Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-39592

Summary
Assigner-sap
Assigner Org ID-e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At-09 Jul, 2024 | 03:45
Updated At-02 Aug, 2024 | 04:26
Rejected At-
Credits

[CVE-2024-39592] Missing Authorization check in SAP PDCE

Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:sap
Assigner Org ID:e4686d1a-f260-4930-ac4c-2f5c992778dd
Published At:09 Jul, 2024 | 03:45
Updated At:02 Aug, 2024 | 04:26
Rejected At:
▼CVE Numbering Authority (CNA)
[CVE-2024-39592] Missing Authorization check in SAP PDCE

Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.

Affected Products
Vendor
SAP SESAP_SE
Product
SAP PDCE
Default Status
unaffected
Versions
Affected
  • S4CORE 102
  • S4CORE 103
  • S4COREOP 104
  • S4COREOP 105
  • S4COREOP 106
  • S4COREOP 107
  • S4COREOP 108
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862: Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862: Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.17.7HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://url.sap/sapsecuritypatchday
N/A
https://me.sap.com/notes/3483344
N/A
Hyperlink: https://url.sap/sapsecuritypatchday
Resource: N/A
Hyperlink: https://me.sap.com/notes/3483344
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
SAP SEsap_se
Product
sap_pdce
CPEs
  • cpe:2.3:a:sap_se:sap_pdce:*:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • S4CORE 102
  • S4CORE 103
  • S4COREOP 104
  • S4COREOP 105
  • S4COREOP 106
  • S4COREOP 107
  • S4COREOP 108
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://url.sap/sapsecuritypatchday
x_transferred
https://me.sap.com/notes/3483344
x_transferred
Hyperlink: https://url.sap/sapsecuritypatchday
Resource:
x_transferred
Hyperlink: https://me.sap.com/notes/3483344
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@sap.com
Published At:09 Jul, 2024 | 04:15
Updated At:29 Aug, 2024 | 19:25

Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Secondary3.17.7HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CPE Matches

SAP SE
sap
>>s4core>>102
cpe:2.3:a:sap:s4core:102:*:*:*:*:*:*:*
SAP SE
sap
>>s4core>>103
cpe:2.3:a:sap:s4core:103:*:*:*:*:*:*:*
SAP SE
sap
>>s4coreop>>104
cpe:2.3:a:sap:s4coreop:104:*:*:*:*:*:*:*
SAP SE
sap
>>s4coreop>>105
cpe:2.3:a:sap:s4coreop:105:*:*:*:*:*:*:*
SAP SE
sap
>>s4coreop>>106
cpe:2.3:a:sap:s4coreop:106:*:*:*:*:*:*:*
SAP SE
sap
>>s4coreop>>107
cpe:2.3:a:sap:s4coreop:107:*:*:*:*:*:*:*
SAP SE
sap
>>s4coreop>>108
cpe:2.3:a:sap:s4coreop:108:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarycna@sap.com
CWE ID: CWE-862
Type: Primary
Source: cna@sap.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://me.sap.com/notes/3483344cna@sap.com
Permissions Required
https://url.sap/sapsecuritypatchdaycna@sap.com
Vendor Advisory
Hyperlink: https://me.sap.com/notes/3483344
Source: cna@sap.com
Resource:
Permissions Required
Hyperlink: https://url.sap/sapsecuritypatchday
Source: cna@sap.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

349Records found

CVE-2013-4226
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 46.25%
||
7 Day CHG~0.00%
Published-18 Feb, 2020 | 18:19
Updated-06 Aug, 2024 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-authenticated_user_page_cachingAuthenticated User Page Caching (Authcache) module
CWE ID-CWE-862
Missing Authorization
CVE-2025-27103
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.07% / 21.69%
||
7 Day CHG~0.00%
Published-13 Mar, 2025 | 16:44
Updated-28 Mar, 2025 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dataease Mysql JDBC Connection Parameters Not Being Verified Leads to Arbitrary File Read Vulnerability​

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass for the patch for CVE-2024-55953 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.6. No known workarounds are available.

Action-Not Available
Vendor-DataEase (FIT2CLOUD Inc.)
Product-dataeasedataease
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-26883
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 16.93%
||
7 Day CHG~0.00%
Published-24 Feb, 2025 | 14:49
Updated-24 Feb, 2025 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Animated Text Block plugin <= 1.0.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in bPlugins Animated Text Block allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Animated Text Block: from n/a through 1.0.7.

Action-Not Available
Vendor-bPlugins
Product-Animated Text Block
CWE ID-CWE-862
Missing Authorization
CVE-2025-26374
Matching Score-4
Assigner-Nozomi Networks Inc.
ShareView Details
Matching Score-4
Assigner-Nozomi Networks Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 18.25%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 13:30
Updated-17 Feb, 2025 | 10:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.

Action-Not Available
Vendor-Q-Free
Product-MaxTime
CWE ID-CWE-862
Missing Authorization
CVE-2025-23763
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 16.93%
||
7 Day CHG~0.00%
Published-03 Mar, 2025 | 13:30
Updated-03 Mar, 2025 | 19:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WAH Forms plugin <= 1.0 - Sensitive Data Exposure vulnerability

Missing Authorization vulnerability in Alex Volkov WAH Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WAH Forms: from n/a through 1.0.

Action-Not Available
Vendor-Alex Volkov
Product-WAH Forms
CWE ID-CWE-862
Missing Authorization
CVE-2025-24461
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-6.5||MEDIUM
EPSS-0.00% / 0.01%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 17:23
Updated-30 Jan, 2025 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-862
Missing Authorization
CVE-2025-2267
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 17.65%
||
7 Day CHG~0.00%
Published-15 Mar, 2025 | 03:23
Updated-28 Mar, 2025 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP01 – Speed, Security, SEO consultant <= 2.6.2 - Authenticated (Subscriber+) Arbitrary File Download

The WP01 plugin for WordPress is vulnerable to Arbitrary File Download in all versions up to, and including, 2.6.2 due to a missing capability check and insufficient restrictions on the make_archive() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download and read the contents of arbitrary files on the server, which can contain sensitive information.

Action-Not Available
Vendor-wp01ruwp01ru
Product-wp01WP01 – Speed, Security, SEO consultant
CWE ID-CWE-862
Missing Authorization
CVE-2023-38508
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 35.89%
||
7 Day CHG~0.00%
Published-24 Aug, 2023 | 22:33
Updated-02 Oct, 2024 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tuleap allows preview of a linked artifact with a type does not respect permissions

Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 14.11.99.28 and Tuleap Enterprise Edition prior to versions 14.10-6 and 14.11-3, the preview of an artifact link with a type does not respect the project, tracker and artifact level permissions. The issue occurs on the artifact view (not reproducible on the artifact modal). Users might get access to information they should not have access to. Only the title, status, assigned to and last update date fields as defined by the semantics are impacted. If those fields have strict permissions (e.g. the title is only visible to a specific user group) those permissions are still enforced. Tuleap Community Edition 14.11.99.28, Tuleap Enterprise Edition 14.10-6, and Tuleap Enterprise Edition 14.11-3 contain a fix for this issue.

Action-Not Available
Vendor-Enalean SAS
Product-tuleaptuleap
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-285
Improper Authorization
CVE-2023-37944
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 28.12%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 15:52
Updated-07 Nov, 2024 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Datadog Plugin 5.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-datadogJenkins Datadog Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-20301
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 12.44%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 16:30
Updated-25 Aug, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Secure Firewall Management Center Software Authorization Bypass Vulnerability

A vulnerability in the web-based management interface of Cisco Secure FMC Software could allow an authenticated, low-privileged, remote attacker to access troubleshoot files for a different domain. This vulnerability is due to missing authorization checks. An attacker could exploit this vulnerability by directly accessing a troubleshoot file for a different domain that is managed on the same Cisco Secure FMC instance. A successful exploit could allow the attacker to retrieve a troubleshoot file for a different domain, which could allow the attacker to access sensitive information contained in the troubleshoot file.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_firewall_management_centerCisco Firepower Management Center
CWE ID-CWE-862
Missing Authorization
CVE-2023-35149
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.83%
||
7 Day CHG~0.00%
Published-14 Jun, 2023 | 12:53
Updated-30 Dec, 2024 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-digital.ai_app_management_publisherJenkins Digital.ai App Management Publisher Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-1504
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.42%
||
7 Day CHG~0.00%
Published-08 Mar, 2025 | 02:24
Updated-24 Mar, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post Lockdown <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Post Disclosure

The Post Lockdown plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.0.2 via the 'pl_autocomplete' AJAX action due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

Action-Not Available
Vendor-andypalmerandyexeter
Product-post_lockdownPost Lockdown
CWE ID-CWE-862
Missing Authorization
CVE-2023-33970
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 41.77%
||
7 Day CHG~0.00%
Published-05 Jun, 2023 | 19:54
Updated-08 Jan, 2025 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing access control in internal task links feature in Kanboard

Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a `missing access control` was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they are not invited or it's a personal project. This could also lead to private/critical information being leaked if such information is in the title. This issue has been addressed in version 1.2.30. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-kanboardkanboard
Product-kanboardkanboard
CWE ID-CWE-862
Missing Authorization
CVE-2023-30948
Matching Score-4
Assigner-Palantir Technologies
ShareView Details
Matching Score-4
Assigner-Palantir Technologies
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 42.61%
||
7 Day CHG~0.00%
Published-06 Jun, 2023 | 14:12
Updated-07 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Retrieval of Attachments to Comments lacks Authorization

A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's content. This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time.

Action-Not Available
Vendor-palantirPalantir
Product-foundry_commentscom.palantir.comments:comments
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2024-9829
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 55.28%
||
7 Day CHG~0.00%
Published-23 Oct, 2024 | 05:35
Updated-25 Oct, 2024 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Plugin <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) User Metadata and Comment Download

The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the 'dpwap_handle_download_user' and 'dpwap_handle_download_comment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download any comment, and download metadata for any user including user PII and sensitive information including username, email, hashed passwords and application passwords, session token information and more depending on set up and additional plugins installed.

Action-Not Available
Vendor-Metagauss Inc.
Product-download_pluginDownload Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-9628
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.17% / 38.40%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 07:38
Updated-26 Feb, 2025 | 08:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPS Telegram Chat <= 4.5.4 - Authenticated (Subscriber+) Unauthorized Access to Telegram Bot API

The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::checkСonnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it.

Action-Not Available
Vendor-wpsolution10Web (TenWeb, Inc.)
Product-wps_telegram_chatWPS Telegram Chat
CWE ID-CWE-862
Missing Authorization
CVE-2023-28672
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.16% / 37.18%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 11:26
Updated-25 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-octoperf_load_testingJenkins OctoPerf Load Testing Plugin Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-2787
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.91%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 08:55
Updated-06 Dec, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Collapsed Reply Threads APIs leak message contents from private channels

Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-862
Missing Authorization
CVE-2024-7135
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-17.30% / 94.78%
||
7 Day CHG~0.00%
Published-31 Jul, 2024 | 10:59
Updated-01 Aug, 2024 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tainacan <= 0.21.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read

The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. The function is also vulnerable to directory traversal. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Action-Not Available
Vendor-leogermani
Product-Tainacan
CWE ID-CWE-862
Missing Authorization
CVE-2024-57682
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 17.07%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 00:00
Updated-02 May, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability in the component d_status.asp of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to access sensitive information via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-816dir-816_firmwaren/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-54326
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 38.59%
||
7 Day CHG+0.02%
Published-13 Dec, 2024 | 14:25
Updated-13 Dec, 2024 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GEO my WP plugin <= 4.5.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Eyal Fitoussi GEO my WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GEO my WordPress: from n/a through 4.5.0.4.

Action-Not Available
Vendor-Eyal Fitoussi
Product-GEO my WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-49581
Matching Score-4
Assigner-Palantir Technologies
ShareView Details
Matching Score-4
Assigner-Palantir Technologies
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.69%
||
7 Day CHG~0.00%
Published-02 Dec, 2024 | 20:26
Updated-02 Dec, 2024 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Access control issue impacting RV backed objects

Restricted Views backed objects (OSV1) could be bypassed under specific circumstances due to a software bug, this could have allowed users that didn't have permission to see such objects to view them via Object Explorer directly. This software bug did not impact or otherwise make data available across organizational boundaries nor did it allow for data to be viewed or accessed by unauthenticated users. The affected service have been patched and automatically deployed to all Apollo-managed Foundry instances.

Action-Not Available
Vendor-Palantir
Product-com.palantir.gotham:external-artifacts
CWE ID-CWE-862
Missing Authorization
CVE-2024-45732
Matching Score-4
Assigner-Splunk Inc.
ShareView Details
Matching Score-4
Assigner-Splunk Inc.
CVSS Score-7.1||HIGH
EPSS-0.04% / 9.61%
||
7 Day CHG~0.00%
Published-14 Oct, 2024 | 17:03
Updated-28 Feb, 2025 | 11:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Low-privileged user could run search as nobody in SplunkDeploymentServerConfig app

In Splunk Enterprise versions below 9.3.1, and 9.2.0 versions below 9.2.3, and Splunk Cloud Platform versions below 9.2.2403.103, 9.1.2312.200, 9.1.2312.110 and 9.1.2308.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a search as the "nobody" Splunk user in the SplunkDeploymentServerConfig app. This could let the low-privileged user access potentially restricted data.

Action-Not Available
Vendor-Splunk LLC (Cisco Systems, Inc.)
Product-splunksplunk_cloud_platformSplunk Cloud PlatformSplunk Enterprisesplunk_enterprisesplunk_cloud_platform
CWE ID-CWE-862
Missing Authorization
CVE-2024-43932
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 47.43%
||
7 Day CHG+0.04%
Published-01 Nov, 2024 | 14:17
Updated-13 Nov, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress The Plus Addons for Elementor plugin <= 5.6.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.6.2.

Action-Not Available
Vendor-posimythPOSIMYTH
Product-the_plus_addons_for_elementorThe Plus Addons for Elementor Page Builder Lite
CWE ID-CWE-862
Missing Authorization
CVE-2022-38183
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 49.24%
||
7 Day CHG+0.04%
Published-12 Aug, 2022 | 00:00
Updated-03 Aug, 2024 | 10:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

Action-Not Available
Vendor-gitean/a
Product-gitean/a
CWE ID-CWE-862
Missing Authorization
CVE-2022-4384
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.58% / 67.83%
||
7 Day CHG~0.00%
Published-06 Feb, 2023 | 19:59
Updated-25 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stream < 3.9.2 - Subscriber+ Alert Creation

The Stream WordPress plugin before 3.9.2 does not prevent users with little privileges on the site (like subscribers) from using its alert creation functionality, which may enable them to leak sensitive information.

Action-Not Available
Vendor-xwpUnknown
Product-streamStream
CWE ID-CWE-862
Missing Authorization
CVE-2024-3976
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.03% / 5.47%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 12:02
Updated-06 Aug, 2025 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a public project to unauthorised instance users.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2022-42909
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 20.67%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WEPA Print Away does not verify that a user has authorization to access documents before generating print orders and associated release codes. This could allow an attacker to generate print orders and release codes for documents they don´t own and print hem without authorization. In order to exploit this vulnerability, the user must have an account with wepanow.com or any of the institutions they serve, and be logged in.

Action-Not Available
Vendor-wepanowWEPA
Product-print_awayWepa Print Away
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-862
Missing Authorization
CVE-2024-38777
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.36% / 57.34%
||
7 Day CHG+0.15%
Published-01 Nov, 2024 | 14:17
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Titan Anti-spam & Security plugin <= 7.3.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in CreativeMotion Titan Anti-spam & Security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Titan Anti-spam & Security: from n/a through 7.3.6.

Action-Not Available
Vendor-CreativeMotion
Product-Titan Anti-spam & Security
CWE ID-CWE-862
Missing Authorization
CVE-2022-41250
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 61.74%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 15:46
Updated-27 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-scm_httpclientJenkins SCM HttpClient Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-41254
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 59.23%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 15:46
Updated-28 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-cons3rtJenkins CONS3RT Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-41246
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 30.90%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 15:46
Updated-27 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-worksoft_execution_managerJenkins Worksoft Execution Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-37363
Matching Score-4
Assigner-Hitachi Vantara
ShareView Details
Matching Score-4
Assigner-Hitachi Vantara
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 20.13%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 23:40
Updated-20 Feb, 2025 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862)  Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an authorization check in the data source management service. When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.

Action-Not Available
Vendor-Hitachi Vantara LLC
Product-Pentaho Data Integration & AnalyticsPentaho Business Analytics Server
CWE ID-CWE-862
Missing Authorization
CVE-2022-3961
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 44.25%
||
7 Day CHG~0.00%
Published-19 Dec, 2022 | 13:41
Updated-17 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directorist < 7.4.4 - Subscriber+ Sensitive Information Disclosure

The Directorist WordPress plugin before 7.4.4 does not prevent users with low privileges (like subscribers) from accessing sensitive system information.

Action-Not Available
Vendor-wpwaxUnknown
Product-directoristDirectorist
CWE ID-CWE-862
Missing Authorization
CVE-2023-7068
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 48.85%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 08:29
Updated-17 Jun, 2025 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on theprint_packinglist action in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to export orders which can contain sensitive information.

Action-Not Available
Vendor-webtoffeewebtoffee
Product-woocommerce_pdf_invoices\,_packing_slips\,_delivery_notes_and_shipping_labelsWooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
CWE ID-CWE-862
Missing Authorization
CVE-2022-36888
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 61.29%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 14:22
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins HashiCorp Vault Plugin 354.vdb_858fd6b_f48 and earlier allows attackers with Overall/Read permission to obtain credentials stored in Vault with attacker-specified path and keys.

Action-Not Available
Vendor-Jenkins
Product-hashicorp_vaultJenkins HashiCorp Vault Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-36896
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 61.29%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 14:23
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-compuware_source_code_download_for_endevor\,_pds\,_and_ispwJenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-6821
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 51.32%
||
7 Day CHG~0.00%
Published-18 Mar, 2024 | 19:05
Updated-27 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Error Log Viewer < 1.1.3 - Directory Listing to Sensitive Data Exposure

The Error Log Viewer by BestWebSoft WordPress plugin before 1.1.3 is affected by a Directory Listing issue, allowing users to read and download PHP logs without authorization

Action-Not Available
Vendor-UnknownBestWebSoft
Product-error_log_viewerError Log Viewer by BestWebSoft
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-548
Exposure of Information Through Directory Listing
CVE-2023-6554
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-6.5||MEDIUM
EPSS-0.18% / 40.30%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 15:17
Updated-20 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing authorisation in TCExam

When access to the "admin" folder is not protected by some external authorization mechanisms e.g. Apache Basic Auth, it is possible for any user to download protected information like exam answers.

Action-Not Available
Vendor-tecnickTecnick.com
Product-tcexamTCExam
CWE ID-CWE-862
Missing Authorization
CVE-2023-6077
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 54.04%
||
7 Day CHG~0.00%
Published-18 Dec, 2023 | 20:08
Updated-02 Aug, 2024 | 08:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Slider - Ultimate Responsive Image Slider < 3.5.12 - Subscriber+ Arbitrary Post Access

The Slider WordPress plugin before 3.5.12 does not ensure that posts to be accessed via an AJAX action are slides and can be viewed by the user making the request, allowing any authenticated users, such as subscriber to access the content arbitrary post such as private, draft and password protected

Action-Not Available
Vendor-wpfrankUnknown
Product-slider_factory_proSlider
CWE ID-CWE-862
Missing Authorization
CVE-2022-32220
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 45.27%
||
7 Day CHG~0.00%
Published-23 Sep, 2022 | 18:28
Updated-22 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room.

Action-Not Available
Vendor-rocket.chatn/a
Product-rocket.chatRocket.Chat
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2022-30959
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.81% / 73.21%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 14:06
Updated-03 Aug, 2024 | 07:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-sshJenkins SSH Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-30955
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.81% / 73.21%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 14:06
Updated-03 Aug, 2024 | 07:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-gitlabJenkins GitLab Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-28158
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 60.04%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 12:31
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-pipeline\Jenkins Pipeline: Phoenix AutoTest Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-27211
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.75% / 72.22%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 16:46
Updated-15 Oct, 2024 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-kubernetes_continuous_deployJenkins Kubernetes Continuous Deploy Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-27209
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.75% / 72.22%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 16:45
Updated-03 Aug, 2024 | 05:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-kubernetes_continuous_deployJenkins Kubernetes Continuous Deploy Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-25201
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 30.58%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 16:11
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-checkmarxJenkins Checkmarx Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-52230
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 51.34%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 09:08
Updated-02 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Booster Plus for WooCommerce plugin < 7.1.3 - Authenticated Arbitrary WordPress Option Disclosure Vulnerability

Missing Authorization vulnerability in Pluggabl LLC Booster Plus for WooCommerce.This issue affects Booster Plus for WooCommerce: from n/a before 7.1.3.

Action-Not Available
Vendor-boosterPluggabl LLC
Product-booster_for_woocommerceBooster Plus for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2022-25193
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 36.69%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 16:11
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-snow_commanderJenkins Snow Commander Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-48242
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 11.83%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 14:44
Updated-21 May, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Legal Pages <= 1.4.5 - Broken Access Control Vulnerability

Missing Authorization vulnerability in wpWax Legal Pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Legal Pages: from n/a through 1.4.5.

Action-Not Available
Vendor-wpWax
Product-Legal Pages
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • ...
  • 5
  • 6
  • 7
  • Next
Details not found