ReportizFlow
Filtered by vendor
Subscriptions
Total
322438 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9682 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2024-11-19 | 6.4 Medium |
| The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Form Builder widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-10571 | 1 Ays-pro | 1 Chartify | 2024-11-19 | 9.8 Critical |
| The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2024-48284 | 1 Phpgurukul | 1 User Registration \& Login And User Management System | 2024-11-19 | 6.1 Medium |
| A Reflected Cross-Site Scripting (XSS) vulnerability was found in the /search-result.php page of the PHPGurukul User Registration & Login and User Management System 3.2. This vulnerability allows remote attackers to execute arbitrary scripts via the searchkey parameter in a POST HTTP request. | ||||
| CVE-2021-3987 | 2 Calibre-web Project, Janeczku | 2 Calibre-web, Calibre-web | 2024-11-19 | 4.3 Medium |
| An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users. | ||||
| CVE-2022-31671 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | 7.4 High |
| Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database. | ||||
| CVE-2024-11214 | 2 Mayurik, Sourcecodester | 2 Best Employee Management System, Best Employee Management System | 2024-11-19 | 4.7 Medium |
| A vulnerability has been found in SourceCodester Best Employee Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/profile.php. The manipulation of the argument website_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher disclosure contains confusing vulnerability classes. | ||||
| CVE-2024-11028 | 1 Icdsoft | 2 Multimanager Wp, Multimanager Wp Manage All Your Word Press Sites Easily | 2024-11-19 | 9.8 Critical |
| The MultiManager WP – Manage All Your WordPress Sites Easily plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the user impersonation feature inappropriately determining the current user via user-supplied input. This makes it possible for unauthenticated attackers to generate an impersonation link that will allow them to log in as any existing user, such as an administrator. NOTE: The user impersonation feature was disabled in version 1.1.0 and re-enabled with a patch in version 1.1.2. | ||||
| CVE-2021-3991 | 1 Dolibarr | 2 Dolibarr, Dolibarr Erp\/crm | 2024-11-19 | 4.3 Medium |
| An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions. | ||||
| CVE-2022-1226 | 1 Phpipam | 1 Phpipam | 2024-11-19 | 4.8 Medium |
| A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts. | ||||
| CVE-2024-9887 | 1 Cyberlord92 | 1 Login Using Wordpress Users | 2024-11-19 | 7.2 High |
| The Login using WordPress Users ( WP as SAML IDP ) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.15.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-52405 | 1 Bikram Joshi | 1 B-banner Slider | 2024-11-19 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Bikram Joshi B-Banner Slider allows Upload a Web Shell to a Web Server.This issue affects B-Banner Slider: from n/a through 1.1. | ||||
| CVE-2022-31667 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | 6.4 Medium |
| Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions. | ||||
| CVE-2022-31668 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | 7.4 High |
| Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects. | ||||
| CVE-2024-52400 | 1 Subhasis Laha | 1 Gallerio | 2024-11-19 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Subhasis Laha Gallerio allows Upload a Web Shell to a Web Server.This issue affects Gallerio: from n/a through 1.01. | ||||
| CVE-2024-52399 | 1 Clarisse K | 1 Writer Helper | 2024-11-19 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Clarisse K. Writer Helper allows Upload a Web Shell to a Web Server.This issue affects Writer Helper: from n/a through 3.1.6. | ||||
| CVE-2024-52398 | 1 Halyra | 1 Cdi | 2024-11-19 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Halyra CDI.This issue affects CDI: from n/a through 5.5.3. | ||||
| CVE-2022-31670 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | 7.7 High |
| Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag retention policies configured in other projects. | ||||
| CVE-2024-52397 | 1 Davorzeljkovic | 1 Convert Docx2post | 2024-11-19 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Davor Zeljkovic Convert Docx2post allows Upload a Web Shell to a Web Server.This issue affects Convert Docx2post: from n/a through 1.4. | ||||
| CVE-2022-31669 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | 6.4 Medium |
| Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects. | ||||
| CVE-2024-10861 | 1 Ays-pro | 1 Popup Box | 2024-11-19 | 5.3 Medium |
| The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data. | ||||