| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Missing Authorization in GitHub repository answerdev/answer prior to 1.0.9. |
| The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'ajax_dismiss' function in versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update options such as users_can_register, which can lead to unauthorized user registration. |
| In dialer service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges. |
| In dialer service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges. |
| In audio service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. |
| In telephony service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges. |
| Vendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to access some of its function. This could lead to modification of data impacting the integrity of the system.
|
| `org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `>` are removed in all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters. There are no known workarounds apart from upgrading to a version including the fix. |
| In srtd service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. |
| .In srtd service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. |
| In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. |
| In engineermode service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. |
| In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. |
| In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. |
| In contacts service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. |
| The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key. |
| Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.This issue affects Colibri Page Builder: from n/a through 1.0.248.
|
| In powerEx service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. |
| In phoneEx service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. |
| DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests. |
