Total
653 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2958 | 1 Orjinyazilim | 1 Ats Pro | 2024-10-30 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714. | ||||
| CVE-2024-41254 | 1 Litestream | 1 Litestream | 2024-10-29 | 5.3 Medium |
| An issue was discovered in litestream v0.3.13. The usage of the ssh.InsecureIgnoreHostKey() disables host key verification, possibly allowing attackers to obtain sensitive information via a man-in-the-middle attack. | ||||
| CVE-2023-32189 | 2024-10-29 | 5.9 Medium | ||
| Insecure handling of ssh keys used to bootstrap clients allows local attackers to potentially gain access to the keys | ||||
| CVE-2024-9637 | 1 Jdsofttech | 1 School Management System | 2024-10-28 | 8.8 High |
| The School Management System – WPSchoolPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.10. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with teacher-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | ||||
| CVE-2024-31815 | 1 Totolink | 1 Ex200 Firmware | 2024-10-28 | 9.1 Critical |
| In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh | ||||
| CVE-2019-19755 | 1 Ethos | 1 Ethos | 2024-10-25 | 9.1 Critical |
| ethOS through 1.3.3 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as of 2019-12-01, the vendor indicated that they plan to fix this. | ||||
| CVE-2024-39223 | 1 Ginuerzh | 1 Gost | 2024-10-25 | 9.8 Critical |
| An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey | ||||
| CVE-2020-6641 | 1 Fortinet | 1 Fortipresence | 2024-10-25 | 4.3 Medium |
| Two authorization bypass through user-controlled key vulnerabilities in the Fortinet FortiPresence 2.1.0 administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters. | ||||
| CVE-2024-46937 | 1 Mfasoft | 1 Secure Authentication Server | 2024-10-24 | 9.1 Critical |
| An improper access control (IDOR) vulnerability in the /api-selfportal/get-info-token-properties endpoint in MFASOFT Secure Authentication Server (SAS) 1.8.x through 1.9.x before 1.9.040924 allows remote attackers gain access to user tokens without authentication. The is a brute-force attack on the serial parameter by number identifier: GA00001, GA00002, GA00003, etc. | ||||
| CVE-2023-30960 | 1 Palantir | 1 Foundry Job-tracker | 2024-10-23 | 4.3 Medium |
| A security defect was discovered in Foundry job-tracker that enabled users to query metadata related to builds on resources they did not have access to. This defect was resolved with the release of job-tracker 4.645.0. The service was rolled out to all affected Foundry instances. No further intervention is required. | ||||
| CVE-2023-30956 | 1 Palantir | 1 Foundry Comments | 2024-10-23 | 5.3 Medium |
| A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0. | ||||
| CVE-2022-39945 | 1 Fortinet | 1 Fortimail | 2024-10-22 | 5.4 Medium |
| An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR). | ||||
| CVE-2023-6824 | 1 Marvinlabs | 1 Wp Customer Area | 2024-10-22 | 6.5 Medium |
| The WP Customer Area WordPress plugin before 8.2.1 does not properly validates user capabilities in some of its AJAX actions, allowing any users to retrieve other user's account address. | ||||
| CVE-2023-6384 | 1 Wp-eventmanager | 1 User Profile Avatar | 2024-10-21 | 4.3 Medium |
| The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar | ||||
| CVE-2023-23679 | 1 Jshelpdesk | 1 Jshelpdesk | 2024-10-18 | 4.6 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in JS Help Desk js-support-ticket allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JS Help Desk: from n/a through 2.7.7. | ||||
| CVE-2024-9263 | 1 Arraytics | 1 Timetics | 2024-10-18 | 9.8 Critical |
| The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible. | ||||
| CVE-2024-9862 | 1 Miniorange | 1 Otp Verification | 2024-10-18 | 9.8 Critical |
| The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. | ||||
| CVE-2024-9215 | 1 Publishpress | 1 Authors | 2024-10-18 | 8.8 High |
| The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the 'authors-user_id' user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user's account password and gain access. | ||||
| CVE-2024-9687 | 1 Dueclic | 1 Wp 2fa With Telegram | 2024-10-17 | 8.8 High |
| The WP 2FA with Telegram plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0. This is due to insufficient validation of the user-controlled key on the 'validate_tg' action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator. | ||||
| CVE-2023-7286 | 2024-10-16 | 6.5 Medium | ||
| The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above. | ||||