CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise...
CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.
CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to comprom...
Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through 4.1.0.
Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_packa...
Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable ...
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive da...
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion. This issue affects WaveRide: from n/a through 1.4.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co. Blueprint allows PHP Local File Inclusion. This issue affects Blueprint: from n/a before 1.1.5.
A stack-based buffer overflow in the export_language.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via a crafted POST request to the /cgi-bin/admin/export_language.cgi endpoint. The handler passes the attacker-controll...
Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory. The documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or ...
NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in version 2.2.4 in the id parameter of the endpoint `/index.php?route=/queries/user/`. The application reflects user-supplied input from the id parameter into the HTML response ...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emilia Projects Progress Planner allows Stored XSS. This issue affects Progress Planner: from n/a through 1.9.0.
Missing Authorization vulnerability in Sekander Badsha Crew HRM allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crew HRM: from n/a through 1.2.2.
Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/* endpoints.
Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory.
An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Racquet allows PHP Local File Inclusion. This issue affects Racquet: from n/a through 1.12.0.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in androThemes Cookiteer allows PHP Local File Inclusion. This issue affects Cookiteer: from n/a through 1.4.8.