|
305041
|
- |
|
-
|
-
|
The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.0 via the 'ce_template' shortcode due to insufficient restriction…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2024-10779
|
2024-11-12 22:56 |
2024-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305042
|
4.3 |
MEDIUM
Network
|
-
|
-
|
The Debug Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the info() function in all versions up to, and including, 2.2. This makes it poss…
|
CWE-862
Missing Authorization
|
CVE-2024-10588
|
2024-11-12 22:56 |
2024-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305043
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The CE21 Suite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ce21_single_sign_on_save_api_settings' function in versions up to, and…
|
CWE-862
Missing Authorization
|
CVE-2024-10294
|
2024-11-12 22:56 |
2024-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305044
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The CE21 Suite plugin for WordPress is vulnerable to sensitive information disclosure via the plugin-log.txt in versions up to, and including, 2.2.0. This makes it possible for unauthenticated attack…
|
CWE-200
Information Exposure
|
CVE-2024-10285
|
2024-11-12 22:56 |
2024-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305045
|
- |
|
-
|
-
|
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log…
|
-
|
CVE-2024-52314
|
2024-11-12 22:56 |
2024-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305046
|
- |
|
-
|
-
|
An authenticated data.all user is able to manipulate a getDataset query to fetch additional information regarding the parent Environment resource that the user otherwise would not able to fetch by di…
|
-
|
CVE-2024-52313
|
2024-11-12 22:56 |
2024-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305047
|
- |
|
-
|
-
|
Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments.
|
-
|
CVE-2024-52312
|
2024-11-12 22:56 |
2024-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305048
|
- |
|
-
|
-
|
Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.
|
-
|
CVE-2024-52311
|
2024-11-12 22:56 |
2024-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305049
|
- |
|
-
|
-
|
An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of.
|
-
|
CVE-2024-10953
|
2024-11-12 22:56 |
2024-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305050
|
- |
|
-
|
-
|
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enab…
|
CWE-532
Inclusion of Sensitive Information in Log Files
|
CVE-2024-52009
|
2024-11-12 22:56 |
2024-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
