Total
5196 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-3961 | 1 Convertkit | 1 Convertkit - Email Marketing\, Email Newsletter And Landing Pages | 2024-11-21 | N/A | 5.3 MEDIUM |
| The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to subscribe users to tags. Financial damages may occur to site owners if their API quota is exceeded. | |||||
| CVE-2024-3627 | 1 Kraftplugins | 1 Wheel Of Life | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings. | |||||
| CVE-2024-3610 | 1 Wensolutions | 1 Wp Child Theme Generator | 2024-11-21 | N/A | 5.3 MEDIUM |
| The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child theme and activate it cause the site to whitescreen. | |||||
| CVE-2024-3602 | 1 Promolayer | 1 Popup Builder | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to remove the Promolayer connection. | |||||
| CVE-2024-3115 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 4.3 MEDIUM |
| An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat. | |||||
| CVE-2024-3097 | 1 Imagely | 1 Nextgen Gallery | 2024-11-21 | N/A | 5.3 MEDIUM |
| The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_item function in versions up to, and including, 3.59. This makes it possible for unauthenticated attackers to extract sensitive data including EXIF and other metadata of any image uploaded through the plugin. | |||||
| CVE-2024-39596 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Due to missing authorization checks, SAP Enable Now allows an author to escalate privileges to access information which should otherwise be restricted. On successful exploitation, the attacker can cause limited impact on confidentiality of the application. | |||||
| CVE-2024-39592 | 1 Sap | 2 S4core, S4coreop | 2024-11-21 | N/A | 7.7 HIGH |
| Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application. | |||||
| CVE-2024-38506 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A | 6.3 MEDIUM |
| In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows | |||||
| CVE-2024-38504 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A | 4.3 MEDIUM |
| In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles | |||||
| CVE-2024-37544 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Tobias Conrad Get Better Reviews for WooCommerce.This issue affects Get Better Reviews for WooCommerce: from n/a through 4.0.6. | |||||
| CVE-2024-37542 | 1 Wpdevart | 1 Gallery | 2024-11-21 | N/A | 5.4 MEDIUM |
| Missing Authorization vulnerability in WpDevArt Responsive Image Gallery, Gallery Album.This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. | |||||
| CVE-2024-37317 | 1 Nextcloud | 1 Notes | 2024-11-21 | N/A | 4.6 MEDIUM |
| The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3. | |||||
| CVE-2024-37314 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 3.5 LOW |
| Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2. | |||||
| CVE-2024-37296 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed. Versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5 fix this issue. | |||||
| CVE-2024-37202 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in BinaryCarpenter Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter allows Cross-Site Scripting (XSS).This issue affects Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter: from n/a through 1.222.16. | |||||
| CVE-2024-37176 | 1 Sap | 1 Bw\/4hana | 2024-11-21 | N/A | 5.5 MEDIUM |
| SAP BW/4HANA Transformation and Data Transfer Process (DTP) allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks. This results in escalation of privileges. It has no impact on the confidentiality of data but may have low impacts on the integrity and availability of the application. | |||||
| CVE-2024-37175 | 1 Sap | 2 Customer Relationship Management S4fnd, Customer Relationship Management Webclient Ui | 2024-11-21 | N/A | 4.3 MEDIUM |
| SAP CRM WebClient does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to access some sensitive information. | |||||
| CVE-2024-37172 | 1 Sap | 2 S4core, S\/4hana | 2024-11-21 | N/A | 5.4 MEDIUM |
| SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity. | |||||
| CVE-2024-37111 | 1 Wishlistmember | 1 Wishlist Member X | 2024-11-21 | N/A | 7.5 HIGH |
| Missing Authorization vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7. | |||||