Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-24842

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-29 Nov, 2021 | 08:25
Updated At-03 Aug, 2024 | 19:42
Rejected At-
Credits

Bulk Datetime Change < 1.12 - Missing Authorisation

The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users' posts.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:29 Nov, 2021 | 08:25
Updated At:03 Aug, 2024 | 19:42
Rejected At:
▼CVE Numbering Authority (CNA)
Bulk Datetime Change < 1.12 - Missing Authorisation

The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users' posts.

Affected Products
Vendor
Unknown
Product
Bulk Datetime Change
Versions
Affected
  • From 1.12 before 1.12 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

apple502j
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wpscan.com/vulnerability/054bd981-dbdd-47dd-bad0-fa327e5860a2
x_refsource_MISC
https://plugins.trac.wordpress.org/changeset/2618982
x_refsource_CONFIRM
Hyperlink: https://wpscan.com/vulnerability/054bd981-dbdd-47dd-bad0-fa327e5860a2
Resource:
x_refsource_MISC
Hyperlink: https://plugins.trac.wordpress.org/changeset/2618982
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wpscan.com/vulnerability/054bd981-dbdd-47dd-bad0-fa327e5860a2
x_refsource_MISC
x_transferred
https://plugins.trac.wordpress.org/changeset/2618982
x_refsource_CONFIRM
x_transferred
Hyperlink: https://wpscan.com/vulnerability/054bd981-dbdd-47dd-bad0-fa327e5860a2
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/changeset/2618982
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:29 Nov, 2021 | 09:15
Updated At:24 Oct, 2022 | 16:33

The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users' posts.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary2.05.5MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:N
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 5.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:N
CPE Matches

bulk_datetime_change_project
bulk_datetime_change_project
>>bulk_datetime_change>>Versions before 1.12(exclusive)
cpe:2.3:a:bulk_datetime_change_project:bulk_datetime_change:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-863Primarynvd@nist.gov
CWE-862Secondarycontact@wpscan.com
CWE ID: CWE-863
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-862
Type: Secondary
Source: contact@wpscan.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/changeset/2618982contact@wpscan.com
Release Notes
Third Party Advisory
https://wpscan.com/vulnerability/054bd981-dbdd-47dd-bad0-fa327e5860a2contact@wpscan.com
Exploit
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/changeset/2618982
Source: contact@wpscan.com
Resource:
Release Notes
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/054bd981-dbdd-47dd-bad0-fa327e5860a2
Source: contact@wpscan.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

197Records found

CVE-2025-21539
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 14.35%
||
7 Day CHG+0.01%
Published-21 Jan, 2025 | 20:53
Updated-20 Jun, 2025 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the PeopleSoft Enterprise FIN eSettlements product of Oracle PeopleSoft (component: eSettlements). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN eSettlements. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise FIN eSettlements accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise FIN eSettlements accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-peoplesoft_enterprise_fin_esettlementsPeopleSoft Enterprise FIN eSettlements
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-21561
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 14.35%
||
7 Day CHG+0.01%
Published-21 Jan, 2025 | 20:53
Updated-20 Jun, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Purchasing accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-peoplesoft_enterprise_scm_purchasingPeopleSoft Enterprise SCM Purchasing
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-21540
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 14.64%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 20:53
Updated-22 Jan, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-MySQL Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-46840
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.09% / 26.81%
||
7 Day CHG+0.01%
Published-13 Dec, 2024 | 14:22
Updated-13 Dec, 2024 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JS Help Desk plugin <= 2.7.1 - Broken Access Control

Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1.

Action-Not Available
Vendor-JS Help Desk
Product-JS Help Desk – Best Help Desk & Support Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-45841
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.06% / 17.86%
||
7 Day CHG+0.01%
Published-13 Dec, 2024 | 14:22
Updated-13 Dec, 2024 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Robo Gallery plugin <= 3.2.9 - Auth. Broken Access Control vulnerability

Missing Authorization vulnerability in RoboSoft Robo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Robo Gallery: from n/a through 3.2.9.

Action-Not Available
Vendor-RoboSoft
Product-Robo Gallery
CWE ID-CWE-862
Missing Authorization
CVE-2025-0237
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 34.93%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 16:07
Updated-03 Apr, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefox ESRFirefoxThunderbird
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-42909
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 20.67%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WEPA Print Away does not verify that a user has authorization to access documents before generating print orders and associated release codes. This could allow an attacker to generate print orders and release codes for documents they don´t own and print hem without authorization. In order to exploit this vulnerability, the user must have an account with wepanow.com or any of the institutions they serve, and be logged in.

Action-Not Available
Vendor-wepanowWEPA
Product-print_awayWepa Print Away
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-862
Missing Authorization
CVE-2022-41242
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-0.65% / 69.91%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 15:46
Updated-28 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

Action-Not Available
Vendor-Jenkins
Product-extreme-feedbackJenkins extreme-feedback Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-39233
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.62%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 00:00
Updated-22 Apr, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tuleap subject to Missing Authorization allowing for branch prefix modification

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions 12.9.99.228 and above, prior to 14.0.99.24, authorizations are not properly verified when updating the branch prefix used by the GitLab repository integration. Authenticated users can change the branch prefix of any of the GitLab repository integration they can see vie the REST endpoint `PATCH /gitlab_repositories/{id}`. This action should be restricted to Git administrators. This issue is patched in Tuleap Community Edition 14.0.99.24 and Tuleap Enterprise Edition 14.0-3. There are no known workarounds.

Action-Not Available
Vendor-Enalean SAS
Product-tuleaptuleap
CWE ID-CWE-862
Missing Authorization
CVE-2022-39302
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.02% / 2.31%
||
7 Day CHG~0.00%
Published-13 Oct, 2022 | 00:00
Updated-23 Apr, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ree6 may bypass webhook protection

Ree6 is a moderation bot. This vulnerability would allow other server owners to create configurations such as "Better-Audit-Logging" which contain a channel from another server as a target. This would mean you could send log messages to another Guild channel and bypass raid and webhook protections. A specifically crafted log message could allow spamming and mass advertisements. This issue has been patched in version 1.9.9. There are currently no known workarounds.

Action-Not Available
Vendor-ree6Ree6-Applications
Product-ree6Ree6
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-2716
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.10% / 28.41%
||
7 Day CHG~0.00%
Published-20 May, 2023 | 02:03
Updated-13 Jan, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload a file to the contact, and then lists all the other uploaded files related to the contact.

Action-Not Available
Vendor-trainingbusinessprosGroundhogg (Groundhogg Inc.)
Product-groundhoggWordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CWE ID-CWE-862
Missing Authorization
CVE-2022-36910
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-0.31% / 53.33%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 14:26
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to reindex the database and to obtain information about jobs otherwise inaccessible to them.

Action-Not Available
Vendor-Jenkins
Product-lucene-searchJenkins Lucene-Search Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-50419
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.83%
||
7 Day CHG+0.03%
Published-30 Oct, 2024 | 15:01
Updated-28 May, 2025 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Greenshift plugin <= 9.7 - Broken Access Control vulnerability

Incorrect Authorization vulnerability in Wpsoul Greenshift – animation and page builder blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift – animation and page builder blocks: from n/a through 9.7.

Action-Not Available
Vendor-greenshiftwpWpsoul
Product-greenshift_-_animation_and_page_builder_blocksGreenshift – animation and page builder blocks
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-50456
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 38.71%
||
7 Day CHG+0.02%
Published-29 Oct, 2024 | 21:00
Updated-07 Nov, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SEOPress plugin <= 8.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in The SEO Guys at SEOPress SEOPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEOPress: from n/a through 8.1.1.

Action-Not Available
Vendor-seopressThe SEO Guys at SEOPress
Product-seopressSEOPress
CWE ID-CWE-862
Missing Authorization
CVE-2022-31597
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 35.29%
||
7 Day CHG~0.00%
Published-12 Jul, 2022 | 20:27
Updated-03 Aug, 2024 | 07:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data.

Action-Not Available
Vendor-SAP SE
Product-sapscores\/4hanaSAP S/4HANA
CWE ID-CWE-862
Missing Authorization
CVE-2022-31168
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 50.51%
||
7 Day CHG-0.06%
Published-22 Jul, 2022 | 13:05
Updated-23 Apr, 2025 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zulip Server insufficient authorization for changing bot roles

Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.

Action-Not Available
Vendor-Kandra Labs, Inc. (Zulip)
Product-zulipzulip
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-43268
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 23.15%
||
7 Day CHG+0.01%
Published-01 Nov, 2024 | 14:17
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Backup and Restore WordPress plugin <= 1.50 - Broken Access Control vulnerability

Access Control vulnerability in WPBackItUp Backup and Restore WordPress allows . This issue affects Backup and Restore WordPress: from n/a through 1.50.

Action-Not Available
Vendor-WPBackItUp
Product-Backup and Restore WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2020-26830
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-7.6||HIGH
EPSS-0.25% / 48.57%
||
7 Day CHG~0.00%
Published-09 Dec, 2020 | 16:29
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, does not perform necessary authorization checks for an authenticated user. Due to inadequate access control, a network attacker authenticated as a regular user can use operations which should be restricted to administrators. These operations can be used to Change the User Experience Monitoring configuration, obtain details about the configured SAP Solution Manager agents, Deploy a malicious User Experience Monitoring script.

Action-Not Available
Vendor-SAP SE
Product-solution_managerSAP Solution Manager (User Experience Monitoring)
CWE ID-CWE-862
Missing Authorization
CVE-2024-39871
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 32.76%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 12:05
Updated-27 Aug, 2025 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could allow an authenticated attacker with the permission to manage devices to gain access to participant groups that the attacked does not belong to.

Action-Not Available
Vendor-Siemens AG
Product-sinema_remote_connect_serverSINEMA Remote Connect Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-3942
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.06% / 18.94%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-21 Jan, 2025 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on several functions in versions up to, and including, 3.3.8. This makes it possible for authenticated attackers, with subscriber level permissions and above, to read and modify content such as course questions, post titles, and taxonomies.

Action-Not Available
Vendor-stylemixthemesstylemix
Product-masterstudy_lmsMasterStudy LMS WordPress Plugin – for Online Courses and Education
CWE ID-CWE-862
Missing Authorization
CVE-2020-24401
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 51.40%
||
7 Day CHG~0.00%
Published-09 Nov, 2020 | 00:39
Updated-16 Sep, 2024 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect permissions following the deletion of a user role or deactivation of a user

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.

Action-Not Available
Vendor-magentoAdobe Inc.
Product-magentoMagento Commerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-38737
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 23.15%
||
7 Day CHG+0.01%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ReDi Restaurant Reservation plugin <= 24.0422 - Broken Access Control vulnerability

Missing Authorization vulnerability in Reservation Diary ReDi Restaurant Reservation allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ReDi Restaurant Reservation: from n/a through 24.0422.

Action-Not Available
Vendor-Reservation Diary
Product-ReDi Restaurant Reservation
CWE ID-CWE-862
Missing Authorization
CVE-2024-37250
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 23.15%
||
7 Day CHG+0.01%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Advanced Custom Fields Pro plugin < 6.3.2 - Subscriber+ Broken Access Control vulnerability

Missing Authorization vulnerability in WPEngine Inc. Advanced Custom Fields PRO allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Custom Fields PRO: from n/a through 6.3.1.

Action-Not Available
Vendor-WPEngine Inc.
Product-Advanced Custom Fields PRO
CWE ID-CWE-862
Missing Authorization
CVE-2024-37483
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 23.15%
||
7 Day CHG+0.01%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress The Post Grid plugin <= 7.7.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Post Grid Team by RadiusTheme The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Post Grid: from n/a through 7.7.4.

Action-Not Available
Vendor-Post Grid Team by RadiusTheme
Product-The Post Grid
CWE ID-CWE-862
Missing Authorization
CVE-2020-2204
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 7.08%
||
7 Day CHG~0.00%
Published-02 Jul, 2020 | 14:55
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.

Action-Not Available
Vendor-Jenkins
Product-fortify_on_demandJenkins Fortify on Demand Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2020-1998
Matching Score-4
Assigner-Palo Alto Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Palo Alto Networks, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 37.26%
||
7 Day CHG~0.00%
Published-13 May, 2020 | 19:07
Updated-16 Sep, 2024 | 23:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PAN-OS: Improper SAML SSO authorization of shared local users

An improper authorization vulnerability in PAN-OS that mistakenly uses the permissions of local linux users instead of the intended SAML permissions of the account when the username is shared for the purposes of SSO authentication. This can result in authentication bypass and unintended resource access for the user. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; PAN-OS 9.1 versions earlier than 9.1.1; All versions of PAN-OS 8.0.

Action-Not Available
Vendor-Palo Alto Networks, Inc.
Product-pan-osPAN-OS
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-2091
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.1||HIGH
EPSS-0.19% / 41.09%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 00:00
Updated-04 Aug, 2024 | 06:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

Action-Not Available
Vendor-Jenkins
Product-amazon_ec2Jenkins Amazon EC2 Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2020-1725
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 30.85%
||
7 Day CHG~0.00%
Published-28 Jan, 2021 | 19:05
Updated-04 Aug, 2024 | 06:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-keycloakkeycloak
CWE ID-CWE-863
Incorrect Authorization
CVE-2017-2599
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.06% / 19.61%
||
7 Day CHG~0.00%
Published-11 Apr, 2018 | 16:00
Updated-05 Aug, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).

Action-Not Available
Vendor-[UNKNOWN]Jenkins
Product-jenkinsjenkins
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-27970
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 38.99%
||
7 Day CHG~0.00%
Published-21 Mar, 2024 | 15:25
Updated-02 Aug, 2024 | 00:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP SendFox plugin <= 1.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in BogdanFix WP SendFox.This issue affects WP SendFox: from n/a through 1.3.0.

Action-Not Available
Vendor-BogdanFix
Product-WP SendFox
CWE ID-CWE-862
Missing Authorization
CVE-2024-28003
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 41.12%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 05:52
Updated-08 Aug, 2024 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Max Mega Menu plugin <= 3.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Megamenu Max Mega Menu.This issue affects Max Mega Menu: from n/a through 3.3.

Action-Not Available
Vendor-Megamenu
Product-Max Mega Menu
CWE ID-CWE-862
Missing Authorization
CVE-2024-27950
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.08% / 23.96%
||
7 Day CHG~0.00%
Published-01 Mar, 2024 | 07:46
Updated-08 Aug, 2024 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sirv Plugin <= 7.2.0 is vulnerable to Broken Access Control

Missing Authorization vulnerability in sirv.Com Image Optimizer, Resizer and CDN – Sirv.This issue affects Image Optimizer, Resizer and CDN – Sirv: from n/a through 7.2.0.

Action-Not Available
Vendor-sirv.com
Product-Image Optimizer, Resizer and CDN – Sirv
CWE ID-CWE-862
Missing Authorization
CVE-2024-20438
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 23.15%
||
7 Day CHG~0.00%
Published-02 Oct, 2024 | 16:53
Updated-08 Oct, 2024 | 13:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Nexus Dashboard Fabric Controller Unauthorized REST API Vulnerability

A vulnerability in the REST API endpoints of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to read or write files on an affected device. This vulnerability exists because of missing authorization controls on some REST API endpoints. An attacker could exploit this vulnerability by sending crafted API requests to an affected endpoint. A successful exploit could allow the attacker to perform limited network-admin functions such as reading device configuration information, uploading files, and modifying uploaded files. Note: This vulnerability only affects a subset of REST API endpoints and does not affect the web-based management interface.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-nexus_dashboard_fabric_controllernexus_dashboardCisco Data Center Network Manager
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-862
Missing Authorization
CVE-2013-4862
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-7.94% / 91.71%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 16:09
Updated-06 Aug, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MiCasaVerde VeraLite with firmware 1.5.408 does not properly restrict access, which allows remote authenticated users to (1) update the firmware via the squashfs parameter to upgrade_step2.sh or (2) obtain hashed passwords via the cgi-bin/cmh/backup.sh page.

Action-Not Available
Vendor-micasaverden/a
Product-veraliteveralite_firmwaren/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-31552
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 29.84%
||
7 Day CHG~0.00%
Published-22 Apr, 2021 | 02:29
Updated-03 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-2419
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-3.7||LOW
EPSS-0.18% / 40.17%
||
7 Day CHG~0.00%
Published-09 May, 2018 | 20:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-sapscores4coreea-finservSAP Enterprise Financial Services (S4CORE)SAP Enterprise Financial Services (SAPSCORE)SAP Enterprise Financial Services (EA-FINSERV)
CWE ID-CWE-862
Missing Authorization
CVE-2022-31128
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 37.02%
||
7 Day CHG~0.00%
Published-01 Aug, 2022 | 16:20
Updated-23 Apr, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fine grained permissions are not checked in Tuleap

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not properly verify permissions when creating branches with the REST API in Git repositories using the fine grained permissions. Users can create branches via the REST endpoint `POST git/:id/branches` regardless of the permissions set on the repository. This issue has been fixed in version 13.10.99.82 Tuleap Community Edition as well as in version 13.10-3 of Tuleap Enterprise Edition. Users are advised to upgrade. There are no known workarounds for this issue.

Action-Not Available
Vendor-Enalean SAS
Product-tuleaptuleap
CWE ID-CWE-862
Missing Authorization
CVE-2024-50573
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.3||MEDIUM
EPSS-0.00% / 0.08%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 12:55
Updated-29 Oct, 2024 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services

Action-Not Available
Vendor-JetBrains s.r.o.
Product-hubHub
CWE ID-CWE-862
Missing Authorization
CVE-2024-49293
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 23.15%
||
7 Day CHG~0.00%
Published-21 Oct, 2024 | 11:12
Updated-29 Oct, 2024 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP VR plugin <= 8.5.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Rextheme WP VR allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP VR: from n/a through 8.5.4.

Action-Not Available
Vendor-rexthemeRextheme
Product-wp_vrWP VR
CWE ID-CWE-862
Missing Authorization
CVE-2024-47172
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.09% / 27.12%
||
7 Day CHG~0.00%
Published-30 Sep, 2024 | 15:00
Updated-30 Oct, 2024 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Computer Vision Annotation Tool (CVAT) access control is broken in several PATCH endpoints

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account may retrieve certain information about any project, task, job or membership resource on the CVAT instance. The information exposed in this way is the same as the information returned on a GET request to the resource. In addition, the attacker can also alter the default source and target storage associated with any project or task. Upgrade to CVAT 2.19.1 or any later version to fix the issue.

Action-Not Available
Vendor-cvatcvat-ai
Product-computer_vision_annotation_toolcvat
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-31554
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 31.73%
||
7 Day CHG~0.00%
Published-22 Apr, 2021 | 02:29
Updated-03 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain unblocked.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-4468
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.57% / 67.65%
||
7 Day CHG+0.15%
Published-08 Jun, 2024 | 07:37
Updated-31 Oct, 2024 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Salon booking system <= 9.9 - Missing Authorization

The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users.

Action-Not Available
Vendor-salonbookingsystemwordpresschef
Product-salon_booking_systemSalon Booking System
CWE ID-CWE-862
Missing Authorization
CVE-2024-45131
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 30.13%
||
7 Day CHG~0.00%
Published-10 Oct, 2024 | 09:57
Updated-14 Oct, 2024 | 11:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Commerce | Incorrect Authorization (CWE-863)

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality and integrity. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-magentocommercecommerce_b2bAdobe Commerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-20179
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.1||HIGH
EPSS-0.40% / 59.83%
||
7 Day CHG~0.00%
Published-15 Mar, 2021 | 12:01
Updated-03 Aug, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity.

Action-Not Available
Vendor-dogtagpkin/aRed Hat, Inc.Fedora Project
Product-certificate_systementerprise_linuxdogtagpkifedorapki-core
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-31246
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 51.90%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 08:55
Updated-05 Oct, 2024 | 01:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin <= 3.2.3 - Author+ Post/Page Duplication vulnerability

Missing Authorization vulnerability in Post Grid Team by WPXPO PostX – Gutenberg Blocks for Post Grid.This issue affects PostX – Gutenberg Blocks for Post Grid: from n/a through 3.2.3.

Action-Not Available
Vendor-wpxpoPost Grid Team by WPXPO
Product-postxPostX – Gutenberg Blocks for Post Grid
CWE ID-CWE-862
Missing Authorization
CVE-2020-6212
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.13% / 32.62%
||
7 Day CHG~0.00%
Published-24 Apr, 2020 | 22:18
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Egypt localized withholding tax reports Clearing of Liabilities and Remittance Statement and Summary in SAP ERP (versions 618, 730, EAPPLGLO 607) and S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user, allowing reading or modification of some tax reports, due to Missing Authorization Check.

Action-Not Available
Vendor-SAP SE
Product-erps\/4hanaSAP S/4 HANASAP ERP
CWE ID-CWE-862
Missing Authorization
CVE-2020-6199
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 31.03%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 20:18
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The view FIMENAV_COMPCERT in SAP ERP (MENA Certificate Management), EAPPGLO version 607, SAP_FIN versions- 618, 730 and SAP S/4HANA (MENA Certificate Management), S4CORE versions- 100, 101, 102, 103, 104; does not have any authorization check to it due to which an attacker without an authorization group can maintain any company certificate, leading to Missing Authorization Check.

Action-Not Available
Vendor-SAP SE
Product-erpSAP ERP (EAPPGLO)SAP ERP (SAP_FIN)SAP S/4HANA (S4CORE)
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found