| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2. |
| OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because `allow_all` did not take precedence over `identity_provider`. Since JupyterHub 5.0, `allow_all` does take precedence over `identity_provider`. On a hub with the same config, now all users will be allowed to login, regardless of `identity_provider`. `identity_provider` will basically be ignored. This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when using `GlobusOAuthenticator` in the prior configuration. |
| The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed. Versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5 fix this issue. |
| Missing Authorization vulnerability in BinaryCarpenter Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter allows Cross-Site Scripting (XSS).This issue affects Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter: from n/a through 1.222.16. |
| SAP BW/4HANA Transformation and Data Transfer
Process (DTP) allows an authenticated attacker to gain higher access levels
than they should have by exploiting improper authorization checks. This results
in escalation of privileges. It has no impact on the confidentiality of data
but may have low impacts on the integrity and availability of the application. |
| SAP CRM WebClient does not
perform necessary authorization check for an authenticated user, resulting in
escalation of privileges. This could allow an attacker to access some sensitive
information. |
| SAP S/4HANA Finance (Advanced Payment
Management) does not perform necessary authorization check for an authenticated
user, resulting in escalation of privileges. As a result, it has a low impact
to confidentiality and availability but there is no impact on the integrity. |
| Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`. This affects 18.1.0 and earlier. |
| Missing Authorization vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7. |
| Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available. |
| Missing Authorization vulnerability in OPMC WooCommerce Dropshipping.This issue affects WooCommerce Dropshipping: from n/a through 5.0.4. |
| Missing Authorization vulnerability in Code Parrots Easy Forms for Mailchimp.This issue affects Easy Forms for Mailchimp: from n/a through 6.9.0. |
| Missing Authorization vulnerability in Awesome Support Team Awesome Support.This issue affects Awesome Support: from n/a through 6.1.7. |
| Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.This issue affects WP Time Slots Booking Form: from n/a through 1.2.11. |
| Missing Authorization vulnerability in Tickera.This issue affects Tickera: from n/a through 3.5.2.6. |
| Missing Authorization vulnerability in actpro Extra Product Options for WooCommerce.This issue affects Extra Product Options for WooCommerce: from n/a through 3.0.6. |
| Missing Authorization vulnerability in ThemeKraft WooBuddy.This issue affects WooBuddy: from n/a through 3.4.19. |
| Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor.This issue affects LA-Studio Element Kit for Elementor: from n/a through 1.3.6. |
| Missing Authorization vulnerability in Bosa Themes Bosa Elementor Addons and Templates for WooCommerce.This issue affects Bosa Elementor Addons and Templates for WooCommerce: from n/a through 1.0.12. |
| Missing Authorization vulnerability in Andrew Rapps Dashboard To-Do List.This issue affects Dashboard To-Do List: from n/a through 1.2.0. |
