Total
319 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-0865 | 2023-03-21 | N/A | N/A | ||
The WooCommerce Multiple Customer Addresses & Shipping WordPress plugin before 21.7 does not ensure that the address to add/update/retrieve/delete and duplicate belong to the user making the request, or is from a high privilege users, allowing any authenticated users, such as subscriber to add/update/duplicate/delete as well as retrieve addresses of other users. | |||||
CVE-2022-3343 | 1 2code | 1 Wpqa Builder | 2023-03-17 | N/A | 3.5 LOW |
The WPQA Builder WordPress plugin before 5.9.3 (which is a companion plugin used with Discy and Himer Discy WordPress themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them. | |||||
CVE-2023-28109 | 2023-03-16 | N/A | N/A | ||
Play With Docker is a browser-based Docker playground. Versions 0.0.2 and prior are vulnerable to domain hijacking. Because CORS configuration was not correct, an attacker could use `play-with-docker.com` as an example and set the origin header in an http request as `evil-play-with-docker.com`. The domain would echo in response header, which successfully bypassed the CORS policy and retrieved basic user information. This issue has been fixed in commit ed82247c9ab7990ad76ec2bf1498c2b2830b6f1a. There are no known workarounds. | |||||
CVE-2021-36400 | 1 Moodle | 1 Moodle | 2023-03-13 | N/A | 5.3 MEDIUM |
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions. | |||||
CVE-2023-25403 | 1 Yf-exam Project | 1 Yf-exam | 2023-03-10 | N/A | 7.5 HIGH |
CleverStupidDog yf-exam v 1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username format characters. Any user who logged in within 24 hours. A token can be forged with his username to bypass authentication. | |||||
CVE-2019-14245 | 1 Centos-webpanel | 1 Centos Web Panel | 2023-03-03 | 5.5 MEDIUM | 6.5 MEDIUM |
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account. | |||||
CVE-2019-14246 | 1 Centos-webpanel | 1 Centos Web Panel | 2023-03-03 | 4.0 MEDIUM | 6.5 MEDIUM |
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account. | |||||
CVE-2023-0453 | 1 Apusthemes | 1 Wp Private Messaging | 2023-03-02 | N/A | 4.3 MEDIUM |
The WP Private Message WordPress plugin (bundled with the Superio theme as a required plugin) before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID. | |||||
CVE-2022-4803 | 1 Usememos | 1 Memos | 2023-03-01 | N/A | 8.8 HIGH |
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |||||
CVE-2022-4799 | 1 Usememos | 1 Memos | 2023-03-01 | N/A | 6.5 MEDIUM |
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |||||
CVE-2022-4812 | 1 Usememos | 1 Memos | 2023-03-01 | N/A | 6.5 MEDIUM |
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |||||
CVE-2022-4806 | 1 Usememos | 1 Memos | 2023-03-01 | N/A | 5.3 MEDIUM |
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |||||
CVE-2022-4802 | 1 Usememos | 1 Memos | 2023-03-01 | N/A | 5.4 MEDIUM |
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |||||
CVE-2022-4798 | 1 Usememos | 1 Memos | 2023-03-01 | N/A | 5.3 MEDIUM |
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |||||
CVE-2019-12252 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2023-03-01 | 4.0 MEDIUM | 6.5 MEDIUM |
In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. | |||||
CVE-2023-0882 | 2 Krontech, Microsoft | 2 Single Connect, Windows | 2023-02-27 | N/A | 8.8 HIGH |
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Kron Tech Single Connect on Windows allows Privilege Abuse. This issue affects Single Connect: 2.16. | |||||
CVE-2022-1996 | 2 Fedoraproject, Go-restful Project | 2 Fedora, Go-restful | 2023-02-22 | 6.4 MEDIUM | 9.1 CRITICAL |
Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0. | |||||
CVE-2022-0691 | 1 Url-parse Project | 1 Url-parse | 2023-02-22 | 7.5 HIGH | 9.8 CRITICAL |
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9. | |||||
CVE-2022-0686 | 1 Url-parse Project | 1 Url-parse | 2023-02-22 | 6.4 MEDIUM | 9.1 CRITICAL |
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8. | |||||
CVE-2022-0639 | 1 Url-parse Project | 1 Url-parse | 2023-02-22 | 5.0 MEDIUM | 5.3 MEDIUM |
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7. |