Total: 319 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-0512 | 1 Url-parse Project | 1 Url-parse | 2023-02-22 | 5.0 MEDIUM | 5.3 MEDIUM |
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6. | |||||
CVE-2023-25160 | 1 Nextcloud | 1 Mail | 2023-02-22 | N/A | 5.3 MEDIUM |
Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available. | |||||
CVE-2021-4142 | 1 Candlepinproject | 1 Candlepin | 2023-02-12 | N/A | 5.5 MEDIUM |
The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. A few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin. | |||||
CVE-2022-34138 | 1 Biltema | 4 Baby Camera, Baby Camera Firmware, Ip Camera and 1 more | 2023-02-09 | N/A | 7.5 HIGH |
Insecure direct object references (IDOR) in the web server of Biltema IP and Baby Camera Software v124 allows attackers to access sensitive information. | |||||
CVE-2023-0550 | 1 Thingsforrestaurants | 1 Quick Restaurant Menu | 2023-02-07 | N/A | 4.3 MEDIUM |
The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu item. This makes it possible for authenticated attackers, with subscriber-level access or higher, to modify or delete arbitrary posts. | |||||
CVE-2022-4794 | 1 Getaawp | 1 Amazon Affiliate Wordpress Plugin | 2023-02-06 | N/A | 7.5 HIGH |
The AAWP WordPress plugin before 3.12.3 can be used to abuse trusted domains to load malware or other files through it (Reflected File Download) to bypass firewall rules in companies. | |||||
CVE-2023-0558 | 1 Contentstudio | 1 Contentstudio | 2023-02-06 | N/A | 9.8 CRITICAL |
The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to an insecure token check that is susceptible to type juggling in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to execute functions intended for use by users with proper API keys. | |||||
CVE-2021-24374 | 1 Automattic | 1 Jetpack | 2023-02-03 | 5.0 MEDIUM | 5.3 MEDIUM |
The Jetpack Carousel module of the Jetpack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published pages/posts to be leaked. | |||||
CVE-2022-43326 | 1 Telosalliance | 2 Omnia Mpx Node, Omnia Mpx Node Firmware | 2023-02-01 | N/A | 7.5 HIGH |
An Insecure Direct Object Reference (IDOR) vulnerability in the password reset function of Telos Alliance Omnia MPX Node 1.0.0-1.4.[*] allows attackers to arbitrarily change user and Administrator account passwords. | |||||
CVE-2022-2808 | 1 Algan | 1 Prens Student Information System | 2023-02-01 | N/A | 8.8 HIGH |
Algan Yazılım Prens Student Information System product has an authenticated Insecure Direct Object Reference (IDOR) vulnerability. | |||||
CVE-2019-9921 | 1 Harmistechnology | 1 Je Messenger | 2023-01-31 | 4.0 MEDIUM | 6.5 MEDIUM |
An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to read information that should only be accessible by a different user. | |||||
CVE-2022-45927 | 1 Opentext | 1 Opentext Extended Ecm | 2023-01-30 | N/A | 8.8 HIGH |
An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Java application server can be used to bypass the authentication of the QDS endpoints of the Content Server. These endpoints can be used to create objects and execute arbitrary code. | |||||
CVE-2022-40319 | 1 Lsoft | 1 Listserv | 2023-01-25 | N/A | 7.5 HIGH |
The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account. | |||||
CVE-2019-14725 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 4.0 MEDIUM | 4.3 MEDIUM |
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to change the e-mail usage value of a victim account via an attacker account. | |||||
CVE-2019-13360 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 7.5 HIGH | 9.8 CRITICAL |
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username. | |||||
CVE-2019-13605 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 6.5 MEDIUM | 8.8 HIGH |
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is different from CVE-2019-13360. | |||||
CVE-2019-14721 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 5.5 MEDIUM | 6.5 MEDIUM |
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to remove a target user from phpMyAdmin via an attacker account. | |||||
CVE-2019-14724 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 5.0 MEDIUM | 7.5 HIGH |
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to edit an e-mail forwarding destination of a victim's account via an attacker account. | |||||
CVE-2023-22471 | 1 Nextcloud | 1 Deck | 2023-01-24 | N/A | 4.3 MEDIUM |
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Broken access control allows a user to delete attachments of other users. There are currently no known workarounds. It is recommended that the Nextcloud Deck app is upgraded to 1.6.5 or 1.7.3 or 1.8.2. | |||||
CVE-2022-32277 | 1 Squiz | 1 Matrix | 2023-01-18 | N/A | 5.3 MEDIUM |
** DISPUTED ** Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details. NOTE: this is disputed by both the vendor and the original discoverer because it is a site-specific finding, not a finding about the Squiz Matrix CMS product. | |||||