Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-8807

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-10 Aug, 2025 | 11:32
Updated At-12 Aug, 2025 | 16:02
Rejected At-
Credits

xujeff tianti 天梯 save authorization

A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:10 Aug, 2025 | 11:32
Updated At:12 Aug, 2025 | 16:02
Rejected At:
▼CVE Numbering Authority (CNA)
xujeff tianti 天梯 save authorization

A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Products
Vendor
xujeff
Product
tianti 天梯
Versions
Affected
  • 2.0
  • 2.1
  • 2.2
  • 2.3
Problem Types
TypeCWE IDDescription
CWECWE-862Missing Authorization
CWECWE-863Incorrect Authorization
Type: CWE
CWE ID: CWE-862
Description: Missing Authorization
Type: CWE
CWE ID: CWE-863
Description: Incorrect Authorization
Metrics
VersionBase scoreBase severityVector
4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3.06.3MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2.06.5N/A
AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 3.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 2.0
Base score: 6.5
Base severity: N/A
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Advisory disclosed2025-08-09 00:00:00
VulDB entry created2025-08-09 02:00:00
VulDB entry last update2025-08-09 09:56:12
Event: Advisory disclosed
Date: 2025-08-09 00:00:00
Event: VulDB entry created
Date: 2025-08-09 02:00:00
Event: VulDB entry last update
Date: 2025-08-09 09:56:12
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/?id.319336
vdb-entry
https://vuldb.com/?ctiid.319336
signature
permissions-required
https://vuldb.com/?submit.626344
third-party-advisory
https://github.com/N1n3b9S/cve/issues/15
issue-tracking
https://github.com/N1n3b9S/cve/issues/15#issue-3280910303
exploit
issue-tracking
Hyperlink: https://vuldb.com/?id.319336
Resource:
vdb-entry
Hyperlink: https://vuldb.com/?ctiid.319336
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/?submit.626344
Resource:
third-party-advisory
Hyperlink: https://github.com/N1n3b9S/cve/issues/15
Resource:
issue-tracking
Hyperlink: https://github.com/N1n3b9S/cve/issues/15#issue-3280910303
Resource:
exploit
issue-tracking
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/N1n3b9S/cve/issues/15
exploit
Hyperlink: https://github.com/N1n3b9S/cve/issues/15
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:10 Aug, 2025 | 12:15
Updated At:12 Aug, 2025 | 16:15

A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Secondary2.06.5MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
Type: Secondary
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 2.0
Base score: 6.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Secondarycna@vuldb.com
CWE-863Secondarycna@vuldb.com
CWE ID: CWE-862
Type: Secondary
Source: cna@vuldb.com
CWE ID: CWE-863
Type: Secondary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/N1n3b9S/cve/issues/15cna@vuldb.com
N/A
https://github.com/N1n3b9S/cve/issues/15#issue-3280910303cna@vuldb.com
N/A
https://vuldb.com/?ctiid.319336cna@vuldb.com
N/A
https://vuldb.com/?id.319336cna@vuldb.com
N/A
https://vuldb.com/?submit.626344cna@vuldb.com
N/A
https://github.com/N1n3b9S/cve/issues/15134c704f-9b21-4f2e-91b3-4a467353bcc0
N/A
Hyperlink: https://github.com/N1n3b9S/cve/issues/15
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/N1n3b9S/cve/issues/15#issue-3280910303
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/?ctiid.319336
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/?id.319336
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/?submit.626344
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/N1n3b9S/cve/issues/15
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

0Records found
CVE-2019-0384
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.35% / 56.88%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 19:24
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for functionalities that require user identity.

Action-Not Available
Vendor-SAP SE
Product-treasury_and_risk_management_\(s4core\)enterprise_extension_financial_servicesSAP Treasury and Risk Management (EA-FINSERV)SAP Treasury and Risk Management (S4CORE)
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-0386
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.3||MEDIUM
EPSS-0.25% / 48.30%
||
7 Day CHG~0.00%
Published-13 Nov, 2019 | 22:18
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Order processing in SAP ERP Sales (corrected in SAP_APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18) and S4HANA Sales (corrected in S4CORE 1.0, 1.01, 1.02, 1.03, 1.04) does not execute the required authorization checks for an authenticated user, which can result in an escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-s4hana_saleserp_salesS4HANA Sales (S4CORE)SAP ERP Sales (SAP_APPL)
CWE ID-CWE-862
Missing Authorization
CVE-2019-0258
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.46% / 63.18%
||
7 Day CHG~0.00%
Published-15 Feb, 2019 | 18:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Disclosure Management, version 10.01, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-disclosure_managementSAP Disclosure Management
CWE ID-CWE-862
Missing Authorization
CVE-2019-0257
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-1.10% / 77.14%
||
7 Day CHG~0.00%
Published-15 Feb, 2019 | 18:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-netweaver_as_abapnetweaver_application_server_abapABAP Platform(SAP Basis)
CWE ID-CWE-862
Missing Authorization
CVE-2019-0279
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.34% / 55.67%
||
7 Day CHG~0.00%
Published-10 Apr, 2019 | 20:17
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-business_application_software_integrated_solutionSAP BASIS
CWE ID-CWE-862
Missing Authorization
CVE-2019-0276
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.52% / 65.95%
||
7 Day CHG~0.00%
Published-12 Mar, 2019 | 22:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Banking services from SAP 9.0 (FSAPPL version 5) and SAP S/4HANA Financial Products Subledger (S4FPSL, version 1) performs an inadequate authorization check for an authenticated user, potentially resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-banking_services_from_saps\/4hana_financial_products_subledgerBanking services from SAP 9.0 (FSAPPL)SAP S/4HANA Financial Products Subledger (S4FPSL)
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-0280
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.38% / 58.85%
||
7 Day CHG~0.00%
Published-14 May, 2019 | 20:20
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Treasury and Risk Management (EA-FINSERV 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18 and 8.0; S4CORE 1.01, 1.02 and 1.03), does not perform necessary authorization checks for authorization objects T_DEAL_DP and T_DEAL_PD , resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-treasury_and_risk_managementSAP Enterprise Financial Services (S4CORE)SAP Treasury and Risk Management(EA-FINSERV)
CWE ID-CWE-862
Missing Authorization
CVE-2019-0349
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-7.2||HIGH
EPSS-0.37% / 58.17%
||
7 Day CHG~0.00%
Published-14 Aug, 2019 | 14:54
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute “Go to statement” without possessing the authorization S_DEVELOP DEBUG 02, resulting in Missing Authorization Check

Action-Not Available
Vendor-SAP SE
Product-advanced_business_application_programming_platform_kernelSAP Kernel (KRNL64UC)SAP Kernel (KRNL64NUC)SAP Kernel (KRNL32UC)SAP Kernel (KRNL32NUC)SAP Kernel (KERNEL)
CWE ID-CWE-862
Missing Authorization
CVE-2019-0243
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.52% / 65.95%
||
7 Day CHG~0.00%
Published-08 Jan, 2019 | 20:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-bw\/4hanaSAP BW/4HANA (DW4CORE)
CWE ID-CWE-862
Missing Authorization
CVE-2019-0270
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.46% / 63.18%
||
7 Day CHG~0.00%
Published-12 Mar, 2019 | 22:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ABAP Server of SAP NetWeaver and ABAP Platform fail to perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has been corrected in the following versions: KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.74, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, 7.74, 8.04, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73, 7.74, 7.75, 8.04.

Action-Not Available
Vendor-SAP SE
Product-advanced_business_application_programming_platform_kerneladvanced_business_application_programming_platform_krnl64ucadvanced_business_application_programming_platform_krnl32ucadvanced_business_application_programming_platform_krnl32nucadvanced_business_application_programming_platform_krnl64nucABAP Platform & Server (KRNL32UC)ABAP Platform & Server (KERNEL)ABAP Platform & Server (KRNL64UC)ABAP Platform & Server (KRNL64NUC)ABAP Platform & Server (KRNL32NUC)
CWE ID-CWE-862
Missing Authorization
CVE-2019-0383
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.41% / 60.22%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 19:21
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-treasury_and_risk_management_\(s4core\)enterprise_extension_financial_servicesSAP Treasury and Risk Management (EA-FINSERV)SAP Treasury and Risk Management (S4CORE)
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-6980
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-7.2||HIGH
EPSS-0.30% / 52.80%
||
7 Day CHG~0.00%
Published-13 Nov, 2018 | 22:00
Updated-05 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VMware vRealize Log Insight (4.7.x before 4.7.1 and 4.6.x before 4.6.2) contains a vulnerability due to improper authorization in the user registration method. Successful exploitation of this issue may allow Admin users with view only permission to perform certain administrative functions which they are not allowed to perform.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-vrealize_log_insightVMware vRealize Log Insight
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-5692
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.05% / 16.37%
||
7 Day CHG~0.00%
Published-02 Jul, 2025 | 02:03
Updated-27 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lead Form Data Collection to CRM <= 3.1 - Missing Authorization to Authenticated (Subscriber+) Many Actions

The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates.

Action-Not Available
Vendor-smackcoderssmackcoders
Product-lead_form_data_collection_to_crmLead Form Data Collection to CRM
CWE ID-CWE-862
Missing Authorization
CVE-2010-3782
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.29% / 51.87%
||
7 Day CHG~0.00%
Published-02 Jan, 2020 | 18:39
Updated-07 Aug, 2024 | 03:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

obs-server before 1.7.7 allows logins by 'unconfirmed' accounts due to a bug in the REST api implementation.

Action-Not Available
Vendor-obs-servern/aSUSE
Product-linux_enterprise_serverobs-servern/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-7079
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.2||HIGH
EPSS-0.34% / 55.90%
||
7 Day CHG~0.00%
Published-07 Dec, 2018 | 21:00
Updated-05 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Aruba ClearPass Policy Manager guest authorization failure. Certain administrative operations in ClearPass Guest do not properly enforce authorization rules, which allows any authenticated administrative user to execute those operations regardless of privilege level. This could allow low-privilege users to view, modify, or delete guest users. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix.

Action-Not Available
Vendor-Aruba NetworksHewlett Packard Enterprise (HPE)
Product-clearpass_policy_managerAruba ClearPass Policy Manager
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-8028
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-8.8||HIGH
EPSS-0.14% / 34.18%
||
7 Day CHG~0.00%
Published-23 Aug, 2018 | 15:00
Updated-05 Aug, 2024 | 06:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without being authorized by Apache Sentry before 2.0.1. This can allow an attacker unauthorized access to the partitioned data of a Sentry protected table and can allow an attacker to remove data from a Sentry protected table.

Action-Not Available
Vendor-The Apache Software Foundation
Product-sentryApache Sentry
CWE ID-CWE-862
Missing Authorization
CVE-2009-3168
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-0.90% / 74.69%
||
7 Day CHG~0.00%
Published-11 Sep, 2009 | 20:00
Updated-21 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mevin Productions Basic PHP Events Lister 2.0 does not properly restrict access to (1) admin/reset.php and (2) admin/user_add.php, which allows remote authenticated users to reset administrative passwords or add administrators via a direct request.

Action-Not Available
Vendor-mevinn/a
Product-basic_php_events_listern/a
CWE ID-CWE-862
Missing Authorization
CVE-2018-2494
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8||HIGH
EPSS-0.29% / 52.23%
||
7 Day CHG~0.00%
Published-11 Dec, 2018 | 23:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform.

Action-Not Available
Vendor-SAP SE
Product-business_application_software_integrated_solutionSAP Basis (AS ABAP of SAP NetWeaver)SAP Basis (ABAP Platform)
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-2461
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.49% / 64.67%
||
7 Day CHG~0.00%
Published-11 Sep, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization check in SAP HCM Fiori "People Profile" (GBX01 HR version 6.0) for an authenticated user which may result in an escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-people_profileGBX01 HR
CWE ID-CWE-862
Missing Authorization
CVE-2022-4974
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 22.07%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-16 Oct, 2024 | 18:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Freemius SDK <= 2.4.2 - Missing Authorization Checks

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

Action-Not Available
Vendor-cloudspongethinleekgallerycreatorinfornwebcollizo4skyivanchernyakovshamim51plugins360dudoninjalibsprelcwpcohort/elliotvsmumarym1985galooverwupokitforestsjavedtropicalistamilukove/wpscriptssmartwpresswpdeliciouswebheadllcvanyukovdavidandersontycoon12344jburleigh1cleverpluginsmunirkamalstreamweaselsthemeseiwphrmanagerwordplusedgegallerypluginwpjolijanthielemanndgwyerwpconedevwebba-agencysj_owhiteshadowlinekalsmusman98blockmeistersvenl77rafalosinskinpluginsrichard-bjohnc1979sindyakinsergeianasbinmukimgreenjaymedialivemeshdjenhsebettauhidproinvisnetmaurolopes/sovstacksslzenwpvibessnazzythemespopeatingsmgteambuttonizerkairawptbethereumicoiopmbaldha/modulemastersmantrabrainrankbearuriahs-victorfrostbourntickeraavidthemes/daniyalahmedkggriesserpasyukmcurlymohammedrezqboriscolombier/webmuehlemajickgloriousthemeswpbitsbeeneebstaxwpldninjas/bouncingsproutfrenifycloudlivingclosemarketing/cadudecastroalvesmberdingarabianmidokokomowebpremmercekitthemesmeowcrewtheafricanbossbavokoservicesw3scloudboltonstudiosoceasmaciejbak85toddhalfpennyhiddenpearlsdarellelementinvaderflexithemessamuelsilvaptdeothemesronena100setkalkoudalanfrageformularalex-yexjohnykakdevsmattpramschufercodexonicsmelapressdotsandyabelowtobias_conrad/fsruslanbpluginsdejanmarkovicessekiaweconnectcodetprintyedisonavepatrickposnerdreamfoxbandidosonalsinha21mdedevcromer12benmoreassyntequalizedigitalsurbmakaizencodersgfiremmarviorochawpchillbrandonfirecreativethemeshqannastaajavmahwpgeniuztranzlyjurskikaggdesigngkher/listpluswpeventpartners/muhammad-rehmanmeepluginskylegilmanalexmossmbrown24ivacyjcodexspartacrenaudbodeedeesangarandamian-goramnelson4dotrexmoomooagencywpcohort5starpluginsfullworkspassionatebrainsatakanozpluginswareultimateblocksmulticollabwpschoolcalendaralekvcodeiescommercepunditnitin247getsparrowahmed17halmatdangub86divisumobadhonrocksrafacarvalhidoimtiazrayhanpagebuildersandwichwalkerwpjanwyldam6plrisethemeprasadkirpekarwpexpertsiomaxsdesignvinod-dalviwpdevpowersblockypageversacompvernalh3technologiescypressnorthtripettokartechifyusmanaliqureshijosevegathijziewpmunichprinceahmedvohotv/mikewire_rocksolidsamdaniproteusthemesalanfulleroloyede-jamiuintoxstudiolimbcodeblocksparenasirahmedgiladtakoni9brada6wgaugepagupdaigo75svovafcyberhobozeethememilukovechetmacinputwpseancarricoxplodedthemeslostboy7wpt00lskartikparmaraguilerasoftwpdeverfastaf/royalnavneetwppluginexpertslynn999litonice13clickervoltglowlogixshelob9woodyhaydayivan_paulinbilaltasirkanuupfivsakurapixeljkohlbachnicheaddonsattestdrosendocliffpaulickcarlosmoreiraptsslatlasankitmarubfintalwiserstepsslidedeckpmbaldhakartikparmar/dovypthemestykenanfallonscrollsequencedanielealessandrasebet/codeatlanticmte90blackandwhitedigitalpatrickgarmanstarfishwptheafricanboss/ekanathmasterblockschillichallimatstarsrebelcodedipcodecodesavoryanssilaitilamarcqueraltstylingwebbenpluginandplayappexpertsiothemeythemesjwindactuaryzaskpootlepress/lukeseagerjwebsoljack-kitterhingalphabposerviceinfosatechskymindsolezhyk5therealwebdisruptsalttechnodiviframeworkmojofywpthemelocationskshaikatmikebelsalleythemescebbimohsinofflinevincoitpenguininitiativeswpeka-clubwpmagicshumblethemeswpsoulmihail-barinovultradevsmilmorbestpluginswordpresskhothemesjaydeep-nimavatfoxmoonclosemarketingwoopopsshabtiwebtechstreetco2okoceanwpejslondon/mvvapps/wpenginebycrikiksstudiohqthemetobias_conradkrspzerozendesignparetodigitalshawoninfomatthias-reuterthecodechimepootlepresstonyzeoliunitecmsmhmrajibdanish-aliggeddeibenicpeterschulznlwptravelenginejetixwpelbisnerodvizheniapowerfulwpwordpresschefstevehentytribalnerdwpmoosexyulexpaulio21cmbibby/protectyouruploadswp-makingstevejburgeswitcorptakanakuimaltathemesinterfacelabpippozanardomajick/jamesparkninjagowebsmartyaharonyankkikuchi1220bradvinseezeesyntacticsRoyal Elementor AddonsBdThemesThe Events Calendar (StellarWP)Themeisle
Product-Panorama Viewer- Best Plugin to Display Panoramic Images/VideosWooCommerce Variation Swatches for ProductsEasy Post Views CountWoocommerce Customer Reviews with Artificial Intelligence analyzis, with IBM Watson Tone AnalyzerOcean ExtraCodeKit – Custom Codes EditorForm Vibes – Database Manager for FormsGFireM Advance SearchSTEWoo – Super Transactional Emails for WooCommerceBlockMeister – Block Pattern BuilderWordPress Directory Plugin For Business Listings – WP Local PlusAirpressWP Sessions Time Monitoring Full AutomaticEmails Blacklist for Everest FormsSmart Floating / Sticky Buttons – Call, Sharing, Chat Widgets & More – ButtonizerExpire tagsXT Ajax Add To Cart for WooCommerceBefore and After Product Images for WooCommerceVillarWP Search FilterFunnelmentalsFrontend group restriction for LearnDashSEO BoosterTeam Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and MorePro Broken Links MaintainerPremmerce Product Filter for WooCommerceDancePress (TRWA)Walker CoreBAVOKO SEO Tools – All-in-One WordPress SEOWP Security Safejav&#039;s – WooCommerce and Trello integration WooTrelloWP School CalendarBooking Addon for WooCommerceStation ProProduct Carousel For WooCommerce – WoorouSellCartPops – High Converting Add To Cart Popup For WooCommerceGiveaways for woocommerceBuddyPress WooCommerce My Account Integration. Create WooCommerce Member PagesGreenshift – animation and page builder blocksAtlas – Knowledge BaseWP GratifyBetter Messages – Integration for WC Vendors MarketplaceBlocksy CompanionQyrr – simply and modern QR-Code creationannasta Woocommerce Product FiltersWP Tools Gravity Forms Divi ModuleTablesome – Form DB & Automation – WPForms, Contact Form 7, Elementor, Forminator, Fluent, GravityClimateClick: Climate Action for allA no-code page builder for beautiful performance-based contentArendelleMarket ExporterConnected SermonsLightbox & Modal Popup WordPress Plugin – FooBoxStarfish Review Generation & Marketing for WordPressWooCommerce Disable Payment Methods based on cart conditionsSticky add to cart for WooPost Slider and Post Carousel with Post Vertical Scrolling Widget – A Responsive Post SliderSecurity Ninja – Secure Firewall & Secure Malware ScannerPopOverXYZ – Show Light Weight Beautiful Tool Tips On Any TextEasy Age VerifyNotification Bar, Announcement and Cookie Notice WordPress Plugin – FooBarPremmerce Variation Swatches for WooCommerceProduct Size Charts Plugin for WooCommercePost Carousel DiviAge Verification Screen for WooCommerceSuper Video Player- Best WordPress Video Display Plugin for mp4/OGGSimple Giveaways – Grow your business, email lists and traffic with contestsHQTheme ExtraGlossaryAutomizy Gravity FormsExtend Filter Products By Price WidgetOrder and Inventory Manager for WooCommerceAdvanced Database ReplacerStore Toolkit – WooCommerce Extensions, Quick Enhancements & Handy ToolsLivemesh Addons for Beaver BuilderAbeta Link PunchOutMaster Blocks – Gutenberg Site BuilderPremmerce Permalink Manager for WooCommerceShipping Method Display Style for WooCommerceSpanish Market Enhancements for WooCommerceFeedbackScout: The easiest way to collect, prioritise, manage and track customer feedback.Restaurant & Cafe Addon for ElementorPost Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)WordPress Slider Block GutensliderWP Lead StreamAquarella LiteReally Simple Featured Video – Featured video support for Posts, Pages & WooCommerce ProductsVidSEO | WordPress Video SEO embedder with transcripts (Youtube & Vimeo)WPMailer – The best mail builder, No More Core for your emails support Elementor, CF7 forms etc…Multi Page Auto Advance for Gravity FormsTreePress – Easy Family Trees & Ancestor ProfilesCookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy)3D Viewer – 3D Model Viewer PluginPurusDisplay Eventbrite EventsMedia Cloud for Bunny CDN, Amazon S3, Cloudflare R2, Google Cloud Storage, DigitalOcean and moreAPPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android AppsWP Event Partners – WordPress Plugin for Event and Conference ManagementFloating Social Share Icons and Social Share buttons – Next Previous Post Links – FLPortfolio for Elementor & Image Gallery | PowerFolioWidgets for WooCommerce Products on ElementorStoreCustomizer – A plugin to Customize all WooCommerce PagesEmail Tracker – Email Tracking Plugin to track Emails for Open and Email Links Click (Compatible with WooCommerce)Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)Custom WooCommerce Checkout Fields EditorEqualize Digital Accessibility Checker – Audit Your Website for WCAG, ADA, and Section 508 Accessibility ErrorsSalon Booking SystemWooCommerce EU VAT AssistantThe Events CalendarBulk Attachment DownloadListPlus – Unlimited Listing DirectoryMenu Item SchedulerWP Photo EffectsWordPress Reviews by ReviewPressAuto SEO META keywords (META tags keywords) optimization + WooCommerceJoli Table Of ContentsOne Click LoginEmail Header FooterBulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO)Woocommerce Customers Order HistoryImage Photo Gallery Final Tiles GridNitek Carousel Slider Cool TransitionsEasy Zillow ReviewsStreamCast – Radio Player for WordPressXT Variation Swatches for WooCommerceMenu Image, Icons made easyCryptocurrency Portfolio TrackerWS BootstrapWP Mobile Menu – The Mobile-Friendly Responsive MenuFast Checkout for WooCommerceSmart Variations Images & Swatches for WooCommerceMailChimp ManagerWp My Admin BarDeals of the Day WooCommerceHasiumResponsive Social Slider WidgetPage Builder Gutenberg Blocks – Kioken BlocksPage Builder Sandwich – Front End WordPress Page Builder PluginLivemesh SiteOrigin WidgetsViralikeCustom Registration and Custom Login Forms with New RecaptchaBattle Suit for DiviJDs PortfolioSV Proven ExpertVO Store Locator – WP Store Locator PluginReset Course Progress For LearnDashFront End PMRecurWP – WordPress Recurly Payment GatewayGlorious Services & SupportShubanIvory Search – WordPress Search PluginServer InfoBlog Sidebar WidgetAgy – Age verification for WooCommerceGoogle Analytics plugin for WordPress by GA4WPWP EasyPay – Square for WordPressWP Munich Blocks – Gutenberg Blocks for WordPressPremmerce Wishlist for WooCommerceNokkeBroadcast LiteWP Conference ScheduleEasy Newsletter SignupsAlley Business ToolkitReplyable – Subscribe to Comments and Reply by EmailNumber ChatCountry Based Payments for WooCommerceWebinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnitionSchema Plugin For Divi, Gutenberg & ShortcodesPower Ups for ElementorWordPress Everse Starter Sites – Elementor TemplatesContact Form 7 Multi-Step FormsAccept Stripe Donation and Payments – AidWPInternal Link Juicer: SEO Auto Linker for WordPressWoo UkrposhtaPage Builder for Gutenberg – StarterBlocksGet feedback from visitors – WP Feedback Suite PluginNEXUSBanner Management For WooCommerceScheduled Notification BarUltimate Blocks – WordPress Blocks PluginGenealogical Tree – WordPress Family TreeLearnMoreMaster Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & AnimationsProduct Author for WooCommerceLightbox – EverlightBox GalleryImpexium Single Sign OnLive TV Player – Worldwide Live TV Channels Player for WordPressPrice Bands for WooCommerceVit Website ReviewsRevolution for ElementorGloriousThemes Starter SitesWordPress Robots.txt optimizer (+ XML Sitemap) – Boost SEO, Traffic & RankingsGallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native galleryGo Fetch Jobs (for WP Job Manager)Geo MashupFive-Star Ratings ShortcodeActivity Log For MainWPContent Aware Sidebars – Fastest Widget Area PluginBaniInsert or Embed Articulate Content into WordPressRadio Station by netmix® – Manage and play your Show Schedule in WordPress!Anfrageformular – Multi Step Drag & Drop Formular Builder – LeadgenerierungTabs with Recommended Posts (Widget)Performance KitWP BugBotTag Groups is the Advanced Way to Display Your Taxonomy TermsRW Divi Unite GalleryWP Get PersonalAdvance Menu ManagerBulk WooCommerce Category CreatorWP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)LawPress – Law Firm Website ManagementTinyMCE AnnotateElationElements for LifterLMSGFireM FieldsHooked Editable ContentConsultPress LiteFooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & CarouselCategorify – WordPress Media Library Category & File ManagerRestrict User Access – Ultimate Membership & Content ProtectionJustified GalleryLocal Delivery Drivers for WooCommerceStreamWeasels Twitch IntegrationFocus on Reviews for WooCommerceWP Frontend Admin – Display WP Admin Pages in the FrontendSimple Sitemap – Create a Responsive HTML SitemapOpenseaAdd Pinterest conversion tags for Pinterest Ads + Site verificationWordPress Coupon Plugin for Bloggers and Marketers – WP OffersCryptocurrency Product for WooCommerceFast WordPressExtra Fees Plugin for WooCommercePrint My Blog – Print, PDF, & eBook Converter WordPress PluginStreak CRM For Gmail For Contact Form 7 – WordPress PluginSpotlight Social Feeds – Block, Shortcode, and WidgetWP-HR Manager: The Human Resources Plugin for WordPressCAPTCHA 4WP – Antispam CAPTCHA solution for WordPressDeMomentSomTres Grid ArchiveTarot Card OracleIntegrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files into Your WordPress SiteWooCommerce Customers Table: View, Search, Bulk EditorChat Button- Leads and Order over ChatAll in One Invite CodesWP Meta and Date RemoverRating-Widget: Star Review SystemSurbma | GDPR Proof Cookie Consent & Notice BarEasy Code SnippetsComments Not Replied ToImage Carousel For DiviCuisine PalaceWP Radio – Worldwide Online Radio Stations Directory for WordPressElastaDivi CollageSparrow: Product Reviews and Ratings for WooCommerceSV Tracking ManagerUltra Elementor AddonsWooCommerce Next Order CouponWP Contact SliderLive Scores for SportsPressPast Events ExtensionTiered Pricing Table for WooCommerceAnyWhere ElementorWP Coupons and Deals – WordPress Coupon PluginSky Login RedirectWPTools Masonry Gallery & Posts For DiviNugget by Ingot: Easy, automated and native A/B testing for everyoneWP Post BlockEverseProduct Options and Price Calculation Formulas for WooCommerce – Uni CPOFeatured Images in RSS for Mailchimp & MoreFiboSearch – Ajax Search for WooCommercePost Snippets – Custom WordPress Code Snippets CustomizerWP Smart Export (Free)Coinbase Commerce – Crypto Gateway for WooCommerceWP Dev Powers – Display Screen Dimensions to Admin PluginSSL Atlas – Free SSL Certificate & HTTPS Redirect for WordPressWP fail2ban – Advanced Security PluginXT Floating Cart for WooCommerceAuthorize.Net Payment Gateway For WooCommerceDivi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7Multipurpose Gutenberg BlockFood Store – Online Food Delivery & PickupEthereumICOACF for WooCommerce ProductPremmerce Redirect ManagerDesign for Contact Form 7 Style WordPress Plugin – CF7 WOW StylerKVoucherSheetPress – Manage WordPress Meta data with Google SheetsLive Drag and Drop Builder for Contact Form 7Ultimate Widgets LightPodcast Box – Best Podcasting Plugin for WordPressBlocked in China | Check if your site is available in the Chinese mainlandWP Author BioWooCommerce upcoming ProductsPremmerce Brands for WooCommerceVideo Player for YouTubeDelete All Comments of wordpressDigital Goods for WooCommerce CheckoutBulk Edit Posts and Products in SpreadsheetMarijuana Age VerifyWordPress News Plugin – TopNewsWpPremmerce WooCommerce Customers ManagerCP Simple NewsletterWP Frontend ProfileEasy Smooth Scroll Links – Smooth Scrolling AnchorPremmerce SEO for WooCommerceLittleBot InvoicesFrontend Admin by DynamiAppsInbound BrewCheckout with Venmo on EDDUltimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud)WC Shop Sync – Square Payment Gateway for WooCommerce, Inventory Sync Between Square and WooCommerce, Ultimate WooCommerce Square PluginBulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)Restrict – membership, site, content and user access restrictions for WordPressTK SmugMug Slideshow ShortcodeWP-Cron Status CheckerStrumenti Partita IVA per WoocommerceElementor Addons by LivemeshPrimary Addon for ElementorbbResolutionsNinja Libs Amazon SESWP SPID ItaliaMusic Player for Elementor – Audio Player & Podcast PlayerKnowledge Base documentation & wiki plugin – BasePress DocsModern Addons for Elementor Page BuilderBetter Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBossWP Group PromoterWidgets on PagesSpreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.SVG Flags – Beautiful Scalable Flags For All Countries!Anti-Spam by Fullworks : GDPR Compliant Spam ProtectionBulk Edit Categories and Tags – Create Thousands Quickly on the EditorDelete old Posts automaticallyPremmerceTop Bar – PopUps – by WPOptinLMS Plugin – eLearning, Online Courses by AttestPost to Google My Business (Google Business Profile)EthPress – Web3 LoginUnakitLicense Manager for WooCommerceSync eCommerce NEOTK Google Fonts GDPR CompliantWP Affiliate DisclosureBlockspare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding NeededSpeculorDomain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional)Ultimate Gutenberg – Custom Block TemplatesWidgets on Pages and PostsPayment gateway per Product for WooCommerceWP Notification BellConeBlog – Elementor Blog WidgetsWP Free SSL – Free SSL Certificate for WordPress and force HTTPSWP Table Builder – WordPress Table PluginMedia Library File DownloadEasy Social Feed – Social Photos Gallery – Post Feed – Like BoxCheckout with Zelle on WoocommerceWP EmailyUnlimited Elements For Elementor (Free Widgets, Addons, Templates)Frontend Admin – Add and edit posts, pages, users and more all from the frontendNicheBaseLimb Gallery | Create Beautiful Image & Video GalleriesRevivePress – Keep your Old Content EvergreenPixel Manager for WooCommerce – Track Google Analytics, Google Ads, TikTok and morePostcode RedirectW3SCloud Contact Form 7 to Zoho CRMShared Files – Frontend File Upload Form & Secure File SharingGrid & Styler For Contact Form 7 And DiviBlock, Suspend, Report for BuddyPressКнопка ЮMoneyChange Price Title for WooCommerceForceFieldHide Shipping Method For WooCommerceWordPress SEO ChecklistEvents Addon for ElementorSend Prebuilt EmailsWP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, Security+Appointment & Event Booking Calendar Plugin – Webba BookingDelete Duplicate PostsAlt ManagerJoli FAQ SEO – WordPress FAQ PluginChange Prices with Time for WooCommerceAdvanced Page Visit Counter – Most Wanted Analytics Plugin for WordPressKRSP Frontend File UploaderPay For Post with WooCommerceWooCommerce Bulk Edit Coupons – WP Sheet EditorPosts List Designer by Category – List Category Posts Or Recent PostsLocalSEOMapGFireM Action AfterBookPress – For Book AuthorsAdd Expires Headers & Optimized MinifyCoupon Affiliates – Affiliate Plugin for WooCommerceWP Activity LogDivi Content RestrictorCartoon UrlEvents Calendar RegistrationSecure IP LoginsShare This ImageDashy – Google Analytics advanced dashboardAmelaWordPress Dev Powers – ACF Color Coded Field Types PluginGutenberg Blocks – ACF Blocks SuiteScrollsequence – Cinematic Scroll Image Animation PluginPayment Gateway for PayFabricRankBearAwesome SSLFeatured Products First for WooCommerce – A Extension of WooCommerce (WooCommerce Addon Plugin)South Pole: Climate action nowPremmerce User RolesAdd Twitter Pixel for Twitter adsQuote for WooCommerce Lite – Add to Quote Plugin Lets Customers Request Custom Quotes for Products using the Request a Quote Plugin for WooCommerceAvailability datepicker – Integrate with Contact Form 7 and DiviWooCommerce PayPlugWPBITS Addons For Elementor Page BuilderWP SMS Plugin – WordPress SMS Two Factor Authentication – 2FA, Two Factor, OTP SMS and EmailFullscreen MenuFuse Social Floating SidebarVideopackmyCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for GamificationBlock Styler For Gravity FormsPremmerce Wholesale Pricing for WooCommerceBook BuyBack PricesProduct Customer List for WooCommerceGift Message for WooCommerceEasy PrayerPremmerce Multi-currency for WoocommerceQuick Paypal PaymentsMigrate WordPress Website & Backups – Prime MoverIks Menu – WordPress Category Accordion Menu & FAQsContact List – Premium Staff Listing, Business Directory Plugin & Address BookWordPress form builder plugin for contact forms, surveys and quizzes – TripettoUltimeterEthereum WalletSurveyFunnel – Survey Plugin for WordPressClickerVolt – Affiliate Links & Click Tracking for Performance MarketersWordPress Translation plugin for Post, Pages & WooCommerce products. Tranzly IO AI DeepL automatic WordPress Translator.azw woocommerce file uploadsDeMomentSomTres AddressWordPress Persistent LoginDrop Shadow BoxesGenerate Images – Magic Post ThumbnailAdFoxly – Ad Manager, AdSense Ads & Ads.txtRemove Add to Cart WooCommerceDynamic Pricing and Discount Rules for WooCommerceRadio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPressWCC SEO Keyword ResearchFAQ Manager For Divi, Gutenberg Block & ShortcodeAny Popup – Popup Forms, Optins & AdsWadi SurveySlideDeck: Responsive WordPress Slider PluginDocument Viewer- Plugin to Display MS Office DocsXT Quick View for WooCommercePlace Order Without Payment for WooCommerceBetter SharingTeam Collaboration Plugin for WordPress Editorial teams- MulticollabWP Travel Engine – Tour Booking Plugin – Tour Operator SoftwareBetter Elementor AddonsQuick Event ManagerRun Contests, Raffles, and Giveaways with ContestsWPSKT Templates – 100% free Elementor & Gutenberg templatesDelivery for WooCommerceQuick Contact FormFAQ / Accordion / Docs – Helpie WordPress FAQ Accordion pluginRocket Maintenance Mode & Coming Soon PageEther and ERC20 tokens WooCommerce Payment GatewayWPVisitorInfo – Show Visitor Information & Conditional Data Based On That InformationHM Multiple RolesUltimate Carousel For DiviAFI – The Easiest Integration PluginWP MooseFraud Prevention For WooCommerce and EDDBest Responsive Comparison Table for Gutenberg Editor – NicheTableAdd Tiktok Pixel for Tiktok ads (+Woocommerce)Contact Widgets For Elementor all the contact links you need in one placeProtect Uploads with Login – Protect Your UploadsBulk Edit and Create User Profiles – WP Sheet EditorDa ReactionsMass Pages/Posts CreatorWholesale for WooCommerce — This Wholesale Plugin Helps B2B and B2C Businesses Streamline Wholesale Products, Pricing, and User Roles, Automating their WooCommerce Wholesale StoresQuick Affiliate StoreWordPress Animation Plugin – Animated EverythingWPBakery Page Builder Addons by LivemeshProduct Attachment for WooCommerceAnnouncement & Notification Banner – BulletinAll-in-One Video GallerySocial Gallery LiteRun time Image resizingWUPO Group Attributes for WooCommerceMapGeo – Interactive Geo MapsPinblocks — Gutenberg blocks with Pinterest widgetsDivi Torque Lite – Divi Theme and Extra ThemeSocialMark – Easy Watermark/Logo on Social Media Post Link Share PreviewSQL Reporting Services – SSRS Plugin for WordPressGet Directions MapCaxton – Create Pro page layouts in GutenbergAnt Admin Notices for TeamBetter Messages – WCFM IntegrationZip Code RedirectRedirection for Contact Form 7Custom Login Page CustomizerGet Better Reviews for WooCommerceNew User ApproveTurbo WidgetsMobile View for Responsive web design optimization (UX design) + Mobile Friendly TestThank You Page for WooCommerceBuilder for WooCommerce product reviews shortcodes – ReviewShortkk Star Ratings – Rate Post & Collect User FeedbacksLogo Showcase – Responsive Logo Carousel, Logo Slider & Logo GridRaCar Clear Cart for WooCommerceDeMomentSomTres Media Tools AutoWordPress Google TranslateEasy Tiktok FeedModern Designs for Gravity FormsEasy Math Captcha for CF7Filr – Secure document libraryPreloader for DiviMeridiaWidget Detector for ElementorBrandAutomatic YouTube GalleryRest Routes – Custom Endpoints for WordPress REST APIPurosaYatri ToolsWoowGallery – image gallery / content gallery / ecommerce gallery / social gallery / video gallery / album photo galleryWP Required Taxonomies – Categories and Tags MandatoryWordPress Books GalleryWP Disable SitemapAdd Linkedin insight tags for Linkedin adsProduct Image Watermark for WooFooter Plugin for DiviOverlay Image Divi ModuleDuplicate Variations for WoocommerceWooCommerce Google Analytics Integration By Advanced WC AnalyticsDrip Feed Content Extended for LearndashError Log MonitorBlog Grid & Post Grid – Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry, Category Post Grid By News & Blog Designer PackPremmerce Product Search for WooCommerceYASR – Yet Another Star Rating Plugin for WordPressMultisite Robots.txt ManagerInternal Linking for SEO traffic & Ranking – Auto internal links (100% automatic)Woo Admin Product NotesRoyal Elementor Addons and TemplatesSnazzyAdmin WP Admin ThemeSocial KitwGauge – Free VersionElementor Addon ElementsWooCommerce Country Catalogs – Product Country RestrictionsWordPress SEO Audit Plugin – WP Site AuditorWP Tools Divi Product CarouselAds.txt & App-ads.txt Manager for WordPressSimple SponsorshipsKikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerceWP Page TemplatesGuest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front EditorWordPress WooCommerce Sync for Google SheetBooking Calendar | Appointment Booking | BookitFlat Rate Shipping Plugin For WooCommerceGuestofy – Restaurant Reservations Plugin, Room Planer, Reservation FormWP Link BioWordPress Dev Powers – Element Selector jQuery Powers PluginFull Page Blog DesignerTwentyFourth WP ScraperBlock Slider – Responsive Image Slider, Video Slider & Post SliderEnhanced Ecommerce Google Analytics for WooCommerceWidget for Contact form 7Stackable – Page Builder Gutenberg BlocksSimple Feature Requests Free – User Feedback BoardBlockyPage – Gutenberg Based Page BuilderWP AutoMedicGallery PhotoBlocksContact Form 7 – Capsule CRM – IntegrationEvent Tickets and RegistrationEasy Settings for LearnDashWordPress Auto SEO Plugin – Upfiv SEO WizardWP Relevant AdsForms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, WebhookUser Menus – Nav Menu VisibilityLittleBot ACH for Stripe + PlaidUnder ConstructionMaster Accordion ( Former WP Awesome FAQ Plugin )XT Points & Rewards for WooCommerceCF7 Constant Contact Fields MappingWP Data Access – WordPress App, Table and Form Builder pluginPassster – Password Protect Pages and ContentOut of stock display for woocommerceClean Social IconsCheckout with Cash App on EDDAutoSave NetSSL Certificate – Free SSL, HTTPS by SSL ZenGateway for PayLate on WooCommerceCourt Reservation – Manage Your Court Bookings OnlineAffiliate Link Builder Plugin for Amazon Associates – Review EngineAdvanced Custom Fields options import/exportRT Easy Builder – Advanced addons for ElementorThe best plugin for restrict content, support all Custom Post Types and Elementor – Password ProtectedChoice Payment Gateway for WooCommerceURL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPressWooCommerce Shipping gateway per ProductWP Tools Divi Blog CarouselSimple Social Page Widget & ShortcodeUltimate Bulk SEO Noindex Nofollow – Speed up Penalty Recovery Ultimate SEO BoosterEducation Addon for ElementorAdvanced Classifieds & Directory ProCode ManagerHuCommerce | Magyar WooCommerce kiegészítésekFree Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC BookingFeedpress Generator – External RSS Frontend CustomizerSTAX Header BuilderWP Google Street View (with 360° virtual tour) & Google maps + Local SEOUltimate Divi Modules Suite – Divi Sumo LiteWordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and ScheduleFIT: Featured Image ToolkitConversion de moneda WoocommerceWP Adminify – Custom WordPress Dashboard, Login and Admin CustomizerGo Viral – social share, social sharebar, social locker, social chat, open graph, reactions, share & view countersWooCommerce Bulk Edit Products – WP Sheet EditorWP SierraWordPress Gallery Plugin – Edge Photo GalleryPootle Pagebuilder – WordPress Page builderTickera – WordPress Event Ticketing
CWE ID-CWE-862
Missing Authorization
CVE-2024-24704
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 31.16%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 09:25
Updated-01 Aug, 2024 | 23:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Load More Anything plugin <= 3.3.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in AddonMaster Load More Anything.This issue affects Load More Anything: from n/a through 3.3.3.

Action-Not Available
Vendor-AddonMaster (Akhtarujjaman Shuvo)
Product-load_more_anythingLoad More Anything
CWE ID-CWE-862
Missing Authorization
CVE-2024-24739
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.3||MEDIUM
EPSS-0.11% / 29.86%
||
7 Day CHG~0.00%
Published-13 Feb, 2024 | 02:34
Updated-09 May, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing authorization check in SAP BAM (Bank Account Management)

SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-bank_account_managementSAP BAM (Bank Account Management)
CWE ID-CWE-862
Missing Authorization
CVE-2018-2454
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.49% / 64.67%
||
7 Day CHG~0.00%
Published-11 Sep, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 (in business function EAFS_BCA_BUSOPR_2) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-enterprise_financial_servicesSAP Enterprise Financial Services
CWE ID-CWE-862
Missing Authorization
CVE-2024-20438
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 23.08%
||
7 Day CHG~0.00%
Published-02 Oct, 2024 | 16:53
Updated-08 Oct, 2024 | 13:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Nexus Dashboard Fabric Controller Unauthorized REST API Vulnerability

A vulnerability in the REST API endpoints of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to read or write files on an affected device. This vulnerability exists because of missing authorization controls on some REST API endpoints. An attacker could exploit this vulnerability by sending crafted API requests to an affected endpoint. A successful exploit could allow the attacker to perform limited network-admin functions such as reading device configuration information, uploading files, and modifying uploaded files. Note: This vulnerability only affects a subset of REST API endpoints and does not affect the web-based management interface.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-nexus_dashboard_fabric_controllernexus_dashboardCisco Data Center Network Manager
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-862
Missing Authorization
CVE-2018-20501
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.12% / 31.46%
||
7 Day CHG~0.00%
Published-30 Dec, 2019 | 21:24
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-1677
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.16% / 37.17%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-05 Jun, 2025 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to an improper capability check on 42 separate AJAX functions in all versions up to, and including, 3.4.6. This makes it possible for authenticated attackers, with subscriber access and above, to fully control the plugin which includes the ability to modify plugin settings and profiles, and create, edit, retrieve, and delete templates and barcodes.

Action-Not Available
Vendor-ukrsolutionukrsolution
Product-print_labels_with_barcodesPrint Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-1851
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.05% / 14.56%
||
7 Day CHG~0.00%
Published-08 Mar, 2024 | 06:58
Updated-16 Apr, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_create_list() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating product lists.

Action-Not Available
Vendor-servitcservit
Product-affiliate-toolkitaffiliate-toolkit – WordPress Affiliate Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-13361
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.14% / 34.52%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 07:29
Updated-12 Feb, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Power: Complete AI Pack <= 1.8.96 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload image files and embed shortcode attributes in the image_alt value that will execute when sending a POST request to the attachment page.

Action-Not Available
Vendor-aipowersenols
Product-aipowerAI Power: Complete AI Pack
CWE ID-CWE-862
Missing Authorization
CVE-2018-2413
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.41% / 60.75%
||
7 Day CHG~0.00%
Published-10 Apr, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-disclosure_managementSAP Disclosure Management
CWE ID-CWE-862
Missing Authorization
CVE-2015-8840
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.48% / 63.91%
||
7 Day CHG~0.00%
Published-08 Apr, 2016 | 00:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215.

Action-Not Available
Vendor-n/aSAP SE
Product-netweaver_application_server_javan/a
CWE ID-CWE-862
Missing Authorization
CVE-2018-2381
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.47% / 63.78%
||
7 Day CHG~0.00%
Published-14 Feb, 2018 | 12:00
Updated-05 Aug, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP ERP Financials Information System (SAP_APPL 6.00, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16; SAP_FIN 6.17, 6.18, 7.00, 7.20, 7.30 S4CORE 1.00, 1.01, 1.02) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-erp_financials_information_systemSAP ERP Financials Information System
CWE ID-CWE-862
Missing Authorization
CVE-2024-10003
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.33% / 55.55%
||
7 Day CHG~0.00%
Published-22 Oct, 2024 | 04:31
Updated-25 Oct, 2024 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rover IDX <= 3.0.0.2903 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions

The Rover IDX plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 3.0.0.2903. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete plugin options.

Action-Not Available
Vendor-roveridxstevemullen
Product-rover_idxRover IDX
CWE ID-CWE-862
Missing Authorization
CVE-2021-36232
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.43% / 61.76%
||
7 Day CHG~0.00%
Published-31 Aug, 2021 | 17:37
Updated-04 Aug, 2024 | 00:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Authorization in multiple functions in MIK.starlight 7.9.5.24363 allows an authenticated attacker to escalate privileges.

Action-Not Available
Vendor-unit4n/a
Product-mik.starlightn/a
CWE ID-CWE-862
Missing Authorization
CVE-2018-2361
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.39% / 59.40%
||
7 Day CHG~0.00%
Published-09 Jan, 2018 | 15:00
Updated-05 Aug, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In SAP Solution Manager 7.20, the role SAP_BPO_CONFIG gives the Business Process Operations (BPO) configuration user more authorization than required for configuring the BPO tools.

Action-Not Available
Vendor-SAP SE
Product-solution_managerSAP Solution Manager
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-0828
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 29.66%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-15 Apr, 2025 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber access or higher, to delete, retrieve, or modify post metadata, retrieve posts contents of protected posts, modify conversion data and delete article audio.

Action-Not Available
Vendor-hammadhhammadh
Product-play.htPlay.ht – Make Your Blog Posts Accessible With Text to Speech Audio
CWE ID-CWE-862
Missing Authorization
CVE-2025-47565
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.04% / 12.26%
||
7 Day CHG~0.00%
Published-04 Jul, 2025 | 11:18
Updated-08 Jul, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EventON plugin <= 4.9.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in ashanjay EventON allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventON: from n/a through 4.9.9.

Action-Not Available
Vendor-ashanjay
Product-EventON
CWE ID-CWE-862
Missing Authorization
CVE-2018-2484
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.52% / 65.95%
||
7 Day CHG~0.00%
Published-08 Jan, 2019 | 20:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-sapscores4coreea-finservbank\/cfmSAP Enterprise Financial Services (S4CORE)SAP Enterprise Financial Services (EA-FINSERV)SAP Enterprise Financial Services (SAPSCORE)SAP Enterprise Financial Services (Bank/CFM)
CWE ID-CWE-862
Missing Authorization
CVE-2018-2436
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.49% / 64.67%
||
7 Day CHG~0.00%
Published-10 Jul, 2018 | 18:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Executing transaction WRCK in SAP R/3 Enterprise Retail (EHP6) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-r\/3_enterprise_retail SAP R/3 Enterprise Retail
CWE ID-CWE-862
Missing Authorization
CVE-2018-2455
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.49% / 64.67%
||
7 Day CHG~0.00%
Published-11 Sep, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 (in business function EAFS_BCA_BUSOPR_SEPA) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-enterprise_financial_servicesSAP Enterprise Financial Services
CWE ID-CWE-862
Missing Authorization
CVE-2021-33704
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.3||MEDIUM
EPSS-0.22% / 44.77%
||
7 Day CHG~0.00%
Published-15 Sep, 2021 | 18:01
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover the vulnerable function, no in-depth system knowledge is required. Once exploited via Network stack, the attacker may be able to read, modify or delete restricted data. The impact is that missing authorization can result of abuse of functionality usually restricted to specific users.

Action-Not Available
Vendor-SAP SE
Product-business_oneSAP Business One
CWE ID-CWE-862
Missing Authorization
CVE-2018-2412
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-3.8||LOW
EPSS-0.43% / 61.68%
||
7 Day CHG~0.00%
Published-10 Apr, 2018 | 15:00
Updated-05 Aug, 2024 | 04:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-disclosure_managementSAP Disclosure Management
CWE ID-CWE-862
Missing Authorization
CVE-2023-52117
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.85%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 08:44
Updated-02 Aug, 2024 | 22:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ProfileGrid plugin <= 5.6.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid: from n/a through 5.6.6.

Action-Not Available
Vendor-Metagauss Inc.
Product-profilegridProfileGridprofilegrid
CWE ID-CWE-862
Missing Authorization
CVE-2023-52177
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 32.13%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 08:42
Updated-01 Nov, 2024 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Integrate Google Drive plugin <= 1.3.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in SoftLab Integrate Google Drive.This issue affects Integrate Google Drive: from n/a through 1.3.3.

Action-Not Available
Vendor-softlabdbSoftLab
Product-integrate_google_driveIntegrate Google Drive
CWE ID-CWE-862
Missing Authorization
CVE-2023-50732
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.3||HIGH
EPSS-1.36% / 79.38%
||
7 Day CHG~0.00%
Published-21 Dec, 2023 | 19:42
Updated-02 Aug, 2024 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Velocity execution without script right through tree macro

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-33335
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-0.63% / 69.45%
||
7 Day CHG~0.00%
Published-03 Aug, 2021 | 21:03
Updated-13 May, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaldigital_experience_platformn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-43007
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.3||MEDIUM
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-13 May, 2025 | 00:19
Updated-13 May, 2025 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP Service Parts Management (SPM)

SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on confidentiality, integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP Service Parts Management (SPM)
CWE ID-CWE-862
Missing Authorization
CVE-2021-32829
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-1.39% / 79.55%
||
7 Day CHG~0.00%
Published-17 Aug, 2021 | 16:00
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post-authentication Remote Code Execution (RCE) in ZStack REST API

ZStack is open source IaaS(infrastructure as a service) software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs. Affected versions of ZStack REST API are vulnerable to post-authentication Remote Code Execution (RCE) via bypass of the Groovy shell sandbox. The REST API exposes the GET zstack/v1/batch-queries?script endpoint which is backed up by the BatchQueryAction class. Messages are represented by the APIBatchQueryMsg, dispatched to the QueryFacadeImpl facade and handled by the BatchQuery class. The HTTP request parameter script is mapped to the APIBatchQueryMsg.script property and evaluated as a Groovy script in BatchQuery.query the evaluation of the user-controlled Groovy script is sandboxed by SandboxTransformer which will apply the restrictions defined in the registered (sandbox.register()) GroovyInterceptor. Even though the sandbox heavily restricts the receiver types to a small set of allowed types, the sandbox is non effective at controlling any code placed in Java annotations and therefore vulnerable to meta-programming escapes. This issue leads to post-authenticated remote code execution. For more details see the referenced GHSL-2021-065. This issue is patched in versions 3.8.21, 3.10.8, and 4.1.0.

Action-Not Available
Vendor-zstackzstackio
Product-rest_apizstack
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-48761
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 23.12%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 10:20
Updated-16 Sep, 2024 | 13:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetElements For Elementor plugin <= 2.6.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in Crocoblock JetElements For Elementor.This issue affects JetElements For Elementor: from n/a through 2.6.13.

Action-Not Available
Vendor-crocoblockCrocoblock
Product-jetelementsJetElements For Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2023-47716
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.02% / 3.12%
||
7 Day CHG~0.00%
Published-01 Mar, 2024 | 02:22
Updated-15 Aug, 2025 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM FileNet Content Manager privilege escalation

IBM CP4BA - Filenet Content Manager Component 5.5.8.0, 5.5.10.0, and 5.5.11.0 could allow a user to gain the privileges of another user under unusual circumstances. IBM X-Force ID: 271656.

Action-Not Available
Vendor-IBM Corporation
Product-filenet_content_managercp4ba_-_filenet_content_managerFilenet Content Manager
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-44626
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.06% / 17.45%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 11:15
Updated-04 Apr, 2025 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Squirrly SEO (Peaks) plugin <= 12.1.20 - Broken Access Control vulnerability

Missing Authorization vulnerability in Squirrly SEO Plugin by Squirrly SEO.This issue affects SEO Plugin by Squirrly SEO: from n/a through 12.1.20.

Action-Not Available
Vendor-squirrlySquirrly
Product-seo_plugin_by_squirrly_seoSEO Plugin by Squirrly SEO
CWE ID-CWE-862
Missing Authorization
Details not found