Export limit exceeded: 359549 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (8277 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-47822 | 1 Sonaar | 1 Mp3 Audio Player For Music\, Radio \& Podcast | 2025-01-22 | 5.4 Medium |
| Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 4.10. | ||||
| CVE-2023-33252 | 1 0kims | 1 Snarkjs | 2025-01-21 | 7.5 High |
| iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus. | ||||
| CVE-2024-31981 | 1 Xwiki | 1 Xwiki | 2025-01-21 | 10 Critical |
| XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, remote code execution is possible via PDF export templates. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1. If PDF templates are not typically used on the instance, an administrator can create the document `XWiki.PDFClass` and block its edition, after making sure that it does not contain a `style` attribute. Otherwise, there are no known workarounds aside from upgrading. | ||||
| CVE-2024-31983 | 1 Xwiki | 1 Xwiki | 2025-01-21 | 10 Critical |
| XWiki Platform is a generic wiki platform. In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on the wiki). Starting in version 4.3-milestone-2 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, this can be exploited for remote code execution if the translation value is not properly escaped where it is used. This has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may restrict edit rights on documents that contain translations. | ||||
| CVE-2024-31987 | 1 Xwiki | 1 Xwiki | 2025-01-21 | 10 Critical |
| XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution. This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1. No known workarounds are available except for upgrading. | ||||
| CVE-2024-45393 | 1 Cvat | 1 Computer Vision Annotation Tool | 2025-01-21 | 6.4 Medium |
| Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, including that of other users. For each delivery, this contains information about the event that caused the delivery, typically including full details about the object on which an action was performed (such as the task for an "update:task" event), and the user who performed the action. In addition, the attacker can redeliver any past delivery of any webhook, and trigger a ping event for any webhook. Upgrade to CVAT 2.18.0 or any later version. | ||||
| CVE-2023-31826 | 1 Skyscreamer | 1 Nevado Jms | 2025-01-17 | 7.8 High |
| Skyscreamer Open Source Nevado JMS v1.3.2 does not perform security checks when receiving messages. This allows attackers to execute arbitrary commands via supplying crafted data. | ||||
| CVE-2023-27304 | 1 Cybozu | 1 Garoon | 2025-01-17 | 4.3 Medium |
| Operation restriction bypass vulnerability in Message and Bulletin of Cybozu Garoon 4.6.0 to 5.9.2 allows a remote authenticated attacker to alter the data of Message and/or Bulletin. | ||||
| CVE-2023-33983 | 1 Briarproject | 1 Briar | 2025-01-16 | 7.4 High |
| The Introduction Client in Briar through 1.5.3 does not implement out-of-band verification for the public keys of introducees. An introducer can launch man-in-the-middle attacks against later private communication between two introduced parties. | ||||
| CVE-2023-5611 | 1 S-sols | 1 Seraphinite Accelerator | 2025-01-16 | 5.3 Medium |
| The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them | ||||
| CVE-2023-32316 | 1 Fit2cloud | 1 Cloudexplorer | 2025-01-14 | 7.1 High |
| CloudExplorer Lite is an open source cloud management tool. In affected versions users can add themselves to any organization in CloudExplorer Lite. This is due to a missing permission check on the user profile. It is recommended to upgrade the version to v1.1.0. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-32311 | 1 Fit2cloud | 1 Cloudexplorer | 2025-01-14 | 7.1 High |
| CloudExplorer Lite is an open source cloud management platform. In CloudExplorer Lite prior to version 1.1.0 users organization/workspace permissions are not properly checked. This allows users to add themselves to any organization. This vulnerability has been fixed in v1.1.0. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2024-29229 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-01-14 | 7.7 High |
| Missing authorization vulnerability in GetLiveViewPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors. | ||||
| CVE-2024-29228 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-01-14 | 7.7 High |
| Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors. | ||||
| CVE-2023-2945 | 1 Open-emr | 1 Openemr | 2025-01-14 | 5.4 Medium |
| Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2023-24605 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 4.2 Medium |
| OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens. | ||||
| CVE-2022-4937 | 1 Wclovers | 1 Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible | 2025-01-13 | 6.3 Medium |
| The WCFM Frontend Manager plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 6.6.0 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more. There were hundreds of AJAX endpoints affected. | ||||
| CVE-2023-2547 | 1 Featherplugins | 1 Feather Login Page | 2025-01-13 | 5.4 Medium |
| The Feather Login Page plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteUser' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the temp user generated by the plugin. | ||||
| CVE-2023-2545 | 1 Featherplugins | 1 Feather Login Page | 2025-01-13 | 8.1 High |
| The Feather Login Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getListOfUsers' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to access the login links, which can be used for privilege escalation. | ||||
| CVE-2024-23493 | 1 Mattermost | 1 Mattermost Server | 2025-01-10 | 4.3 Medium |
| Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of. | ||||