Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-51650

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-22 Dec, 2023 | 20:56
Updated At-23 Apr, 2025 | 16:17
Rejected At-
Credits

Unauthorized access vulnerability on three interfaces

Hertzbeat is an open source, real-time monitoring system. Prior to version 1.4.1, Spring Boot permission configuration issues caused unauthorized access vulnerabilities to three interfaces. This could result in disclosure of sensitive server information. Version 1.4.1 fixes this issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:22 Dec, 2023 | 20:56
Updated At:23 Apr, 2025 | 16:17
Rejected At:
▼CVE Numbering Authority (CNA)
Unauthorized access vulnerability on three interfaces

Hertzbeat is an open source, real-time monitoring system. Prior to version 1.4.1, Spring Boot permission configuration issues caused unauthorized access vulnerabilities to three interfaces. This could result in disclosure of sensitive server information. Version 1.4.1 fixes this issue.

Affected Products
Vendor
dromara
Product
hertzbeat
Versions
Affected
  • < 1.4.1
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862: Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862: Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/dromara/hertzbeat/security/advisories/GHSA-rrc5-qpxr-5jm2
x_refsource_CONFIRM
https://github.com/dromara/hertzbeat/releases/tag/v1.4.1
x_refsource_MISC
Hyperlink: https://github.com/dromara/hertzbeat/security/advisories/GHSA-rrc5-qpxr-5jm2
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/dromara/hertzbeat/releases/tag/v1.4.1
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/dromara/hertzbeat/security/advisories/GHSA-rrc5-qpxr-5jm2
x_refsource_CONFIRM
x_transferred
https://github.com/dromara/hertzbeat/releases/tag/v1.4.1
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/dromara/hertzbeat/security/advisories/GHSA-rrc5-qpxr-5jm2
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/dromara/hertzbeat/releases/tag/v1.4.1
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:22 Dec, 2023 | 21:15
Updated At:28 Aug, 2024 | 15:44

Hertzbeat is an open source, real-time monitoring system. Prior to version 1.4.1, Spring Boot permission configuration issues caused unauthorized access vulnerabilities to three interfaces. This could result in disclosure of sensitive server information. Version 1.4.1 fixes this issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches

The Apache Software Foundation
apache
>>hertzbeat>>Versions before 1.4.1(exclusive)
cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity-advisories@github.com
CWE ID: CWE-862
Type: Primary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/dromara/hertzbeat/releases/tag/v1.4.1security-advisories@github.com
Release Notes
https://github.com/dromara/hertzbeat/security/advisories/GHSA-rrc5-qpxr-5jm2security-advisories@github.com
Exploit
Vendor Advisory
Hyperlink: https://github.com/dromara/hertzbeat/releases/tag/v1.4.1
Source: security-advisories@github.com
Resource:
Release Notes
Hyperlink: https://github.com/dromara/hertzbeat/security/advisories/GHSA-rrc5-qpxr-5jm2
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

302Records found

CVE-2023-32520
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.33% / 54.90%
||
7 Day CHG+0.05%
Published-13 Dec, 2024 | 14:23
Updated-13 Dec, 2024 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WCP Contact Form plugin <= 3.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Webcodin WCP Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCP Contact Form: from n/a through 3.1.0.

Action-Not Available
Vendor-Webcodin
Product-WCP Contact Form
CWE ID-CWE-862
Missing Authorization
CVE-2024-44265
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.12% / 31.92%
||
7 Day CHG+0.02%
Published-28 Oct, 2024 | 21:08
Updated-30 Oct, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An attacker with physical access can input Game Controller events to apps running on a locked device.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOSmacos
CWE ID-CWE-862
Missing Authorization
CVE-2020-14969
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.28% / 50.97%
||
7 Day CHG~0.00%
Published-22 Jun, 2020 | 11:48
Updated-04 Aug, 2024 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute.

Action-Not Available
Vendor-mispn/a
Product-mispn/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-43158
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.10%
||
7 Day CHG+0.08%
Published-01 Nov, 2024 | 14:17
Updated-28 May, 2025 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Masteriyo LMS plugin <= 1.11.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.4.

Action-Not Available
Vendor-masteriyoMasteriyomasteriyo
Product-masteriyoMasteriyo - LMSmasteriyo
CWE ID-CWE-862
Missing Authorization
CVE-2020-14520
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.15%
||
7 Day CHG~0.00%
Published-31 Jul, 2020 | 12:30
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The affected product is vulnerable to an information leak, which may allow an attacker to obtain sensitive information on the Ignition 8 (all versions prior to 8.0.13).

Action-Not Available
Vendor-inductiveautomationn/a
Product-ignition_gatewayIgnition 8
CWE ID-CWE-862
Missing Authorization
CVE-2024-40852
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.12% / 31.60%
||
7 Day CHG~0.00%
Published-16 Sep, 2024 | 23:23
Updated-19 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18 and iPadOS 18. An attacker may be able to see recent photos without authentication in Assistive Access.

Action-Not Available
Vendor-Apple Inc.
Product-ipadosiphone_osiOS and iPadOSios_and_ipados
CWE ID-CWE-862
Missing Authorization
CVE-2022-4972
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-1.26% / 78.60%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-30 Oct, 2024 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Monitor <= 4.7.51 - Missing Authorization to Unauthenticated Data Export

The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthenticated attackers to view user data and other sensitive information intended for administrators.

Action-Not Available
Vendor-wpchillwpchillwpchill
Product-download_monitorDownload Monitordownload_monitor
CWE ID-CWE-862
Missing Authorization
CVE-2023-30195
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.08% / 24.74%
||
7 Day CHG~0.00%
Published-06 Jul, 2023 | 00:00
Updated-20 Nov, 2024 | 21:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the module "Detailed Order" (lgdetailedorder) in version up to 1.1.20 from Linea Grafica for PrestaShop, a guest can download personal informations without restriction formatted in json.

Action-Not Available
Vendor-lineagrafican/a
Product-lgdetailedordern/a
CWE ID-CWE-862
Missing Authorization
CVE-2020-11463
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.43% / 61.36%
||
7 Day CHG~0.00%
Published-01 Apr, 2020 | 20:52
Updated-04 Aug, 2024 | 11:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user's password.

Action-Not Available
Vendor-deskpron/a
Product-deskpron/a
CWE ID-CWE-862
Missing Authorization
CVE-2020-10187
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.43% / 61.38%
||
7 Day CHG~0.00%
Published-04 May, 2020 | 13:19
Updated-04 Aug, 2024 | 10:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.

Action-Not Available
Vendor-doorkeeper_projectn/a
Product-doorkeepern/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-38810
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 51.64%
||
7 Day CHG~0.00%
Published-20 Aug, 2024 | 03:35
Updated-28 Feb, 2025 | 22:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization When Using @AuthorizeReturnObject

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_securityspring security
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-862
Missing Authorization
CVE-2023-27963
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.13% / 32.62%
||
7 Day CHG~0.00%
Published-08 May, 2023 | 00:00
Updated-29 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The issue was addressed with additional permissions checks. This issue is fixed in macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, macOS Monterey 12.6.4, tvOS 16.4, watchOS 9.4. A shortcut may be able to use sensitive data with certain actions without prompting the user.

Action-Not Available
Vendor-Apple Inc.
Product-ipadosiphone_oswatchosmacosiOS and iPadOSwatchOSmacOStvOS
CWE ID-CWE-862
Missing Authorization
CVE-2023-25714
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.25% / 47.75%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-09 Dec, 2024 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quick Paypal Payments plugin <= 5.7.25 - Broken Access Control vulnerability

Missing Authorization vulnerability in Fullworks Quick Paypal Payments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quick Paypal Payments: from n/a through 5.7.25.

Action-Not Available
Vendor-Fullworksfullworksplugins
Product-Quick Paypal Paymentsquick_paypal_payments
CWE ID-CWE-862
Missing Authorization
CVE-2024-32777
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.36% / 57.07%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 13:10
Updated-02 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BizPrint plugin <= 4.3.39 - Broken Access Control vulnerability

Missing Authorization vulnerability in BizSwoop a CPF Concepts, LLC Brand BizPrint.This issue affects BizPrint: from n/a through 4.3.39.

Action-Not Available
Vendor-BizSwoop (CPF Concepts, LLC)
Product-BizPrint
CWE ID-CWE-862
Missing Authorization
CVE-2024-31343
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.85% / 73.96%
||
7 Day CHG~0.00%
Published-10 Apr, 2024 | 16:12
Updated-17 Jan, 2025 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin <= 4.10.1 - Arbitrary File Download vulnerability

Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 4.10.1.

Action-Not Available
Vendor-sonaarSonaar Musicsonaar
Product-mp3_audio_player_for_music\,_radio_\&_podcastMP3 Audio Player for Music, Radio & Podcast by Sonaarmp3_audio_player_for_music\,_radio_\&_podcast
CWE ID-CWE-862
Missing Authorization
CVE-2021-27656
Matching Score-4
Assigner-Johnson Controls
ShareView Details
Matching Score-4
Assigner-Johnson Controls
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 47.74%
||
7 Day CHG~0.00%
Published-18 Mar, 2021 | 17:58
Updated-17 Sep, 2024 | 03:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
exacqVision Web Services - Information Exposure

A vulnerability in exacqVision Web Service 20.12.2.0 and prior could allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system.

Action-Not Available
Vendor-johnsoncontrolsJohnson Controls
Product-exacqvision_web_serviceexacqVision Web Service version 20.12.2.0 and prior
CWE ID-CWE-862
Missing Authorization
CVE-2019-5470
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.04%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 02:49
Updated-04 Aug, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure issue was discovered GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2024-27911
Matching Score-4
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-4
Assigner-Lenovo Group Ltd.
CVSS Score-7.5||HIGH
EPSS-0.14% / 34.67%
||
7 Day CHG+0.04%
Published-05 Apr, 2024 | 20:47
Updated-02 Aug, 2024 | 00:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was reported in some Lenovo Printers that could allow an unauthenticated attacker to obtain the administrator password.

Action-Not Available
Vendor-Lenovo Group Limited
Product-Printerslingxlang_g262dn_firmwarelingxlang_g336dn_firmwarelj2310n_firmwarelingxlang_gm337dn_firmwarelingxlang_gm265dn_firmwarelingxlang_lj2320dn_firmware
CWE ID-CWE-862
Missing Authorization
CVE-2024-28215
Matching Score-4
Assigner-Naver Corporation
ShareView Details
Matching Score-4
Assigner-Naver Corporation
CVSS Score-7.5||HIGH
EPSS-0.33% / 55.27%
||
7 Day CHG-0.10%
Published-07 Mar, 2024 | 04:50
Updated-07 May, 2025 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.

Action-Not Available
Vendor-naverNAVERnaver
Product-ngrindernGrinderngrinder
CWE ID-CWE-862
Missing Authorization
CVE-2025-6253
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.08% / 23.99%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 05:27
Updated-12 Aug, 2025 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UiCore Elements <= 1.3.0 - Missing Authorization to Unauthenticated Arbitrary File Read

The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Action-Not Available
Vendor-uicore
Product-UiCore Elements – Free Elementor widgets and templates
CWE ID-CWE-862
Missing Authorization
CVE-2019-3399
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-7.5||HIGH
EPSS-0.57% / 67.70%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 15:28
Updated-16 Sep, 2024 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2024-21246
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-7.5||HIGH
EPSS-0.09% / 26.21%
||
7 Day CHG~0.00%
Published-15 Oct, 2024 | 19:52
Updated-18 Oct, 2024 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle Service Bus product of Oracle Fusion Middleware (component: OSB Core Functionality). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Service Bus. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Service Bus accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-service_busOracle Service Bus
CWE ID-CWE-862
Missing Authorization
CVE-2024-21234
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-7.5||HIGH
EPSS-0.51% / 65.48%
||
7 Day CHG~0.00%
Published-15 Oct, 2024 | 19:52
Updated-18 Oct, 2024 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-weblogic_serverOracle WebLogic Server
CWE ID-CWE-862
Missing Authorization
CVE-2025-47558
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.02%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-03 Jul, 2025 | 10:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MapSVG plugin < 8.6.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in PT Norther Lights Production MapSVG allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MapSVG: from n/a before 8.6.13.

Action-Not Available
Vendor-PT Norther Lights Production
Product-MapSVG
CWE ID-CWE-862
Missing Authorization
CVE-2025-7717
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.20%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 16:37
Updated-26 Aug, 2025 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089

Missing Authorization vulnerability in Drupal File Download allows Forceful Browsing.This issue affects File Download: from 0.0.0 before 1.9.0, from 2.0.0 before 2.0.1.

Action-Not Available
Vendor-file_download_projectThe Drupal Association
Product-file_downloadFile Download
CWE ID-CWE-862
Missing Authorization
CVE-2024-35237
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.09% / 27.03%
||
7 Day CHG~0.00%
Published-27 May, 2024 | 17:07
Updated-02 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MIT IdentiBot User-Kerberos Mapping Publicly Available

MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals' affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e impacts all users who have performed verification with an instance of MIT IdentiBot that meets the following conditions: The instance of IdentiBot is tied to a "public" Discord application—i.e., users other than the API access registrant can add it to servers; *and* the instance has not yet been patched. In affected versions, IdentiBot does not check that a server is authorized before allowing members to execute slash and user commands in that server. As a result, any user can join IdentiBot to their server and then use commands (e.g., `/kerbid`) to reveal the full name and other information about a Discord user who has verified their affiliation with MIT using IdentiBot. The latest version of MIT IdentiBot contains a patch for this vulnerability (implemented in commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e). There is no way to prevent exploitation of the vulnerability without the patch. To prevent exploitation of the vulnerability, all vulnerable instances of IdentiBot should be taken offline until they have been updated.

Action-Not Available
Vendor-ZelnickBzelnickb
Product-mit-identibotmit_identibot
CWE ID-CWE-862
Missing Authorization
CVE-2025-6814
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.08% / 24.23%
||
7 Day CHG~0.00%
Published-04 Jul, 2025 | 01:44
Updated-08 Jul, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Booking X 1.0 - 1.1.2 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via export_now() Function

The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request.

Action-Not Available
Vendor-dunskii
Product-Booking X – Appointment and Reservation Availability Calendar
CWE ID-CWE-862
Missing Authorization
CVE-2025-39449
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.02%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 18:50
Updated-21 May, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetWooBuilder <= 2.1.18 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Crocoblock JetWooBuilder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JetWooBuilder: from n/a through 2.1.18.

Action-Not Available
Vendor-Crocoblock
Product-JetWooBuilder
CWE ID-CWE-862
Missing Authorization
CVE-2024-12614
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.10% / 27.56%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 09:39
Updated-17 Jan, 2025 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Passwords Manager <= 1.4.8 - Missing Authorization to Authenticated (Subscriber+) Add Password + Update Encryption Key

The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings and add passwords.

Action-Not Available
Vendor-hirewebxpertscoder426
Product-passwords_managerPasswords Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE ID-CWE-862
Missing Authorization
CVE-2025-39447
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.02%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 18:51
Updated-21 May, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetElements For Elementor <= 2.7.4.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Crocoblock JetElements For Elementor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JetElements For Elementor: from n/a through 2.7.4.1.

Action-Not Available
Vendor-Crocoblock
Product-JetElements For Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2024-12812
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.06% / 19.12%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-27 Aug, 2025 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP ERP < 1.13.4 - Custom+ Unauthorized Access to Terminated Employee Information

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees.

Action-Not Available
Vendor-UnknownweDevs Pte. Ltd.
Product-wp_erpWP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2025-54692
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 11.59%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 10:34
Updated-14 Aug, 2025 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Membership For WooCommerce Plugin <= 2.9.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.9.0.

Action-Not Available
Vendor-WP Swings
Product-Membership For WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2021-21246
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-1.21% / 78.17%
||
7 Day CHG~0.00%
Published-15 Jan, 2021 | 20:10
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pre-Auth Access token leak

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account. This issue may lead to `Sensitive data leak` and leak the Access Token which can be used to impersonate the administrator or any other users. This issue was addressed in 4.0.3 by removing user info from restful api.

Action-Not Available
Vendor-onedev_projecttheonedev
Product-onedevonedev
CWE ID-CWE-862
Missing Authorization
CVE-2025-32544
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.06% / 17.98%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:47
Updated-17 Apr, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Loyal Customers plugin <= 2.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through 2.6.

Action-Not Available
Vendor-The Right Software
Product-WooCommerce Loyal Customers
CWE ID-CWE-862
Missing Authorization
CVE-2019-13408
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.45% / 62.58%
||
7 Day CHG~0.00%
Published-29 Aug, 2019 | 00:18
Updated-17 Sep, 2024 | 01:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advan VD-1 allows users to download arbitrary files

A relative path traversal vulnerability found in Advan VD-1 firmware versions up to 230. It allows attackers to download arbitrary files via url cgibin/ExportSettings.cgi?Download=filepath, without any authentication.

Action-Not Available
Vendor-geovisionandrovideoAndroVideo
Product-gv-vd8700gv-vd8700_firmwarevd_1vd_1_firmwaregv-vr360gv-vr360_firmwareAdvan VD-1 firmware
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-52731
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 11.59%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 10:34
Updated-14 Aug, 2025 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WordPress Event Manager, Event Calendar and Booking Plugin Plugin <= 4.0.24 - Arbitrary Content Deletion Vulnerability

Missing Authorization vulnerability in themefunction WordPress Event Manager, Event Calendar and Booking Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Event Manager, Event Calendar and Booking Plugin: from n/a through 4.0.24.

Action-Not Available
Vendor-themefunction
Product-WordPress Event Manager, Event Calendar and Booking Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-12269
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.12% / 31.07%
||
7 Day CHG+0.01%
Published-30 Jan, 2025 | 13:41
Updated-31 Jan, 2025 | 19:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Safe Ai Malware Protection for WP <= 1.0.17 - Missing Authorization to Unauthenticated Database Export

The Safe Ai Malware Protection for WP plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db() function in all versions up to, and including, 1.0.17. This makes it possible for unauthenticated attackers to retrieve a complete dump of the site's database.

Action-Not Available
Vendor-wpmessiahenamulwp
Product-safe_ai_malware_protection_for_wpSafe Ai Malware Protection for WP
CWE ID-CWE-862
Missing Authorization
CVE-2024-10813
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 55.99%
||
7 Day CHG~0.00%
Published-23 Nov, 2024 | 03:25
Updated-12 Jul, 2025 | 00:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Table for WooCommerce by CodeAstrology (wooproducttable.com) <= 3.5.1 - Information Exposure

The Product Table for WooCommerce by CodeAstrology (wooproducttable.com) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1 via the var_dump_table parameter. This makes it possible for unauthenticated attackers var data.

Action-Not Available
Vendor-codeastrologycodersaifulcodeastrology
Product-woo_product_tableProduct Table for WooCommerce by CodeAstrology (wooproducttable.com)woo_product_table
CWE ID-CWE-862
Missing Authorization
CVE-2019-10184
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.68% / 70.64%
||
7 Day CHG~0.00%
Published-25 Jul, 2019 | 20:35
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

Action-Not Available
Vendor-undertow-ioRed Hat, Inc.NetApp, Inc.
Product-jboss_data_gridsingle_sign-onopenshift_application_runtimesenterprise_linuxactive_iq_unified_managerundertowjboss_enterprise_application_platformundertow
CWE ID-CWE-862
Missing Authorization
CVE-2025-49265
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.02%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 15:53
Updated-12 Jun, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Membership For WooCommerce <= 2.8.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.8.1.

Action-Not Available
Vendor-WP Swings
Product-Membership For WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2023-25573
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-93.04% / 99.77%
||
7 Day CHG~0.00%
Published-09 Mar, 2023 | 16:33
Updated-25 Feb, 2025 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper access control to download file in metersphere

metersphere is an open source continuous testing platform. In affected versions an improper access control vulnerability exists in `/api/jmeter/download/files`, which allows any user to download any file without authentication. This issue may expose all files available to the running process. This issue has been addressed in version 1.20.20 lts and 2.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-MeterSphere (FIT2CLOUD Inc.)
Product-meterspheremetersphere
CWE ID-CWE-862
Missing Authorization
CVE-2022-27480
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.5||HIGH
EPSS-0.45% / 62.64%
||
7 Day CHG~0.00%
Published-12 Apr, 2022 | 09:08
Updated-03 Aug, 2024 | 05:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SICAM A8000 CP-8031 (All versions < V4.80), SICAM A8000 CP-8050 (All versions < V4.80). Affected devices do not require an user to be authenticated to access certain files. This could allow unauthenticated attackers to download these files.

Action-Not Available
Vendor-Siemens AG
Product-sicam_a8000_cp-8031sicam_a8000_cp-8050sicam_a8000_cp-8031_firmwaresicam_a8000_cp-8050_firmwareSICAM A8000 CP-8050SICAM A8000 CP-8031
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-425
Direct Request ('Forced Browsing')
CVE-2025-30716
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-7.5||HIGH
EPSS-0.07% / 21.55%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 20:31
Updated-21 Apr, 2025 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle Common Applications product of Oracle E-Business Suite (component: CRM User Management Framework). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Common Applications. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Common Applications accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-common_applicationsOracle Common Applications
CWE ID-CWE-862
Missing Authorization
CVE-2020-5228
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.6||HIGH
EPSS-0.34% / 55.85%
||
7 Day CHG~0.00%
Published-30 Jan, 2020 | 19:50
Updated-04 Aug, 2024 | 08:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Opencast allows unauthorized public access via OAI-PMH

Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows.

Action-Not Available
Vendor-apereoopencast
Product-opencastopencast
CWE ID-CWE-862
Missing Authorization
CVE-2022-27658
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-7.5||HIGH
EPSS-0.24% / 47.19%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 18:52
Updated-03 Aug, 2024 | 05:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under certain conditions, SAP Innovation management - version 2.0, allows an attacker to access information which could lead to information gathering for further exploits and attacks.

Action-Not Available
Vendor-SAP SE
Product-innovation_managementSAP Innovation management
CWE ID-CWE-862
Missing Authorization
CVE-2022-27669
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-7.5||HIGH
EPSS-0.70% / 71.11%
||
7 Day CHG~0.00%
Published-12 Apr, 2022 | 16:11
Updated-03 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthenticated user can use functions of XML Data Archiving Service of SAP NetWeaver Application Server for Java - version 7.50, to which access should be restricted. This may result in an escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_for_javaSAP NetWeaver Application Server for Java
CWE ID-CWE-862
Missing Authorization
CVE-2025-29000
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.20%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 11:28
Updated-16 Jul, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Multi-language Responsive Contact Form plugin <= 2.8 - Broken Access Control Vulnerability

Missing Authorization vulnerability in August Infotech Multi-language Responsive Contact Form allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Multi-language Responsive Contact Form: from n/a through 2.8.

Action-Not Available
Vendor-August Infotech
Product-Multi-language Responsive Contact Form
CWE ID-CWE-862
Missing Authorization
CVE-2020-36696
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.35% / 56.96%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-28 Dec, 2024 | 00:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_downloads() function in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to download files from the vulnerable service.

Action-Not Available
Vendor-tychesoftwarestychesoftwares
Product-product_input_fields_for_woocommerceProduct Input Fields for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2022-26423
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.2||HIGH
EPSS-0.15% / 35.73%
||
7 Day CHG~0.00%
Published-21 Oct, 2022 | 15:38
Updated-17 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MISSING AUTHORIZATION CWE-862

Aethon TUG Home Base Server versions prior to version 24 are affected by un unauthenticated attacker who can freely access hashed user credentials.

Action-Not Available
Vendor-Aethon, Inc.
Product-tug_home_base_serverTUG Home Base Server
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2017-1002151
Matching Score-4
Assigner-Fedora Project
ShareView Details
Matching Score-4
Assigner-Fedora Project
CVSS Score-7.5||HIGH
EPSS-0.28% / 51.18%
||
7 Day CHG~0.00%
Published-14 Sep, 2017 | 13:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due to improper authorization

Action-Not Available
Vendor-Pagure ProjectRed Hat, Inc.
Product-pagurePagure
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • Next
Details not found