Total
455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-2276 | 1 Wclovers | 1 Wcfm Membership | 2024-02-04 | N/A | 9.8 CRITICAL |
| The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. | |||||
| CVE-2023-3066 | 1 Mobatime | 1 Amxgt 100 | 2024-02-04 | N/A | 8.1 HIGH |
| Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administratorsThis issue affects Mobatime mobile application AMXGT100: through 1.3.20. | |||||
| CVE-2023-37242 | 1 Huawei | 2 Emui, Harmonyos | 2024-02-04 | N/A | 9.8 CRITICAL |
| Vulnerability of commands from the modem being intercepted in the atcmdserver module. Attackers may exploit this vulnerability to rewrite the non-volatile random-access memory (NVRAM), or facilitate the exploitation of other vulnerabilities. | |||||
| CVE-2023-3133 | 1 Themeum | 1 Tutor Lms | 2024-02-04 | N/A | 7.5 HIGH |
| The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available. | |||||
| CVE-2023-3105 | 1 Learndash | 1 Learndash | 2024-02-04 | N/A | 8.8 HIGH |
| The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with with existing account access at any level, to change user passwords and potentially take over administrator accounts. | |||||
| CVE-2023-1129 | 1 Wp Fevents Book Project | 1 Wp Fevents Book | 2024-02-04 | N/A | 6.5 MEDIUM |
| The WP FEvents Book WordPress plugin through 0.46 does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users. | |||||
| CVE-2023-2702 | 1 Finexmedia | 1 Competition Management System | 2024-02-04 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass.This issue affects Competition Management System: before 23.07. | |||||
| CVE-2023-0688 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2024-02-04 | N/A | 6.5 MEDIUM |
| The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_thankyou' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about form submissions, including payment status, and transaction ID. | |||||
| CVE-2018-17449 | 1 Gitlab | 1 Gitlab | 2024-02-04 | N/A | 7.5 HIGH |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Remote attackers could obtain sensitive information about issues, comments, and project titles via events API insecure direct object reference. | |||||
| CVE-2023-3219 | 1 Myeventon | 1 Eventon | 2024-02-04 | N/A | 5.3 MEDIUM |
| The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post. | |||||
| CVE-2023-0693 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2024-02-04 | N/A | 4.3 MEDIUM |
| The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_transaction_id' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the transaction ids of arbitrary form submissions that included payment. | |||||
| CVE-2023-26428 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2024-02-04 | N/A | 6.5 MEDIUM |
| Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Signatures of other users could be read even though they are not explicitly shared. We improved permission handling when requesting snippets that are not explicitly shared with other users. No publicly available exploits are known. | |||||
| CVE-2023-32310 | 1 Dataease | 1 Dataease | 2024-02-04 | N/A | 8.1 HIGH |
| DataEase is an open source data visualization and analysis tool. The API interface for DataEase delete dashboard and delete system messages is vulnerable to insecure direct object references (IDOR). This could result in a user deleting another user's dashboard or messages or interfering with the interface for marking messages read. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. | |||||
| CVE-2023-0985 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-02-04 | N/A | 8.8 HIGH |
| An Authorization Bypass vulnerability was found in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual version <= 2.13.3. An authenticated remote user with low privileges can change the password of any user in the same account. This allows to take over the admin user and therefore fully compromise the account. | |||||
| CVE-2023-28656 | 1 F5 | 3 Nginx Api Connectivity Manager, Nginx Instance Manager, Nginx Security Monitoring | 2024-02-04 | N/A | 8.1 HIGH |
| NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2023-2713 | 1 Rental Module Project | 1 Rental Module | 2024-02-04 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass.This issue affects Rental Module: before 23.05.15. | |||||
| CVE-2023-0692 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2024-02-04 | N/A | 4.3 MEDIUM |
| The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_payment_status' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the payment status of arbitrary form submissions. | |||||
| CVE-2023-34000 | 2024-02-04 | N/A | 7.5 HIGH | ||
| Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0 versions. | |||||
| CVE-2023-1125 | 1 Wpruby | 1 Ruby Help Desk | 2024-02-04 | N/A | 6.5 MEDIUM |
| The Ruby Help Desk WordPress plugin before 1.3.4 does not ensure that the ticket being modified belongs to the user making the request, allowing an attacker to close and/or add files and replies to tickets other than their own. | |||||
| CVE-2023-3525 | 1 Getnet Argentina Para Woocommerce Project | 1 Getnet Argentina Para Woocommerce | 2024-02-04 | N/A | 7.5 HIGH |
| The Getnet Argentina para Woocommerce plugin for WordPress is vulnerable to authorization bypass due to missing validation on the 'webhook' function in versions up to, and including, 0.0.4. This makes it possible for unauthenticated attackers to set their payment status to 'APPROVED' without payment. | |||||