Total
3290 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-39592 | 2 Sap, Sap Se | 3 S4core, S4coreop, Sap Pdce | 2024-08-29 | 7.7 High |
| Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application. | ||||
| CVE-2023-6038 | 1 H2o | 1 H2o | 2024-08-29 | 7.5 High |
| A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3. | ||||
| CVE-2023-47112 | 1 Pagerduty | 1 Rundeck | 2024-08-29 | 4.3 Medium |
| Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks. The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information. This vulnerability has been patched in version 4.17.3. Users are advised to upgrade. Users unable to upgrade may block access to the two URLs used in either Rundeck Open Source or Process Automation products at a load balancer level. | ||||
| CVE-2023-48222 | 1 Pagerduty | 1 Rundeck | 2024-08-29 | 8.1 High |
| Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. This issue has been addressed in version 4.17.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-39544 | 1 Nec | 2 Expresscluster X, Expresscluster X Singleserversafe | 2024-08-29 | 8.8 High |
| CLUSTERPRO X Ver5.1 and earlier and EXPRESSCLUSTER X 5.1 and earlier, CLUSTERPRO X SingleServerSafe 5.1 and earlier, EXPRESSCLUSTER X SingleServerSafe 5.1 and earlier allows a attacker to log in to the product may execute an arbitrary command. | ||||
| CVE-2023-42712 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-08-28 | 5.5 Medium |
| In firewall service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed | ||||
| CVE-2023-42738 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-08-28 | 7.8 High |
| In telocom service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed | ||||
| CVE-2023-42749 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-08-28 | 5.5 Medium |
| In enginnermode service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed | ||||
| CVE-2023-4024 | 2 Softlab, Softlabbd | 2 Radio Player, Radio Player | 2024-08-28 | 5.3 Medium |
| The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to delete player instances. | ||||
| CVE-2023-4025 | 2 Softlab, Softlabbd | 2 Radio Player, Radio Player | 2024-08-28 | 5.3 Medium |
| The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update player instances. | ||||
| CVE-2023-2480 | 1 M-files | 1 M-files | 2024-08-28 | 7.5 High |
| Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications | ||||
| CVE-2023-40094 | 1 Google | 1 Android | 2024-08-28 | 7.8 High |
| In keyguardGoingAway of ActivityTaskManagerService.java, there is a possible lock screen bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2024-32691 | 2024-08-28 | 5.3 Medium | ||
| Missing Authorization vulnerability in realmag777 Active Products Tables for WooCommerce.This issue affects Active Products Tables for WooCommerce: from n/a through 1.0.6.2. | ||||
| CVE-2023-51650 | 1 Apache | 1 Hertzbeat | 2024-08-28 | 7.5 High |
| Hertzbeat is an open source, real-time monitoring system. Prior to version 1.4.1, Spring Boot permission configuration issues caused unauthorized access vulnerabilities to three interfaces. This could result in disclosure of sensitive server information. Version 1.4.1 fixes this issue. | ||||
| CVE-2023-47757 | 1 Aweber | 1 Aweber | 2024-08-28 | 4.3 Medium |
| Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in AWeber AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth allows Accessing Functionality Not Properly Constrained by ACLs, Cross-Site Request Forgery.This issue affects AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth: from n/a through 7.3.9. | ||||
| CVE-2023-50767 | 1 Jenkins | 1 Nexus Platform | 2024-08-28 | 5.4 Medium |
| Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. | ||||
| CVE-2024-28159 | 2024-08-27 | 4.3 Medium | ||
| A missing permission check in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers with Item/Read permission to trigger a build. | ||||
| CVE-2024-6688 | 2024-08-27 | 4.3 Medium | ||
| The Oxygen Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the oxy_save_css_from_admin AJAX action in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update stylesheets. | ||||
| CVE-2024-1122 | 1 Themewinter | 1 Eventin | 2024-08-27 | 5.3 Medium |
| The Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data. | ||||
| CVE-2024-2216 | 2024-08-26 | 8.8 High | ||
| A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. | ||||