Total: 755 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-7438 | 1 Simplemachines | 1 Simple Machines Forum | 2024-09-11 | N/A | 4.3 MEDIUM |
A vulnerability classified as problematic has been found in SimpleMachines SMF 2.1.4. The affected code handles the file /index.php?action=profile;u=2;area=showalerts;do=read (the User Alert Read Status Handler). Manipulating the argument aid leads to improper control of resource identifiers, so the handler operates on attacker-chosen alert identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2023-46478 | 1 Minical | 1 Minical | 2024-09-09 | N/A | 8.8 HIGH |
An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script passed in the customer_data parameter. | |||||
CVE-2024-21759 | 1 Fortinet | 1 Fortiportal | 2024-09-09 | N/A | 4.3 MEDIUM |
An authorization bypass through a user-controlled key in Fortinet FortiPortal version 7.2.0, and versions 7.0.0 through 7.0.6, allows an attacker to view unauthorized resources via HTTP or HTTPS requests. | |||||
CVE-2023-45893 | 1 Floorsightsoftware | 1 Customer Portal | 2024-09-06 | N/A | 7.5 HIGH |
An Insecure Direct Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information. | |||||
CVE-2024-8123 | 1 Wpextended | 1 Wp Extended | 2024-09-06 | N/A | 5.4 MEDIUM |
The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.8 via the duplicate_post function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate posts written by other authors including admins. This includes the ability to duplicate password-protected posts, which reveals their contents. | |||||
CVE-2023-45380 | 1 Silbersaiten | 1 Order Duplicator | 2024-09-05 | N/A | 8.8 HIGH |
In the module "Order Duplicator - Clone and Delete Existing Order" (orderduplicate) in versions <= 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can download personal information from the ps_customer/ps_address tables such as name, surname, phone number and full postal address. | |||||
CVE-2024-45232 | 1 In2code | 1 Powermail | 2024-08-30 | N/A | 5.3 MEDIUM |
An issue was discovered in the powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in an Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which however is the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0. | |||||
CVE-2024-3035 | 1 Gitlab | 1 Gitlab | 2024-08-29 | N/A | 8.1 HIGH |
A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed LFS tokens to read from and write to user-owned repositories. | |||||
CVE-2024-42463 | 1 Upkeeper | 1 Upkeeper Manager | 2024-08-28 | N/A | 6.5 MEDIUM |
An Authorization Bypass Through User-Controlled Key vulnerability in the upKeeper Solutions product upKeeper Manager allows an attacker to utilize the REST API's trust in the system resource to obtain sensitive data. This issue affects upKeeper Manager through 5.1.9. | |||||
CVE-2024-42464 | 1 Upkeeper | 1 Upkeeper Manager | 2024-08-28 | N/A | 6.5 MEDIUM |
An Authorization Bypass Through User-Controlled Key vulnerability in the upKeeper Solutions product upKeeper Manager allows an attacker to utilize the REST API's trust in the system resource to obtain sensitive data. This issue affects upKeeper Manager through 5.1.9. | |||||
CVE-2023-3289 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 6.5 MEDIUM |
A BOLA vulnerability in POST /services allows a low-privileged user to create a service for any user in the system (including admin). This results in unauthorized data manipulation. | |||||
CVE-2023-3286 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 6.5 MEDIUM |
A BOLA vulnerability in POST /secretaries allows a low-privileged user to create a low-privileged user (secretary) in the system. This results in unauthorized data manipulation. | |||||
CVE-2023-3287 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.8 HIGH |
A BOLA vulnerability in POST /admins allows a low-privileged user to create a high-privileged user (admin) in the system. This results in privilege escalation. | |||||
CVE-2023-3290 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 5.0 MEDIUM |
A BOLA vulnerability in POST /customers allows a low-privileged user to create a low-privileged user (customer) in the system. This results in unauthorized data manipulation. | |||||
CVE-2023-3288 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.8 HIGH |
A BOLA vulnerability in POST /providers allows a low-privileged user to create a privileged user (provider) in the system. This results in privilege escalation. | |||||
CVE-2023-38053 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.1 HIGH |
A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low-privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation. | |||||
CVE-2023-38050 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.1 HIGH |
A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low-privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation. | |||||
CVE-2023-38055 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.1 HIGH |
A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low-privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation. | |||||
CVE-2023-38054 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.1 HIGH |
A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low-privileged user to fetch, modify or delete a low-privileged user (customer). This results in unauthorized access and unauthorized data manipulation. | |||||
CVE-2023-38051 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.1 HIGH |
A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low-privileged user to fetch, modify or delete a low-privileged user (secretary). This results in unauthorized access and unauthorized data manipulation. |
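Every entry in this list is the same flaw: a client-supplied key (an `aid`, a post id, a `{webhookId}`, an `owner_id` in a POST body) selects the row, and nothing ties that row to the authenticated caller. The block below is an added example, not code from any of the projects listed above. It uses a hypothetical in-memory `Store` with `Principal` and `Record` types, constructed inline, and places the vulnerable handler shape next to a hardened one that scopes every read, update and create to the session identity rather than to the key the client chose.

```python
"""
Object-level authorization (IDOR / BOLA, CWE-639) on a toy REST-style store.
Hypothetical example code; it is not taken from any project listed above and
all users and records are constructed inline.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Principal:
    """Authenticated caller: taken from the session, never from the request."""
    user_id: int
    is_admin: bool = False


@dataclass
class Record:
    record_id: int
    owner_id: int
    data: str


class Store:
    """Minimal id-keyed table standing in for customers, webhooks, alerts, ..."""
    def __init__(self) -> None:
        self._rows: Dict[int, Record] = {}
        self._next_id = 1

    def add(self, owner_id: int, data: str) -> Record:
        row = Record(self._next_id, owner_id, data)
        self._rows[row.record_id] = row
        self._next_id += 1
        return row

    def get(self, record_id: int) -> Optional[Record]:
        return self._rows.get(record_id)


class NotFound(Exception):
    """Raised for both 'no such row' and 'not your row', so ids cannot be probed."""


# ---- vulnerable handlers: the client-chosen key alone selects the row ----
def get_record_vulnerable(store: Store, caller: Principal, record_id: int) -> str:
    row = store.get(record_id)
    if row is None:
        raise NotFound()
    return row.data  # any authenticated caller can read any row

def create_record_vulnerable(store: Store, caller: Principal, body: dict) -> Record:
    # trusts body["owner_id"]: a low-privileged user can create rows for anyone
    return store.add(body["owner_id"], body["data"])


# ---- hardened handlers: every lookup is scoped to the authenticated principal ----
def authorize(caller: Principal, row: Optional[Record]) -> Record:
    if row is None or (row.owner_id != caller.user_id and not caller.is_admin):
        raise NotFound()  # identical response either way: no 403-vs-404 oracle
    return row

def get_record(store: Store, caller: Principal, record_id: int) -> str:
    return authorize(caller, store.get(record_id)).data

def update_record(store: Store, caller: Principal, record_id: int, data: str) -> None:
    authorize(caller, store.get(record_id)).data = data

def create_record(store: Store, caller: Principal, body: dict) -> Record:
    # owner is the session identity; a client-supplied owner_id is ignored
    return store.add(caller.user_id, body["data"])


def demo() -> dict:
    """Exercise both versions with constructed users and rows; return observations."""
    store = Store()
    admin, alice, mallory = Principal(1, is_admin=True), Principal(2), Principal(3)
    secret = store.add(admin.user_id, "admin-only settings")
    appt = store.add(alice.user_id, "alice's appointment")
    out = {}
    out["vulnerable_read"] = get_record_vulnerable(store, mallory, secret.record_id)
    out["vulnerable_create_owner"] = create_record_vulnerable(
        store, mallory, {"owner_id": admin.user_id, "data": "planted"}).owner_id
    try:
        get_record(store, mallory, secret.record_id)
        out["hardened_read_blocked"] = False
    except NotFound:
        out["hardened_read_blocked"] = True
    out["hardened_create_owner"] = create_record(
        store, mallory, {"owner_id": admin.user_id, "data": "mine"}).owner_id
    out["owner_can_read"] = get_record(store, alice, appt.record_id)
    out["admin_can_read"] = get_record(store, admin, appt.record_id)
    update_record(store, alice, appt.record_id, "rescheduled")
    out["owner_update_persisted"] = get_record(store, alice, appt.record_id)
    try:
        get_record(store, alice, 999)
        out["missing_id_blocked"] = False
    except NotFound:
        out["missing_id_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to real code. First, the ownership filter belongs in the lookup itself (`WHERE id = ? AND owner_id = ?` in SQL terms), not in a check bolted on after a bare fetch, so that a new PUT or DELETE route cannot forget it. Second, the hardened path answers "not yours" and "does not exist" identically; answering 403 for one and 404 for the other turns an id space into an enumeration oracle even when the data itself stays protected.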