Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-16698

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-16 Oct, 2019 | 18:45
Updated At-05 Aug, 2024 | 01:17
Rejected At-
Credits

The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are subscribed to a newsletter.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:16 Oct, 2019 | 18:45
Updated At:05 Aug, 2024 | 01:17
Rejected At:
▼CVE Numbering Authority (CNA)

The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are subscribed to a newsletter.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://extensions.typo3.org/extension/direct_mail
x_refsource_MISC
https://typo3.org/security/advisory/typo3-ext-sa-2019-016/
x_refsource_CONFIRM
Hyperlink: https://extensions.typo3.org/extension/direct_mail
Resource:
x_refsource_MISC
Hyperlink: https://typo3.org/security/advisory/typo3-ext-sa-2019-016/
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://extensions.typo3.org/extension/direct_mail
x_refsource_MISC
x_transferred
https://typo3.org/security/advisory/typo3-ext-sa-2019-016/
x_refsource_CONFIRM
x_transferred
Hyperlink: https://extensions.typo3.org/extension/direct_mail
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://typo3.org/security/advisory/typo3-ext-sa-2019-016/
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:16 Oct, 2019 | 19:15
Updated At:21 Jul, 2021 | 11:39

The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are subscribed to a newsletter.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary2.04.0MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 2.0
Base score: 4.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CPE Matches
dkd
dkd
>>direct_mail>>Versions up to 5.2.2(inclusive)
cpe:2.3:a:dkd:direct_mail:*:*:*:*:*:typo3:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarynvd@nist.gov
CWE ID: CWE-862
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://extensions.typo3.org/extension/direct_mailcve@mitre.org
Third Party Advisory
https://typo3.org/security/advisory/typo3-ext-sa-2019-016/cve@mitre.org
Third Party Advisory
Hyperlink: https://extensions.typo3.org/extension/direct_mail
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: https://typo3.org/security/advisory/typo3-ext-sa-2019-016/
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

417Records found
CVE-2024-5331
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.73%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 06:47
Updated-21 Nov, 2024 | 23:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Breakdance <= 1.7.2 - Missing Authorization

The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to export form submissions.

Action-Not Available
Vendor-SoflyyBreakdance
Product-breakdanceBreakdance
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2024-52549
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.58%
||
7 Day CHG+0.01%
Published-13 Nov, 2024 | 20:53
Updated-15 Nov, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system.

Action-Not Available
Vendor-Jenkins
Product-Jenkins Script Security Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-51667
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.46%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 13:52
Updated-31 Dec, 2024 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Paytium plugin <= 4.4.10 - Broken Access Control vulnerability

Missing Authorization vulnerability in David de Boer Paytium.This issue affects Paytium: from n/a through 4.4.10.

Action-Not Available
Vendor-David de Boer
Product-Paytium
CWE ID-CWE-862
Missing Authorization
CVE-2024-50573
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.3||MEDIUM
EPSS-0.00% / 0.07%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 12:55
Updated-29 Oct, 2024 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services

Action-Not Available
Vendor-JetBrains s.r.o.
Product-hubHub
CWE ID-CWE-862
Missing Authorization
CVE-2024-50455
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 45.84%
||
7 Day CHG+0.03%
Published-29 Oct, 2024 | 21:03
Updated-07 Nov, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SEOPress plugin <= 8.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in The SEO Guys at SEOPress SEOPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEOPress: from n/a through 8.1.1.

Action-Not Available
Vendor-seopressThe SEO Guys at SEOPress
Product-seopressSEOPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-47585
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 20.24%
||
7 Day CHG+0.01%
Published-10 Dec, 2024 | 00:12
Updated-10 Dec, 2024 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform

SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authorizations for import and export are distinguished, a single authorization is applied for both, which may contribute to these risks. On successful exploitation, this can result in potential security concerns. However, it has no impact on the integrity and availability of the application and may have only a low impact on data confidentiality.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server for ABAP and ABAP Platform
CWE ID-CWE-862
Missing Authorization
CVE-2025-0068
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 15.42%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 00:09
Updated-14 Jan, 2025 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP

An obsolete functionality in SAP NetWeaver Application Server ABAP did not perform necessary authorization checks. Because of this, an authenticated attacker could obtain information that would otherwise be restricted. It has no impact on integrity or availability on the application.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server ABAP
CWE ID-CWE-862
Missing Authorization
CVE-2024-41729
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 25.49%
||
7 Day CHG~0.00%
Published-10 Sep, 2024 | 02:33
Updated-10 Sep, 2024 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer)

Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver BW (BEx Analyzer)
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2021-27605
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.63%
||
7 Day CHG~0.00%
Published-13 Apr, 2021 | 18:44
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted.

Action-Not Available
Vendor-SAP SE
Product-fiori_apps_2.0_for_travel_management_in_sap_erpSAP Fiori Apps 2.0 for Travel Management in SAP ERP
CWE ID-CWE-862
Missing Authorization
CVE-2024-44082
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 32.34%
||
7 Day CHG~0.00%
Published-06 Sep, 2024 | 00:00
Updated-07 Nov, 2024 | 08:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, there is a vulnerability in image processing, in which a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data. The affected/fixed version details are: Ironic: <21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1; Ironic-python-agent: <9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0 <9.13.1.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-43973
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 45.84%
||
7 Day CHG+0.03%
Published-01 Nov, 2024 | 14:17
Updated-08 Nov, 2024 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Payment forms, Buy now buttons and Invoicing System plugin <= 2.8.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in AyeCode Ltd GetPaid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetPaid: from n/a through 2.8.11.

Action-Not Available
Vendor-ayecodeAyeCode Ltd
Product-getpaidGetPaid
CWE ID-CWE-862
Missing Authorization
CVE-2024-43162
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 48.29%
||
7 Day CHG+0.04%
Published-01 Nov, 2024 | 14:17
Updated-07 Feb, 2025 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Digital Downloads plugin <= 3.2.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.2.12.

Action-Not Available
Vendor-Sandhills Development, LLC (EasyDigitalDownloads)Awesome Motive Inc.
Product-easy_digital_downloadsEasy Digital Downloads
CWE ID-CWE-862
Missing Authorization
CVE-2024-43157
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.05%
||
7 Day CHG+0.02%
Published-01 Nov, 2024 | 14:17
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FormCraft plugin <= 1.2.10 - Broken Access Control vulnerability

Missing Authorization vulnerability in nCrafts FormCraft allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FormCraft: from n/a through 1.2.10.

Action-Not Available
Vendor-nCrafts
Product-FormCraft
CWE ID-CWE-862
Missing Authorization
CVE-2024-41734
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 27.12%
||
7 Day CHG~0.00%
Published-13 Aug, 2024 | 04:18
Updated-12 Sep, 2024 | 13:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver Application Server ABAP and ABAP Platform
CWE ID-CWE-862
Missing Authorization
CVE-2024-35741
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.86%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 07:41
Updated-02 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Awesome Support plugin <= 6.1.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Awesome Support Team Awesome Support.This issue affects Awesome Support: from n/a through 6.1.7.

Action-Not Available
Vendor-getawesomesupportAwesome Support Team
Product-awesome_supportAwesome Support
CWE ID-CWE-862
Missing Authorization
CVE-2024-1539
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 5.97%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 09:46
Updated-06 Aug, 2025 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2024-13447
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 23.42%
||
7 Day CHG+0.01%
Published-22 Jan, 2025 | 11:07
Updated-24 Jan, 2025 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Hotel Booking <= 2.1.6 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a list of registered user emails.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-wp_hotel_bookingWP Hotel Booking
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • ...
  • 7
  • 8
  • 9
  • Next
Details not found