about the Squiz Matrix CMS product. | |||||
| CVE-2018-20405 | 1 Bigtreecms | 1 Bigtree | 2024-05-17 | 4.0 MEDIUM | 2.7 LOW |
| ** DISPUTED ** BigTree 4.3 allows full path disclosure via authenticated admin/news/ input that triggers a syntax error. NOTE: This has been disputed with the following reasoning: "The issue reported requires full developer level access to the content management system where cross site scripting is not an issue -- you already have full control of the CMS including running arbitrary PHP." | |||||
| CVE-2024-4843 | 2024-05-16 | N/A | 4.3 MEDIUM | ||
| ePO doesn't allow a regular privileged user to delete tasks or assignments. Insecure direct object references that allow a least privileged user to manipulate the client task and client task assignments, hence escalating his/her privilege. | |||||
| CVE-2021-36389 | 1 Yellowfinbi | 1 Yellowfin | 2024-05-14 | 5.0 MEDIUM | 7.5 HIGH |
| In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4". | |||||
| CVE-2021-36388 | 1 Yellowfinbi | 1 Yellowfin | 2024-05-14 | 5.0 MEDIUM | 7.5 HIGH |
| In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4". | |||||
| CVE-2024-34383 | 2024-05-09 | N/A | 5.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in The SEO Guys at SEOPress SEOPress.This issue affects SEOPress: from n/a through 7.7.1. | |||||
| CVE-2024-4537 | 2024-05-07 | N/A | 7.5 HIGH | ||
| IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain the download URL of another user to obtain the purchased ticket. | |||||
| CVE-2024-4538 | 2024-05-07 | N/A | 7.5 HIGH | ||
| IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain a user's event ticket by creating a specific request with the ticket reference ID, leading to the exposure of sensitive user data. | |||||