CWE: Common Weakness Enumeration (CWE)

Title | Date | Author | Med.
CTFd 2.1.5 Administrator Account Takeover | 04.01.2020 | Social Engineering Neo

CVE | Details | Description
2022-08-22 | Waiting for details | CVE-2022-2544
Details: Updating...
Description: The Ninja Job Board WordPress plugin before 1.3.3 does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated Directory Listing which allows the download of uploaded resumes.

Waiting for details | CVE-2022-2551
Details: Updating...
Description: The Duplicator WordPress plugin before 1.4.7 discloses the URL of a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.

2022-06-14 | Waiting for details | CVE-2022-29238
Details: Updating...
Description: Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed. Version 6.4.12 contains a patch for this issue. There are currently no known workarounds.

2022-06-10 | Medium | CVE-2021-44582
Details: Vendor: Money transfer management system project; Software: Money transf...
Description: A Privilege Escalation vulnerability exists in Sourcecodester Money Transfer Management System 1.0, which allows a remote malicious user to gain elevated privileges to the Admin role via any URL.

2022-04-27 | Waiting for details | CVE-2021-34588
Details: Updating...
Description: Bender/ebee Charge Controllers in multiple versions are prone to unprotected data export. Backup export is protected via a random key. The key is set at user login. It is empty after reboot.

2022-03-14 | Low | CVE-2022-24385
Details: Vendor: Smartertools; Software: Smartertrack
Description: A Direct Object Access vulnerability in SmarterTools SmarterTrack leads to information disclosure. This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.

2022-03-10 | Low | CVE-2022-24932
Details: Vendor: Google; Software: Android
Description: Improper Protection of Alternate Path vulnerability in the Setup wizard process prior to SMR Mar-2022 Release 1 allows a physical attacker to install packages before the Setup wizard has finished.

2022-01-14 | Medium | CVE-2021-24046
Details: Updating...
Description: A logic flaw in Ray-Ban® Stories device software allowed some parameters like video capture duration limit to be modified through the Facebook View application. This issue affected versions of device software before 2107460.6810.0.

2021-10-15 | Medium | CVE-2018-16060
Details: Updating...
Description: Mitsubishi Electric SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.

2021-02-16 | Medium | CVE-2020-35570
Details: Vendor: Mbconnectline; Software: Mbconnect24
Description: An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An unauthenticated attacker is able to access files (that should have been restricted) via forceful browsing.

Copyright 2022, cxsecurity.com