Total: 541 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-40430 | 1 Sftpgo Project | 1 Sftpgo | 2024-07-25 | N/A | 5.3 MEDIUM | In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as JWT ID (jti) claims, nonces, and proper expiration and invalidation mechanisms.
CVE-2018-20405 | 1 Bigtreecms | 1 Bigtree | 2024-07-23 | 4.0 MEDIUM | 2.7 LOW | BigTree 4.3 allows full path disclosure via authenticated admin/news/ input that triggers a syntax error. NOTE: This has been disputed with the following reasoning: "The issue reported requires full developer level access to the content management system where cross site scripting is not an issue -- you already have full control of the CMS including running arbitrary PHP."
CVE-2024-38701 | | | 2024-07-22 | N/A | 4.3 MEDIUM | Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS. This issue affects Academy LMS: from n/a through 2.0.4.
CVE-2024-5977 | 1 Givewp | 1 Givewp | 2024-07-19 | N/A | 5.4 MEDIUM | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.13.0 via the 'handleRequest' function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to delete and update arbitrary posts.
CVE-2024-5619 | | | 2024-07-19 | N/A | 9.6 CRITICAL | Authorization Bypass Through User-Controlled Key vulnerability in PruvaSoft Informatics Apinizer Management Console allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apinizer Management Console: before 2024.05.1.
CVE-2024-39901 | | | 2024-07-18 | N/A | 4.2 MEDIUM | OpenSearch Observability is a collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources such as notebooks. The system did not properly check whether the user was the resource author when accessing resources in a private tenant, so private data could be revealed. The patches are included in OpenSearch 2.14.
CVE-2024-39897 | | | 2024-07-11 | N/A | 4.3 MEDIUM | zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without an access control check. If a zot `accessControl` policy allows users read access to some repositories but restricts read access to others, and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob they do not have read access to can read that blob via a second repository they do have read access to. The attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob in a global cache by searching for the digest; if it is found, it is copied into the user-requested repository with `copyBlob()`. The attack may be mitigated by configuring `"dedupe": false` in the `"storage"` settings. The vulnerability is fixed in 2.1.0.
CVE-2024-39900 | | | 2024-07-11 | N/A | 5.4 MEDIUM | OpenSearch Dashboards Reports allows a 'Report Owner' to export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources such as notebooks. The system did not properly check whether the user was the resource author when accessing resources in a private tenant, so private data could be revealed. The patches are included in OpenSearch 2.14.
CVE-2023-38050 | | | 2024-07-09 | N/A | 9.1 CRITICAL | A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-38051 | | | 2024-07-09 | N/A | 9.9 CRITICAL | A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-3287 | | | 2024-07-09 | N/A | 9.9 CRITICAL | A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.
CVE-2023-38054 | | | 2024-07-09 | N/A | 9.9 CRITICAL | A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-38052 | | | 2024-07-09 | N/A | 9.9 CRITICAL | A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-38047 | | | 2024-07-09 | N/A | 8.5 HIGH | A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-38048 | | | 2024-07-09 | N/A | 9.9 CRITICAL | A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-3285 | | | 2024-07-09 | N/A | 7.7 HIGH | A BOLA vulnerability in POST /appointments allows a low privileged user to create an appointment for any user in the system (including admin). This results in unauthorized data manipulation.
CVE-2023-3286 | | | 2024-07-09 | N/A | 7.7 HIGH | A BOLA vulnerability in POST /secretaries allows a low privileged user to create a low privileged user (secretary) in the system. This results in unauthorized data manipulation.
CVE-2023-3288 | | | 2024-07-09 | N/A | 8.5 HIGH | A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.
CVE-2023-38055 | | | 2024-07-09 | N/A | 9.6 CRITICAL | A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-3289 | | | 2024-07-09 | N/A | 7.7 HIGH | A BOLA vulnerability in POST /services allows a low privileged user to create a service for any user in the system (including admin). This results in unauthorized data manipulation.
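The CVE-2024-40430 entry above lists what SFTPGo 2.6.2's JWT handling lacked: a per-token JWT ID (jti, which also serves as the nonce), a mandatory expiry, and a way to invalidate a token before it expires. The following added example is not SFTPGo's code; it is a minimal HS256 token service written for this page using only the Go standard library, showing how those three measures fit together. The type and function names (`TokenService`, `Issue`, `Verify`, `Revoke`, `Prune`) and the demo key are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Claims is the minimal claim set a session token needs. jti gives every token
// its own identity so one token can be revoked without rotating the key.
type Claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

// TokenService signs HS256 tokens and keeps a revocation list keyed by jti.
type TokenService struct {
	key     []byte
	mu      sync.Mutex
	revoked map[string]int64 // jti -> exp, so entries can be pruned once they expire anyway
	now     func() time.Time // injectable clock (assumption for the example)
}

func NewTokenService(key []byte) *TokenService {
	return &TokenService{key: key, revoked: map[string]int64{}, now: time.Now}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue mints a token with a random 128-bit jti and a bounded lifetime.
func (s *TokenService) Issue(sub string, ttl time.Duration) (string, Claims, error) {
	var id [16]byte
	if _, err := rand.Read(id[:]); err != nil {
		return "", Claims{}, err
	}
	now := s.now()
	c := Claims{Sub: sub, Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Jti: fmt.Sprintf("%x", id)}
	payload, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, s.key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), c, nil
}

// Verify checks signature, then expiry, then jti presence and revocation.
// The header is never trusted: the MAC is always recomputed with HS256, so an
// "alg":"none" token simply fails the signature comparison.
func (s *TokenService) Verify(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, s.key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, errors.New("bad payload")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if c.Exp == 0 || s.now().Unix() >= c.Exp {
		return Claims{}, errors.New("token expired or has no exp")
	}
	if c.Jti == "" {
		return Claims{}, errors.New("token has no jti")
	}
	s.mu.Lock()
	_, isRevoked := s.revoked[c.Jti]
	s.mu.Unlock()
	if isRevoked {
		return Claims{}, errors.New("token revoked")
	}
	return c, nil
}

// Revoke invalidates one token (logout, password change) ahead of its expiry.
func (s *TokenService) Revoke(c Claims) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.revoked[c.Jti] = c.Exp
}

// Prune drops revocation entries whose token would be rejected by exp anyway,
// which keeps the list bounded by the token lifetime.
func (s *TokenService) Prune() {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now().Unix()
	for jti, exp := range s.revoked {
		if exp <= now {
			delete(s.revoked, jti)
		}
	}
}

func main() {
	svc := NewTokenService([]byte("constructed-demo-key-do-not-reuse")) // constructed sample key
	tok, claims, _ := svc.Issue("alice", time.Hour)
	_, err := svc.Verify(tok)
	fmt.Println("fresh token accepted:", err == nil)
	svc.Revoke(claims)
	_, err = svc.Verify(tok)
	fmt.Println("after revoke:", err)
}
```

Without a jti there is nothing to put on a revocation list, so a leaked token stays valid until exp; without exp the list can never be pruned. The order of checks matters too: the signature is verified before any claim is parsed, so unsigned input never reaches the JSON decoder or the revocation lookup.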
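The CVE-2024-39897 entry above explains the zot dedupe bypass step by step: the request names a repository the caller may read, the blob is not there, `checkCacheBlob()` finds the digest in a global cache, and `copyBlob()` copies it into the requested repository. The following added example is a toy model written for this page, not zot's code: it reuses the page's step names as labels, contrasts the pre-2.1.0 behaviour with a modeled fix (requiring read access to the repository the cached blob came from, which is an assumption for the example and not necessarily how the 2.1.0 patch is written), and shows the documented `"dedupe": false` mitigation as the `dedupe` flag. Repository names, user names and blob contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("blob not found")
)

// Registry models per-repository blob storage plus a global dedupe index
// keyed by digest (the "cache" in the advisory text).
type Registry struct {
	dedupe bool
	acl    map[string]map[string]bool   // user -> repo -> may read
	blobs  map[string]map[string][]byte // repo -> digest -> content
	cache  map[string]string            // digest -> repo that first stored it
}

func NewRegistry(dedupe bool) *Registry {
	return &Registry{dedupe: dedupe, acl: map[string]map[string]bool{},
		blobs: map[string]map[string][]byte{}, cache: map[string]string{}}
}

func (r *Registry) Grant(user, repo string) {
	if r.acl[user] == nil {
		r.acl[user] = map[string]bool{}
	}
	r.acl[user][repo] = true
}

func (r *Registry) canRead(user, repo string) bool { return r.acl[user][repo] }

func Digest(content []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(content)) }

// PutBlob stores content in repo and records where the digest first landed.
func (r *Registry) PutBlob(repo string, content []byte) string {
	d := Digest(content)
	if r.blobs[repo] == nil {
		r.blobs[repo] = map[string][]byte{}
	}
	r.blobs[repo][d] = content
	if _, seen := r.cache[d]; !seen {
		r.cache[d] = repo
	}
	return d
}

// checkCacheBlob is the global lookup: it answers for any digest, no matter
// which repository holds it, and carries no notion of the requesting user.
func (r *Registry) checkCacheBlob(digest string) (string, bool) {
	repo, ok := r.cache[digest]
	return repo, ok
}

// copyBlob links the cached content into the requested repository. After this
// the blob is readable there by every user with access to dstRepo, not just the attacker.
func (r *Registry) copyBlob(srcRepo, dstRepo, digest string) []byte {
	content := r.blobs[srcRepo][digest]
	if r.blobs[dstRepo] == nil {
		r.blobs[dstRepo] = map[string][]byte{}
	}
	r.blobs[dstRepo][digest] = content
	return content
}

// VulnerableGetBlob authorizes only the repository named in the request. The
// dedupe fallback then copies the blob from whatever repository the cache knows.
func (r *Registry) VulnerableGetBlob(user, repo, digest string) ([]byte, error) {
	if !r.canRead(user, repo) {
		return nil, ErrForbidden
	}
	if c, ok := r.blobs[repo][digest]; ok {
		return c, nil
	}
	if r.dedupe {
		if src, ok := r.checkCacheBlob(digest); ok {
			return r.copyBlob(src, repo, digest), nil
		}
	}
	return nil, ErrNotFound
}

// GetBlob is the modeled fix: the cached copy is only used when the caller may
// read the repository it came from. A miss is reported as not-found rather than
// forbidden so the response does not confirm that the digest exists elsewhere.
func (r *Registry) GetBlob(user, repo, digest string) ([]byte, error) {
	if !r.canRead(user, repo) {
		return nil, ErrForbidden
	}
	if c, ok := r.blobs[repo][digest]; ok {
		return c, nil
	}
	if r.dedupe {
		if src, ok := r.checkCacheBlob(digest); ok && r.canRead(user, src) {
			return r.copyBlob(src, repo, digest), nil
		}
	}
	return nil, ErrNotFound
}

func main() {
	r := NewRegistry(true) // dedupe on, the default described in the advisory
	r.Grant("alice", "public/app")
	d := r.PutBlob("secret/app", []byte("constructed private layer"))
	_, err := r.VulnerableGetBlob("alice", "public/app", d)
	fmt.Println("pre-2.1.0 model leaks private blob via public/app:", err == nil)
	_, err = r.GetBlob("alice", "public/app", d)
	fmt.Println("with source-repo check:", err)
}
```

A real dedupe index may know several repositories that hold the same digest; the check then becomes "readable in at least one of them". The other lesson from the advisory is the precondition: the attacker needs only the digest, which leaks through manifests, image signatures and build logs, so knowing a digest must never be treated as proof of access.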
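Most of the entries above (CVE-2024-38701, CVE-2024-5977, CVE-2024-5619, the two OpenSearch tenant issues and the thirteen BOLA entries from CVE-2023-38047 through CVE-2023-3289) are the same defect: a handler takes an object id or a target user id from the request, looks the object up, and never asks whether the caller owns it. The following added example is written for this page and is not code from any of the listed vendors; it uses a webhook store as the stand-in for all of the object routes (`/webhooks/{webhookId}`, `/categories/{categoryId}`, `/services/{serviceId}` and so on) and two creation routes for the POST shapes. All type, function and role names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

type Role string

const (
	RoleCustomer Role = "customer"
	RoleProvider Role = "provider"
	RoleAdmin    Role = "admin"
)

// Principal is the caller as established by the session layer, never by the request body.
type Principal struct {
	ID   int
	Role Role
}

// Webhook stands in for any owned object in the table above.
type Webhook struct {
	ID      int
	OwnerID int
	URL     string
}

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

type Store struct {
	webhooks   map[int]*Webhook
	nextID     int
	nextUserID int
}

func NewStore() *Store { return &Store{webhooks: map[int]*Webhook{}, nextID: 1, nextUserID: 1000} }

func (s *Store) add(ownerID int, url string) *Webhook {
	w := &Webhook{ID: s.nextID, OwnerID: ownerID, URL: url}
	s.webhooks[w.ID] = w
	s.nextID++
	return w
}

// VulnerableGetWebhook is the BOLA shape from the table: the only check is
// "is the caller authenticated", so any user can read any id (GET /webhooks/{webhookId}).
func (s *Store) VulnerableGetWebhook(caller Principal, id int) (*Webhook, error) {
	w, ok := s.webhooks[id]
	if !ok {
		return nil, ErrNotFound
	}
	return w, nil
}

// authorizeOwner is the single object-level decision shared by every verb:
// admins may act on any object, everyone else only on their own.
func authorizeOwner(caller Principal, ownerID int) error {
	if caller.Role == RoleAdmin || caller.ID == ownerID {
		return nil
	}
	return ErrForbidden
}

// GetWebhook is the hardened handler. A foreign id is reported as not-found
// rather than forbidden so the response does not confirm that the id exists.
func (s *Store) GetWebhook(caller Principal, id int) (*Webhook, error) {
	w, ok := s.webhooks[id]
	if !ok || authorizeOwner(caller, w.OwnerID) != nil {
		return nil, ErrNotFound
	}
	return w, nil
}

// DeleteWebhook (and an UpdateWebhook written the same way) reuses the guarded
// lookup, so the ownership rule cannot drift between GET, PUT and DELETE.
func (s *Store) DeleteWebhook(caller Principal, id int) error {
	w, err := s.GetWebhook(caller, id)
	if err != nil {
		return err
	}
	delete(s.webhooks, w.ID)
	return nil
}

// CreateWebhookFor covers the POST /appointments and POST /services shape: the
// body names the user the object is for, and that id is a user-controlled key too.
func (s *Store) CreateWebhookFor(caller Principal, forUserID int, url string) (*Webhook, error) {
	if err := authorizeOwner(caller, forUserID); err != nil {
		return nil, err
	}
	return s.add(forUserID, url), nil
}

// CreateAccount covers POST /admins and POST /providers: the requested role is
// checked against the caller's role instead of being trusted from the body.
func (s *Store) CreateAccount(caller Principal, requested Role) (Principal, error) {
	if requested != RoleCustomer && caller.Role != RoleAdmin {
		return Principal{}, ErrForbidden
	}
	p := Principal{ID: s.nextUserID, Role: requested}
	s.nextUserID++
	return p, nil
}

func main() {
	s := NewStore()
	admin := Principal{ID: 1, Role: RoleAdmin}
	attacker := Principal{ID: 2, Role: RoleCustomer}
	w := s.add(admin.ID, "https://example.invalid/hook") // constructed sample object
	_, err := s.VulnerableGetWebhook(attacker, w.ID)
	fmt.Println("vulnerable handler returns the admin's webhook:", err == nil)
	_, err = s.GetWebhook(attacker, w.ID)
	fmt.Println("hardened handler:", err)
	_, err = s.CreateAccount(attacker, RoleAdmin)
	fmt.Println("customer creating an admin:", err)
}
```

The point of routing every verb through one guarded lookup is that the fix for the GET case automatically covers PUT and DELETE; the advisories above list all three verbs per route precisely because each handler did its own unguarded lookup. The creation routes show the second half of the pattern: a target user id or a role in a request body is just as user-controlled as an id in the path.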