Total
4055 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-7856 | 1 Sonaar | 1 Mp3 Audio Player For Music\, Radio \& Podcast | 2024-09-13 | N/A | 8.1 HIGH |
| The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible when wp-config.php is deleted. | |||||
| CVE-2024-37930 | 1 Theme-sphere | 1 Smartmag | 2024-09-12 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in ThemeSphere SmartMag allows Excavation, Accessing Functionality Not Properly Constrained by ACLs.This issue affects SmartMag: from n/a through 9.3.0. | |||||
| CVE-2024-6631 | 1 Imagerecycle | 1 Imagerecycle Pdf \& Image Compression | 2024-09-12 | N/A | 4.3 MEDIUM |
| The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 3.1.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions, such as updating plugin settings. | |||||
| CVE-2023-4027 | 1 Softlabbd | 1 Radio Player | 2024-09-12 | N/A | 5.3 MEDIUM |
| The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_settings function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update plugin settings. | |||||
| CVE-2024-42470 | 1 Openhab | 1 Openhab | 2024-09-12 | N/A | 9.1 CRITICAL |
| openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Several endpoints in versions prior to 4.2.1 of the CometVisu add-on of openHAB don't require authentication. This makes it possible for unauthenticated attackers to modify or to steal sensitive data. This issue may lead to sensitive information disclosure. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch. | |||||
| CVE-2024-33005 | 1 Sap | 4 Content Server, Netweaver Abap, Netweaver Java and 1 more | 2024-09-12 | N/A | 6.3 MEDIUM |
| Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications. | |||||
| CVE-2024-7605 | 1 Helloasso | 1 Helloasso | 2024-09-12 | N/A | 4.3 MEDIUM |
| The HelloAsso plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ha_ajax' function in all versions up to, and including, 1.1.10. This makes it possible for authenticated attackers, with Contributor-level access and above, to update plugin options, potentially disrupting the service. | |||||
| CVE-2024-43214 | 1 Mycred | 1 Mycred | 2024-09-12 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in myCred.This issue affects myCred: from n/a through 2.7.2. | |||||
| CVE-2024-41730 | 1 Sap | 1 Business Objects Business Intelligence Platform | 2024-09-12 | N/A | 9.8 CRITICAL |
| In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability. | |||||
| CVE-2024-42376 | 1 Sap | 1 Shared Service Framework | 2024-09-12 | N/A | 6.5 MEDIUM |
| SAP Shared Service Framework does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the application. | |||||
| CVE-2024-42377 | 1 Sap | 1 Shared Service Framework | 2024-09-12 | N/A | 4.3 MEDIUM |
| SAP shared service framework allows an authenticated non-administrative user to call a remote-enabled function, which will allow them to insert value entries into a non-sensitive table, causing low impact on integrity of the application | |||||
| CVE-2024-39591 | 1 Sap | 1 Document Builder | 2024-09-12 | N/A | 5.3 MEDIUM |
| SAP Document Builder does not perform necessary authorization checks for one of the function modules resulting in escalation of privileges causing low impact on confidentiality of the application. | |||||
| CVE-2024-41734 | 1 Sap | 1 Netweaver Application Server Abap | 2024-09-12 | N/A | 4.3 MEDIUM |
| Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability. | |||||
| CVE-2024-42373 | 1 Sap | 1 Student Life Cycle Management | 2024-09-12 | N/A | 5.4 MEDIUM |
| SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to delete non-sensitive report variants that are typically restricted, causing minimal impact on the integrity of the application. | |||||
| CVE-2024-6332 | 1 Tmsproducts | 1 Amelia | 2024-09-12 | N/A | 6.5 MEDIUM |
| The Booking for Appointments and Events Calendar – Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.3. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version. | |||||
| CVE-2024-8427 | 1 Wpshuffle | 1 Frontend Post Submission Manager | 2024-09-11 | N/A | 4.3 MEDIUM |
| The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_global_settings and process_form_edit functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and forms. | |||||
| CVE-2024-5309 | 1 Wpvibes | 1 Form Vibes | 2024-09-11 | N/A | 5.4 MEDIUM |
| The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the fv_export_csv, reset_settings, save_settings, save_columns_settings, get_analytics_data, get_event_logs_data, delete_submissions, and get_submissions functions in all versions up to, and including, 1.4.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform multiple unauthorized actions. NOTE: This vulnerability is partially fixed in version 1.4.12. | |||||
| CVE-2024-44408 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2024-09-10 | N/A | 7.5 HIGH |
| D-Link DIR-823G v1.0.2B05_20181207 is vulnerable to Information Disclosure. The device allows unauthorized configuration file downloads, and the downloaded configuration files contain plaintext user passwords. | |||||
| CVE-2024-44115 | 2024-09-10 | N/A | 4.3 MEDIUM | ||
| The RFC enabled function module allows a low privileged user to add URLs to any user's workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces, and nodes. There is low impact on integrity of the application | |||||
| CVE-2024-44113 | 2024-09-10 | N/A | 4.3 MEDIUM | ||
| Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application. | |||||