Total
1221 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-48777 | 2024-10-15 | N/A | 7.5 HIGH | ||
| LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process. | |||||
| CVE-2024-9522 | 1 Lagunaisw | 1 Wp Users Masquerade | 2024-10-15 | N/A | 8.8 HIGH |
| The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'ajax_masq_login' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator. | |||||
| CVE-2024-8530 | 2024-10-15 | N/A | 5.9 MEDIUM | ||
| CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause exposure of private data when an already generated “logcaptures” archive is accessed directly by HTTPS. | |||||
| CVE-2024-9164 | 2024-10-15 | N/A | 9.6 CRITICAL | ||
| An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. | |||||
| CVE-2024-9137 | 2024-10-15 | N/A | 9.4 CRITICAL | ||
| The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise. | |||||
| CVE-2024-3777 | 2024-10-14 | N/A | 9.8 CRITICAL | ||
| The password reset feature of Ai3 QbiBot lacks proper access control, allowing unauthenticated remote attackers to reset any user's password. | |||||
| CVE-2024-3774 | 2024-10-14 | N/A | 5.3 MEDIUM | ||
| aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values. | |||||
| CVE-2024-26263 | 2024-10-14 | N/A | 5.3 MEDIUM | ||
| EBM Technologies RISWEB's specific URL path is not properly controlled by permission, allowing attackers to browse specific pages and query sensitive data without login. | |||||
| CVE-2023-5716 | 1 Asus | 1 Armoury Crate | 2024-10-14 | N/A | 9.8 CRITICAL |
| ASUS Armoury Crate has a vulnerability in arbitrary file write and allows remote attackers to access or modify arbitrary files by sending specific HTTP requests without permission. | |||||
| CVE-2023-39380 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-10 | N/A | 7.5 HIGH |
| Permission control vulnerability in the audio module. Successful exploitation of this vulnerability may cause audio devices to perform abnormally. | |||||
| CVE-2024-47555 | 2024-10-10 | N/A | 8.3 HIGH | ||
| Missing Authentication - User & System Configuration | |||||
| CVE-2024-9289 | 1 Redefiningtheweb | 1 Affiliate Pro | 2024-10-07 | N/A | 9.8 CRITICAL |
| The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's email. | |||||
| CVE-2017-10271 | 1 Oracle | 1 Weblogic Server | 2024-10-07 | 5.0 MEDIUM | 7.5 HIGH |
| Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | |||||
| CVE-2024-8456 | 1 Planet | 4 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 1 more | 2024-10-04 | N/A | 9.8 CRITICAL |
| Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices. | |||||
| CVE-2024-46293 | 2024-10-04 | N/A | 9.8 CRITICAL | ||
| Sourcecodester Online Medicine Ordering System 1.0 is vulnerable to Incorrect Access Control. There is a lack of authorization checks for admin operations. Specifically, an attacker can perform admin-level actions without possessing a valid session token. The application does not verify whether the user is logged in as an admin or even check for a session token at all. | |||||
| CVE-2024-35294 | 2024-10-04 | N/A | 6.5 MEDIUM | ||
| An unauthenticated remote attacker may use the devices traffic capture without authentication to grab plaintext administrative credentials. | |||||
| CVE-2024-35293 | 2024-10-04 | N/A | 9.1 CRITICAL | ||
| An unauthenticated remote attacker may use a missing authentication for critical function vulnerability to reboot or erase the affected devices resulting in data loss and/or a DoS. | |||||
| CVE-2024-41988 | 2024-10-04 | N/A | N/A | ||
| TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. | |||||
| CVE-2024-38279 | 1 Motorola | 2 Vigilant Fixed Lpr Coms Box, Vigilant Fixed Lpr Coms Box Firmware | 2024-10-03 | N/A | 4.6 MEDIUM |
| The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes. | |||||
| CVE-2024-7781 | 1 Artbees | 1 Jupiter X Core | 2024-10-02 | N/A | 9.8 CRITICAL |
| The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vulnerability was partially patched in version 4.7.5, and fully patched in version 4.7.8. | |||||