Total
4885 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5129 | 1 Lunary | 1 Lunary | 2024-11-21 | N/A | 8.2 HIGH |
| A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user requesting the deletion has the appropriate permissions. This allows unauthorized users to send a DELETE request to the server and delete any dataset by specifying its ID. The issue is located in the datasets.delete function within the datasets index file. | |||||
| CVE-2024-5127 | 1 Lunary | 1 Lunary | 2024-11-21 | N/A | 5.4 MEDIUM |
| In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a project and potentially exploit roles and permissions not intended for their use. The vulnerability specifically affects the Team feature, where the backend fails to validate whether a user has paid for a plan before allowing them to send invite links with any role assigned. This could lead to unauthorized access and manipulation of project settings or data. | |||||
| CVE-2024-5087 | 1 Webfactoryltd | 1 Minimal Coming Soon \& Maintenance Mode | 2024-11-21 | N/A | 6.3 MEDIUM |
| The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin. | |||||
| CVE-2024-4898 | 1 Instawp | 1 Instawp Connect | 2024-11-21 | N/A | 9.8 CRITICAL |
| The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts. | |||||
| CVE-2024-4888 | 1 Litellm | 1 Litellm | 2024-11-21 | N/A | 8.1 HIGH |
| BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. An attacker can exploit this vulnerability by sending a specially crafted request that includes a file path to the server, which then deletes the specified file without proper authorization or validation. This vulnerability is present in the code where `os.remove(file.filename)` is used to delete a file, allowing any user to delete critical files on the server such as SSH keys, SQLite databases, or configuration files. | |||||
| CVE-2024-4788 | 1 Woostify | 1 Boostify Header Footer Builder For Elementor | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages or posts with arbitrary content. | |||||
| CVE-2024-4746 | 1 Netgsm | 1 Netgsm | 2024-11-21 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Netgsm.This issue affects Netgsm: from n/a through 2.9.16. | |||||
| CVE-2024-4745 | 1 Seedprod | 1 Rafflepress | 2024-11-21 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in RafflePress Giveaways and Contests by RafflePress.This issue affects Giveaways and Contests by RafflePress: from n/a through 1.12.4. | |||||
| CVE-2024-4744 | 1 Ipages Flipbook Project | 1 Ipages Flipbook | 2024-11-21 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in Avirtum iPages Flipbook.This issue affects iPages Flipbook: from n/a through 1.5.1. | |||||
| CVE-2024-4661 | 1 Webfactoryltd | 1 Wp Reset | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value fo the 'License Key' field for the 'Activate Pro License' setting. | |||||
| CVE-2024-4660 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates. | |||||
| CVE-2024-4468 | 1 Salonbookingsystem | 1 Salon Booking System | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users. | |||||
| CVE-2024-4450 | 1 Ali2woo | 1 Aliexpress Dropshipping With Alinext | 2024-11-21 | N/A | 6.3 MEDIUM |
| The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products. | |||||
| CVE-2024-4410 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for authenticated attackers, with subscriber access or higher, to execute various AJAX actions. This includes actions to change the permalink structure, plugin settings and others. | |||||
| CVE-2024-4233 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Tyche Softwares Print Invoice & Delivery Notes for WooCommerce, Tyche Softwares Arconix Shortcodes, Tyche Softwares Arconix FAQ.This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through 4.8.1; Arconix Shortcodes: from n/a through 2.1.10; Arconix FAQ: from n/a through 1.9.3. | |||||
| CVE-2024-4163 | 2024-11-21 | N/A | 8.0 HIGH | ||
| The Skylab IGX IIoT Gateway allowed users to connect to it via a limited shell terminal (IGX). However, it was discovered that the process was running under root privileges. This allowed the attacker to read, write, and modify any file in the operating system by utilizing the limited shell file exec and download functions. By replacing the /etc/passwd file with a new root user entry, the attacker was able to breakout from the limited shell and login to a unrestricted shell with root access. With the root access, the attacker will be able take full control of the IIoT Gateway. | |||||
| CVE-2024-4139 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can delete rules of other users affecting the integrity of the application. Confidentiality and Availability are not affected. | |||||
| CVE-2024-4138 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can enable/disable the sharing rule of other users affecting the integrity of the application. Confidentiality and Availability are not affected. | |||||
| CVE-2024-4088 | 1 Wpattire | 1 Attire Blocks | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Gutenberg Blocks and Page Layouts – Attire Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disable_fe_assets function in all versions up to, and including, 1.9.2. This makes it possible for authenticated attackers, with subscriber access or above, to change the plugin's settings. Additionally, no nonce check is performed resulting in a CSRF vulnerability. | |||||
| CVE-2024-3961 | 1 Convertkit | 1 Convertkit - Email Marketing\, Email Newsletter And Landing Pages | 2024-11-21 | N/A | 5.3 MEDIUM |
| The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to subscribe users to tags. Financial damages may occur to site owners if their API quota is exceeded. | |||||