Total
307012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-0787 | 1 Phpipam | 1 Phpipam | 2024-11-19 | N/A | 5.9 MEDIUM |
| phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0. | |||||
| CVE-2024-9059 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2024-11-19 | N/A | 5.4 MEDIUM |
| The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-10877 | 1 Advancedformintegration | 1 Advanced Form Integration | 2024-11-19 | N/A | 6.1 MEDIUM |
| The AFI – The Easiest Integration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.92.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-11213 | 1 Mayurik | 1 Best Employee Management System | 2024-11-19 | 5.8 MEDIUM | 7.2 HIGH |
| A vulnerability, which was classified as critical, was found in SourceCodester Best Employee Management System 1.0. This affects an unknown part of the file /admin/edit_role.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-11212 | 1 Mayurik | 1 Best Employee Management System | 2024-11-19 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability, which was classified as critical, has been found in SourceCodester Best Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/fetch_product_details.php. The manipulation of the argument barcode leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-9682 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2024-11-19 | N/A | 5.4 MEDIUM |
| The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Form Builder widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-10571 | 1 Ays-pro | 1 Chartify | 2024-11-19 | N/A | 9.8 CRITICAL |
| The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2024-48284 | 1 Phpgurukul | 1 User Registration \& Login And User Management System | 2024-11-19 | N/A | 4.8 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability was found in the /search-result.php page of the PHPGurukul User Registration & Login and User Management System 3.2. This vulnerability allows remote attackers to execute arbitrary scripts via the searchkey parameter in a POST HTTP request. | |||||
| CVE-2021-3987 | 1 Janeczku | 1 Calibre-web | 2024-11-19 | N/A | 4.3 MEDIUM |
| An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users. | |||||
| CVE-2021-3988 | 1 Janeczku | 1 Calibre-web | 2024-11-19 | N/A | 6.1 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event. | |||||
| CVE-2022-31671 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 7.4 HIGH |
| Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database. | |||||
| CVE-2024-11214 | 1 Mayurik | 1 Best Employee Management System | 2024-11-19 | 5.8 MEDIUM | 7.2 HIGH |
| A vulnerability has been found in SourceCodester Best Employee Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/profile.php. The manipulation of the argument website_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher disclosure contains confusing vulnerability classes. | |||||
| CVE-2024-11028 | 1 Icdsoft | 1 Multimanager Wp | 2024-11-19 | N/A | 9.8 CRITICAL |
| The MultiManager WP – Manage All Your WordPress Sites Easily plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the user impersonation feature inappropriately determining the current user via user-supplied input. This makes it possible for unauthenticated attackers to generate an impersonation link that will allow them to log in as any existing user, such as an administrator. NOTE: The user impersonation feature was disabled in version 1.1.0 and re-enabled with a patch in version 1.1.2. | |||||
| CVE-2021-3991 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-19 | N/A | 4.3 MEDIUM |
| An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions. | |||||
| CVE-2022-1226 | 1 Phpipam | 1 Phpipam | 2024-11-19 | N/A | 4.8 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts. | |||||
| CVE-2022-31667 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 6.4 MEDIUM |
| Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions. | |||||
| CVE-2022-31668 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 7.7 HIGH |
| Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects. | |||||
| CVE-2022-31670 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 7.7 HIGH |
| Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag retention policies configured in other projects. | |||||
| CVE-2022-31669 | 1 Linuxfoundation | 1 Harbor | 2024-11-19 | N/A | 7.7 HIGH |
| Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects. | |||||
| CVE-2024-52306 | 1 Backpackforlaravel | 1 Filemanager | 2024-11-19 | N/A | 9.8 CRITICAL |
| FileManager provides a Backpack admin interface for files and folder. Prior to 3.0.9, deserialization of untrusted data from the mimes parameter could lead to remote code execution. This vulnerability is fixed in 3.0.9. | |||||