Total
1685 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-7836 | 1 Themify | 1 Builder | 2024-11-20 | N/A | 4.3 MEDIUM |
The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them. | |||||
CVE-2024-48897 | 1 Moodle | 1 Moodle | 2024-11-20 | N/A | 4.3 MEDIUM |
A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify. | |||||
CVE-2024-48901 | 1 Moodle | 1 Moodle | 2024-11-20 | N/A | 4.3 MEDIUM |
A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report. | |||||
CVE-2024-11176 | 2024-11-20 | N/A | N/A | ||
Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect calculation of effective permissions. | |||||
CVE-2023-52374 | 2024-11-19 | N/A | 7.5 HIGH | ||
Permission control vulnerability in the package management module.Successful exploitation of this vulnerability may affect service confidentiality. | |||||
CVE-2024-52584 | 2024-11-19 | N/A | N/A | ||
Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available. | |||||
CVE-2024-21287 | 2024-11-19 | N/A | 7.5 HIGH | ||
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
CVE-2024-25170 | 2024-11-19 | N/A | 9.1 CRITICAL | ||
An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header. | |||||
CVE-2023-29381 | 1 Zimbra | 1 Collaboration | 2024-11-19 | N/A | 9.8 CRITICAL |
An issue in Zimbra Collaboration (ZCS) v.8.8.15 and v.9.0 allows a remote attacker to escalate privileges and obtain sensitive information via the password and 2FA parameters. | |||||
CVE-2024-49256 | 1 Wpchill | 1 Htaccess File Editor | 2024-11-19 | N/A | 8.8 HIGH |
Incorrect Authorization vulnerability in WPChill Htaccess File Editor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Htaccess File Editor: from n/a through 1.0.18. | |||||
CVE-2024-8001 | 1 Viwis | 1 Learning Management System | 2024-11-19 | 5.0 MEDIUM | 4.3 MEDIUM |
A vulnerability was found in VIWIS LMS 9.11. It has been classified as critical. Affected is an unknown function of the component Print Handler. The manipulation leads to missing authorization. It is possible to launch the attack remotely. A user with the role learner can use the administrative print function with an active session before and after an exam slot to access the entire exam including solutions in the web application. It is recommended to apply a patch to fix this issue. | |||||
CVE-2022-31671 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 7.4 HIGH |
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database. | |||||
CVE-2022-31667 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 6.4 MEDIUM |
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions. | |||||
CVE-2022-31668 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 7.7 HIGH |
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects. | |||||
CVE-2022-31670 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 7.7 HIGH |
Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag retention policies configured in other projects. | |||||
CVE-2022-31669 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 7.7 HIGH |
Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects. | |||||
CVE-2022-0406 | 1 Janeczku | 1 Calibre-web | 2024-11-19 | 4.0 MEDIUM | 4.3 MEDIUM |
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16. | |||||
CVE-2024-3379 | 1 Lunary | 1 Lunary | 2024-11-18 | N/A | 8.1 HIGH |
In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to that project. This issue was fixed in version 1.2.7. | |||||
CVE-2024-44765 | 2024-11-18 | N/A | 6.5 MEDIUM | ||
An Improper Authorization (Access Control Misconfiguration) vulnerability in MGT-COMMERCE GmbH CloudPanel v2.0.0 to v2.4.2 allows low-privilege users to bypass access controls and gain unauthorized access to sensitive configuration files and administrative functionality. | |||||
CVE-2024-9693 | 2024-11-15 | N/A | 8.5 HIGH | ||
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. |