| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1. |
| Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1. |
| Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions. |
| A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter. |
| Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions. |
| Subscriber Sensitive Data Exposure in WPPizza <= 3.19.9 versions. |
| Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions. |
| Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions. |
| A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment. |
| Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions. |
| Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.4.1 versions. |
| Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions. |
| Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions. |
| Subscriber Cross Site Scripting (XSS) in JupiterX Core <= 4.14.1 versions. |
| Subscriber Cross Site Scripting (XSS) in King Addons for Elementor <= 51.1.62 versions. |
| A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser session. This cross-site scripting (XSS) vulnerability allows the attacker to compromise the victim's Red Hat Single Sign-On (SSO) session, potentially leading to unauthorized cross-tenant data access and API actions. |
| Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions. |
| Unauthenticated Broken Access Control in WP Directory Kit <= 1.5.0 versions. |
| Unauthenticated Broken Access Control in Masteriyo - LMS <= 2.1.5 versions. |
| Unauthenticated SQL Injection in GeoDirectory <= 2.8.152 versions. |
