| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111. |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75. |
| The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion. |
| An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N (5.8 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform. |
| An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform. |
| An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.260202.0 of the runZero Platform. |
| Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’ team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1. |
| RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an attacker-controlled multipart upload and completing the upload. This breaks tenant isolation in multi-user / multi-tenant deployments. This vulnerability is fixed in alpha.90. |
| An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform. |
| @delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23. |
| An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer. |
| Missing Authorization vulnerability in Razorpay Razorpay for WooCommerce woo-razorpay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay for WooCommerce: from n/a through <= 4.8.2. |
| Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field panda-pods-repeater-field allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Panda Pods Repeater Field: from n/a through <= 1.5.12. |
| Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9. |
| The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key. |
| The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling. |
| Missing Authorization vulnerability in Arraytics Booktics booktics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booktics: from n/a through <= 1.0.16. |
| The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display_admin_ajax() method does not call checkForCap() (which requires unfiltered_html capability), and several controller actions only validate the nonce (validateToken()) without calling validatePermission(). This makes it possible for authenticated attackers, with Contributor-level access and above, to enumerate slider metadata and create, modify, and delete image storage records by obtaining the nextend_nonce exposed on post editor pages. |
| Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Filter Plus: from n/a through <= 1.1.17. |
| Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1. |
