Total: 653 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-41796 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2024-09-12 | 5.3 Medium |
Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers. This issue affects Sunshine Photo Cart: Free Client Galleries for Photographers: from n/a before 3.0.0. | ||||
CVE-2024-43916 | 1 Dylanjkotze | 1 Zephyr Project Manager | 2024-09-12 | 4.3 Medium |
Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager. This issue affects Zephyr Project Manager: from n/a through 3.3.102. | ||||
CVE-2024-8292 | 1 Plechevandrey | 1 Wp-recall | 2024-09-12 | 9.8 Critical |
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to privilege escalation/account takeover in all versions up to, and including, 16.26.8. This is due to the plugin not properly verifying a user's identity during new order creation. This makes it possible for unauthenticated attackers to supply any email through the user_email field and update the password for that user during new order creation. This requires the commerce addon to be enabled in order to exploit. | ||||
CVE-2024-7438 | 1 Simplemachines | 1 Simple Machines Forum | 2024-09-11 | 4.3 Medium |
A vulnerability has been found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?action=profile;u=2;area=showalerts;do=read of the component User Alert Read Status Handler. The manipulation of the argument aid leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2024-7437 | 1 Simplemachines | 2 Simple Machine Forum, Simple Machines Forum | 2024-09-11 | 5.4 Medium |
A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to improper control of resource identifiers. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2024-45032 | 1 Siemens | 2 Industrial Edge Management Pro, Industrial Edge Management Virtual | 2024-09-10 | 10 Critical |
A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All versions < V2.3.1-1). Affected components do not properly validate the device tokens. This could allow an unauthenticated remote attacker to impersonate other devices onboarded to the system. | ||||
CVE-2023-46478 | 1 Minical | 1 Minical | 2024-09-09 | 8.8 High |
An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter. | ||||
CVE-2023-50267 | 1 Metersphere | 1 Metersphere | 2024-09-09 | 4.3 Medium |
MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, authenticated attackers can update resources which don't belong to them if the resource ID is known. This issue is fixed in 2.10.10-lts. There are no known workarounds. | ||||
CVE-2024-21759 | 1 Fortinet | 1 Fortiportal | 2024-09-09 | 3.9 Low |
An authorization bypass through user-controlled key in Fortinet FortiPortal version 7.2.0, and versions 7.0.0 through 7.0.6 allows an attacker to view unauthorized resources via HTTP or HTTPS requests. | ||||
CVE-2023-45893 | 1 Floorsightsoftware | 1 Customer Portal | 2024-09-06 | 7.5 High |
An Insecure Direct Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information. | ||||
CVE-2023-50342 | 1 Hcltech | 1 Dryice Myxalytics | 2024-09-06 | 7.1 High |
HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability. A user can obtain certain details about another user as a result of improper access control. | ||||
CVE-2024-8123 | 1 Wpextended | 1 Wp Extended | 2024-09-06 | 5.4 Medium |
The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.8 via the duplicate_post function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate posts written by other authors including admins. This includes the ability to duplicate password-protected posts, which reveals their contents. | ||||
CVE-2023-4099 | 1 Qsige | 1 Qsige | 2024-09-06 | 7.6 High |
The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. | ||||
CVE-2023-32669 | 1 Buddyboss | 1 Buddyboss | 2024-09-06 | 5.4 Medium |
Authorization bypass vulnerability in BuddyBoss 2.2.9 version, the exploitation of which could allow an authenticated user to access and rename other users' albums. This vulnerability can be exploited by changing the album identification (id). | ||||
CVE-2023-45380 | 1 Silbersaiten | 1 Order Duplicator | 2024-09-05 | 8.8 High |
In the module "Order Duplicator" Clone and Delete Existing Order (orderduplicate) in version <= 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can download personal information from ps_customer/ps_address tables such as name / surname / phone number / full postal address. | ||||
CVE-2023-38965 | 1 Oretnom23 | 1 Lost And Found Information System | 2024-09-05 | 9.8 Critical |
Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI. | ||||
CVE-2023-7031 | 1 Avaya | 1 Aura Experience Portal | 2024-09-03 | 5.7 Medium |
Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. Affected versions include 8.0.x and 8.1.x, prior to 8.1.2 patch 0402. Versions prior to 8.0 are end of manufacturer support. | ||||
CVE-2023-43900 | 1 Emsigner | 1 Emsigner | 2024-09-03 | 6.5 Medium |
Insecure Direct Object References (IDOR) in EMSigner v2.8.7 allow attackers to gain unauthorized access to application content and view sensitive data of other users via manipulation of the documentID and EncryptedDocumentId parameters. | ||||
CVE-2024-43350 | 1 Propovoice | 1 Propovoice Crm | 2024-09-03 | 5.3 Medium |
Authorization Bypass Through User-Controlled Key vulnerability in Propovoice Propovoice CRM. This issue affects Propovoice CRM: from n/a through 1.7.6.4. | ||||
CVE-2024-43322 | | | 2024-09-03 | 5.4 Medium |
Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager. This issue affects Zephyr Project Manager: from n/a through 3.3.100. | ||||