| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Missing Authorization vulnerability in tychesoftwares Arconix FAQ allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Arconix FAQ: from n/a through 1.9.6. |
| Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to register a malicious container registry, or an existing container registry can be taken over, HTTP Headers (including registry authentication credentials or Portainer session tokens) may be leaked to that registry. This issue has been patched in STS version 2.31.0 and LTS version 2.27.7. |
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.9.2. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or any connected Xing user if the Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if the user has logged in, without subsequently logging out, in thirty days. The vulnerability was partially patched in version 2.8.4. |
| Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. |
| Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue. |
| Lychee is a free photo-management tool. In versions starting from 6.6.6 to before 6.6.10, an attacker can leak local files including environment variables, nginx logs, other user's uploaded images, and configuration secrets due to a path traversal exploit in SecurePathController.php. This issue has been patched in version 6.6.10. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| ** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-45436. Notes: All CVE users should reference CVE-2024-45436 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage. |
| Missing Authorization vulnerability in WPExperts.io myCred allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects myCred: from n/a through 2.9.4.2. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Mutende Noptin allows Stored XSS. This issue affects Noptin: from n/a through 3.8.7. |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FunnelKit Automation By Autonami allows Phishing. This issue affects Automation By Autonami: from n/a through 3.6.0. |
| Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings allows Cross Site Request Forgery. This issue affects Advanced Settings: from n/a through 3.0.1. |
| Missing Authorization vulnerability in AFS Analytics AFS Analytics allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AFS Analytics: from n/a through 4.21. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Anh Tran Slim SEO allows SQL Injection. This issue affects Slim SEO: from n/a through 4.5.4. |
| Deserialization of Untrusted Data vulnerability in impleCode eCommerce Product Catalog allows Object Injection. This issue affects eCommerce Product Catalog: from n/a through 3.4.3. |
| Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin allows Object Injection. This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through 1.3.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.5.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress allows Reflected XSS. This issue affects Echo RSS Feed Post Generator Plugin for WordPress: from n/a through 5.4.8.1. |
| CyberData
011209
Intercom exposes features that could allow an unauthenticated to gain
access and cause a denial-of-service condition or system disruption. |
| Allocation of Resources Without Limits or Throttling vulnerability in Drupal Admin Audit Trail allows Excessive Allocation.This issue affects Admin Audit Trail: from 0.0.0 before 1.0.5. |
