Total: 3030 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-34068 | 1 Pterodactyl | 1 Wings | 2025-02-21 | N/A | 6.4 MEDIUM |
Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the `api.disable_remote_download` option as a workaround. | |||||
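The Wings issue above is a server-side request forgery through a feature that downloads a file into a game server: the URL a user supplies must not be allowed to reach the node's own loopback or private-network services. The check below is an added illustration, not Pterodactyl's code; it resolves the host through an injected resolver (a constructed table here, so it runs offline) and returns the address the caller must actually connect to, so the address that was checked is the one that gets dialled. The blocked ranges are a baseline of reserved prefixes, not the project's own policy.

```python
import ipaddress
from urllib.parse import urlsplit

# Baseline of reserved prefixes a remote-download feature should never reach
# (illustrative list, not Pterodactyl's own policy).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip):
    addr = ipaddress.ip_address(str(ip))
    # IPv4-mapped IPv6 ("::ffff:10.0.0.1") is judged as the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_remote_url(raw_url, resolve):
    """Return (scheme, host, ip) for a URL that may be fetched, or raise ValueError.

    `resolve(host)` returns the list of address strings for a name. Every
    returned address is checked, and the caller must connect to the returned
    ip (with the Host header set to `host`) rather than resolving again, so a
    second DNS answer cannot swap in a different address (DNS rebinding).
    """
    parts = urlsplit(raw_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        candidates = [ipaddress.ip_address(host)]   # literal address
    except ValueError:
        # Anything that is not a strict literal ("127.1", "0x7f000001", names)
        # goes through the resolver, the same way the socket layer would.
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise ValueError("host did not resolve")
    for addr in candidates:
        if is_blocked_ip(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return parts.scheme, host, str(candidates[0])


def url_is_allowed(raw_url, resolve):
    try:
        validate_remote_url(raw_url, resolve)
    except ValueError:
        return False
    return True


# Constructed DNS table standing in for real resolution so the example runs offline.
SAMPLE_DNS = {
    "files.example.test": ["203.0.113.10"],
    "internal.example.test": ["10.0.0.5"],
    "rebind.example.test": ["203.0.113.10", "127.0.0.1"],
    "127.1": ["127.0.0.1"],
}


def sample_resolve(host):
    return SAMPLE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for url in ("https://files.example.test/pack.tar.gz", "http://internal.example.test/",
                "http://127.1/", "http://[::ffff:192.168.1.1]/", "http://169.254.169.254/"):
        print(url, "->", "allowed" if url_is_allowed(url, sample_resolve) else "blocked")
```

Two caveats follow from the design: HTTP redirects must be re-validated per hop with the same function, since the first URL can be clean and redirect to loopback; and a name with several answers is rejected if any one of them is blocked, because the client cannot control which answer the socket layer will use.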
CVE-2022-31475 | 1 Givewp | 1 Givewp | 2025-02-20 | N/A | 5.5 MEDIUM |
Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 on WordPress. | |||||
CVE-2022-41652 | 1 Expresstech | 1 Quiz And Survey Master | 2025-02-20 | N/A | 6.5 MEDIUM |
Bypass vulnerability in Quiz And Survey Master plugin <= 7.3.10 on WordPress. | |||||
CVE-2022-41155 | 1 Webence | 1 Iq Block Country | 2025-02-20 | N/A | 5.3 MEDIUM |
Block bypass vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress. | |||||
CVE-2022-40216 | 1 Wordplus | 1 Better Messages | 2025-02-20 | N/A | 4.3 MEDIUM |
Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress. | |||||
CVE-2020-35546 | | | 2025-02-20 | N/A | 9.1 CRITICAL |
Lexmark MX6500 devices with firmware LW75.JD.P296 and earlier have Incorrect Access Control via the access control settings. | |||||
CVE-2023-27517 | 1 Intel | 16 Nma1xxd128gpsu4, Nma1xxd128gpsuf, Nma1xxd256gpsu4 and 13 more | 2025-02-20 | N/A | 6.6 MEDIUM |
Improper access control in some Intel(R) Optane(TM) PMem software before versions 01.00.00.3547, 02.00.00.3915, 03.00.00.0483 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
CVE-2023-22311 | 1 Intel | 7 Nma1xxd128gpsu4, Nma1xxd128gpsuf, Nma1xxd256gpsu4 and 4 more | 2025-02-20 | N/A | 6.7 MEDIUM |
Improper access control in some Intel(R) Optane(TM) PMem 100 Series Management Software before version 01.00.00.3547 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
CVE-2024-13854 | | | 2025-02-19 | N/A | 4.3 MEDIUM |
The Education Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.1 via the naedu_elementor_template shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, password protected, and restricted posts. This applies to posts created with Elementor only. | |||||
CVE-2025-0745 | | | 2025-02-18 | N/A | 7.5 HIGH |
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain the backups of the database by requesting the "/embedai/app/uploads/database/<SQL_FILE>" endpoint. | |||||
CVE-2025-0744 | | | 2025-02-18 | N/A | 7.5 HIGH |
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to change their subscription plan without paying by making a POST request that changes the parameters of the "/demos/embedai/pmt_cash_on_delivery/pay" endpoint. | |||||
CVE-2025-0743 | | | 2025-02-18 | N/A | 5.3 MEDIUM |
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to leverage the endpoint "/embedai/visits/show/<VISIT_ID>" to obtain information about the visits made by other users. The information provided by this endpoint includes IP address, userAgent and location of the user that visited the web page. | |||||
CVE-2025-0742 | | | 2025-02-18 | N/A | 5.8 MEDIUM |
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain files stored by other users by changing the "FILE_ID" of the endpoint "/embedai/files/show/<FILE_ID>". | |||||
CVE-2025-0741 | | | 2025-02-18 | N/A | 5.8 MEDIUM |
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to write messages into other users' chats by changing the "chat_id" parameter of the POST request to "/embedai/chats/send_message". | |||||
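CVE-2025-0741 through CVE-2025-0743, and the Education Addon for Elementor entry (CVE-2024-13854) above, share one defect: a handler authenticates the caller and then loads an object by a client-supplied id without checking that the caller may touch it. The block below is an added illustration in Python, not EmbedAI's or the plugin's code; the store, object kinds and user names are constructed. It puts the vulnerable lookup beside the fixed one, with the fix keyed on the session user rather than on anything in the request.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    id: int
    allowed: frozenset            # principals permitted to read or write the object
    data: dict = field(default_factory=dict)


# Constructed sample store standing in for the objects behind
# files/show/<FILE_ID>, visits/show/<VISIT_ID> and chats/send_message.
STORE = {
    "file":  {1: Resource(1, frozenset({"alice"}), {"name": "report.pdf"}),
              2: Resource(2, frozenset({"bob"}),   {"name": "notes.txt"})},
    "visit": {10: Resource(10, frozenset({"alice"}),
                           {"ip": "203.0.113.7", "ua": "Mozilla/5.0"})},
    "chat":  {100: Resource(100, frozenset({"alice", "carol"}), {"messages": []})},
}


class NotFound(Exception):
    """Raised for 'does not exist' and for 'not yours' alike, so that probing
    the id space does not reveal which ids are in use."""


def show_vulnerable(kind, obj_id, current_user):
    # Authentication only: any logged-in user can iterate obj_id.
    res = STORE[kind].get(obj_id)
    if res is None:
        raise NotFound(kind)
    return res.data


def show(kind, obj_id, current_user):
    # Authorization is part of the lookup. current_user comes from the
    # server-side session, never from a user id carried in the request.
    res = STORE[kind].get(obj_id)
    if res is None or current_user not in res.allowed:
        raise NotFound(kind)
    return res.data


def send_message(chat_id, current_user, text):
    # Same rule for writes: a chat_id is only usable by the chat's participants.
    chat = STORE["chat"].get(chat_id)
    if chat is None or current_user not in chat.allowed:
        raise NotFound("chat")
    chat.data["messages"].append((current_user, text))
    return len(chat.data["messages"])


def permitted(fn, *args):
    """True if fn(*args) succeeds, False if it is refused with NotFound."""
    try:
        fn(*args)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    print("bob reads alice's file (vulnerable):", permitted(show_vulnerable, "file", 1, "bob"))
    print("bob reads alice's file (fixed):     ", permitted(show, "file", 1, "bob"))
    print("bob posts into chat 100 (fixed):    ", permitted(send_message, 100, "bob", "spam"))
```

The other two EmbedAI entries need different fixes that the same principle implies: the database backups under "/embedai/app/uploads/database/" should not live in a web-served directory at all (or must be served only through a handler that checks an administrative role), and a plan change must be driven by a server-verified payment record rather than by parameters the client posts to the payment endpoint.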
CVE-2022-47542 | 1 Red-gate | 1 Sql Monitor | 2025-02-18 | N/A | 8.8 HIGH |
Red Gate SQL Monitor 11.0.14 through 12.1.46 has Incorrect Access Control, exploitable remotely for Escalation of Privileges. | |||||
CVE-2025-1165 | | | 2025-02-18 | 7.5 HIGH | 7.3 HIGH |
A vulnerability, which was classified as critical, was found in Lumsoft ERP 8. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2023-29140 | 1 Mediawiki | 1 Mediawiki | 2025-02-18 | N/A | 5.3 MEDIUM |
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted. | |||||
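The GrowthExperiments issue is a missing check on MediaWiki's rev_deleted bitfield before rendering an edit's author. The following is an added Python model of the rule MediaWiki itself applies (RevisionRecord's DELETED_* bits and the right required to see a suppressed field), written here for illustration; it is not the extension's code, and the edit records are constructed.

```python
# MediaWiki's rev_deleted bitfield (RevisionRecord constants).
DELETED_TEXT = 1
DELETED_COMMENT = 2
DELETED_USER = 4
DELETED_RESTRICTED = 8


def can_see_field(rev_deleted, field_bit, viewer_rights):
    """A field hidden in rev_deleted is shown only to a viewer holding the right
    that matches how it was hidden: oversight-level suppression needs
    suppressrevision/viewsuppressed, hidden text needs deletedtext, and any other
    hidden field (username, edit summary) needs deletedhistory."""
    if not rev_deleted & field_bit:
        return True
    if rev_deleted & DELETED_RESTRICTED:
        needed = {"suppressrevision", "viewsuppressed"}
    elif field_bit == DELETED_TEXT:
        needed = {"deletedtext"}
    else:
        needed = {"deletedhistory"}
    return bool(needed & set(viewer_rights))


def render_edit_list(edits, viewer_rights):
    """Return (rev_id, displayed_user) pairs; hidden usernames are replaced."""
    out = []
    for e in edits:
        if can_see_field(e["rev_deleted"], DELETED_USER, viewer_rights):
            out.append((e["rev_id"], e["user"]))
        else:
            out.append((e["rev_id"], "(username removed)"))
    return out


# Constructed sample: an ordinary edit, one with the username hidden by an
# admin, one hidden with suppression, and one whose summary (not user) is hidden.
SAMPLE_EDITS = [
    {"rev_id": 1, "user": "Alice",   "rev_deleted": 0},
    {"rev_id": 2, "user": "Mallory", "rev_deleted": DELETED_USER},
    {"rev_id": 3, "user": "Mallory", "rev_deleted": DELETED_USER | DELETED_RESTRICTED},
    {"rev_id": 4, "user": "Bob",     "rev_deleted": DELETED_COMMENT},
]

if __name__ == "__main__":
    for rights in ([], ["deletedhistory"], ["deletedhistory", "suppressrevision"]):
        print(rights, render_edit_list(SAMPLE_EDITS, rights))
```

The vulnerable shape is simply `e["user"]` rendered unconditionally; the fix is to route every author lookup through the bitfield check, including in list views that do not otherwise load the full revision.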
CVE-2025-1390 | | | 2025-02-18 | N/A | 6.1 MEDIUM |
The configuration of libcap's PAM module pam_cap.so supports group names prefixed with “@”, but during actual parsing, entries that do not start with “@” are incorrectly recognized as group names. This may result in unintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges, by constructing specific usernames. | |||||
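The pam_cap.so entry turns on a single parsing rule: in a capability.conf user list, "@name" is a group, "*" is everyone, and anything else is a username to be compared exactly. The block below is an added Python model of that documented rule, not libcap's parser, and does not reproduce the actual defect; it assumes the first matching line wins and that a line has the form "<caps> <user_list>". The `entry_matches_loose` variant shows what treating a plain entry as a group name does to the outcome, so the two can be compared on the constructed sample file.

```python
SAMPLE_CONF = """\
# constructed sample; not a real capability.conf
cap_net_raw        @netadmins
cap_setuid         wheel,ops
none               *
"""


def parse_capability_conf(text):
    """Parse '<caps> <comma-separated users>' lines into (caps, [entries]) pairs.
    Comments and blank lines are skipped; malformed lines are rejected outright
    rather than guessed at, since a misparse here hands out capabilities."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<caps> <users>'")
        caps, users = parts
        rules.append((caps, [u for u in users.split(",") if u]))
    return rules


def entry_matches(entry, user, groups):
    """Documented rule: '@' marks a group, '*' matches all, else exact username."""
    if entry == "*":
        return True
    if entry.startswith("@"):
        return entry[1:] in groups
    return entry == user


def entry_matches_loose(entry, user, groups):
    """Model of the failure mode the CVE text describes: a plain entry is also
    accepted as a group name. Illustrative only; this is not libcap's code."""
    if entry == "*":
        return True
    name = entry[1:] if entry.startswith("@") else entry
    return entry == user or name in groups


def capabilities_for(rules, user, groups, matcher=entry_matches):
    """Return the capability string of the first rule matching (user, groups),
    or None when no rule applies."""
    for caps, entries in rules:
        if any(matcher(e, user, groups) for e in entries):
            return caps
    return None


if __name__ == "__main__":
    rules = parse_capability_conf(SAMPLE_CONF)
    # bob is only a member of group "wheel"; the entry "wheel" names a user.
    print("strict:", capabilities_for(rules, "bob", {"wheel"}))
    print("loose: ", capabilities_for(rules, "bob", {"wheel"}, entry_matches_loose))
```

The contrast is the whole point: with the strict rule a member of group "wheel" falls through to the "none *" line, whereas the loose rule grants cap_setuid to anyone whose group list happens to contain a name that appears as a plain username entry.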
CVE-2025-1115 | | | 2025-02-16 | 1.7 LOW | 3.3 LOW |
A vulnerability classified as problematic was found in RT-Thread up to 5.1.0. Affected by this vulnerability is the function sys_device_close/sys_device_control/sys_device_find/sys_device_init/sys_device_open/sys_device_read/sys_device_register/sys_device_write/sys_event_delete/sys_event_recv/sys_event_send/sys_mb_delete/sys_mb_recv/sys_mb_send/sys_mb_send_wait/sys_mq_recv/sys_mq_send/sys_mq_urgent/sys_mutex_delete/sys_mutex_release/sys_mutex_take/sys_rt_timer_control/sys_rt_timer_delete/sys_rt_timer_start/sys_rt_timer_stop/sys_sem_delete/sys_sem_release/sys_sem_take/sys_shmat/sys_shmdt/sys_thread_create/sys_thread_delete/sys_thread_startup/sys_timer_delete/sys_timer_gettime/sys_timer_settime of the file rt-thread/components/lwp/lwp_syscall.c. The manipulation of the argument arg[0] leads to information disclosure. An attack has to be approached locally. | |||||
CVE-2023-28877 | 1 Vtex | 1 Apps-graphql | 2025-02-14 | N/A | 7.5 HIGH |
The VTEX apps-graphql@2.x GraphQL API module does not properly restrict unauthorized access to private configuration data. (apps-graphql@3.x is unaffected by this issue.) |