Filtered by CWE-862
Total 5093 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-0791 1 Pluginus 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional 2025-04-24 4.3 Medium
The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to unauthorized access, modification or loss of data due to a missing capability check on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions in all versions up to, and including, 1.0.8.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create, delete or modify taxonomy terms.
CVE-2024-0595 1 Getawesomesupport 1 Awesome Support 2025-04-24 4.3 Medium
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpas_get_users() function hooked via AJAX in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve user data such as emails.
CVE-2022-41807 1 Kyocera 80 Ecosys M2535dn, Ecosys M2535dn Firmware, Ecosys M6526cdn and 77 more 2025-04-24 6.5 Medium
Missing authorization vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to alter the product settings without authentication by sending a specially crafted request. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASKalfa 5550ci/4550ci/3550ci/3050ci, TASKalfa 255c/205c, TASKalfa 256ci/206ci, ECOSYS M6526cdn/M6526cidn, FS-C2126MFP/C2126MFP+/C2026MFP/C2026MFP+, TASKalfa 8000i/6500i, TASKalfa 5500i/4500i/3500i, TASKalfa 305/255, TASKalfa 306i/256i, LS-3140MFP/3140MFP+/3640MFP, ECOSYS M2535dn, LS-1135MFP/1035MFP, LS-C8650DN/C8600DN, ECOSYS P6026cdn, FS-C5250DN, LS-4300DN/4200DN/2100DN, ECOSYS P4040dn, ECOSYS P2135dn, and FS-1370DN.
CVE-2024-1389 2 Cozmoslabs, Iovamihai 2 Membership \& Content Restriction - Paid Member Subscriptions, Paid Membership Subscriptions Effortless Memberships Recurring Payments And Content Restriction 2025-04-24 5.3 Medium
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys.
CVE-2022-44009 1 Stackstorm 1 Stackstorm 2025-04-24 7.5 High
Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive Information.
CVE-2022-39102 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-04-24 7.8 High
In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed.
CVE-2022-39101 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-04-24 7.8 High
In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed.
CVE-2022-39100 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-04-24 7.8 High
In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed.
CVE-2022-42766 2 Google, Unisoc 14 Android, S8011, Sc7731e and 11 more 2025-04-23 6.6 Medium
In wlan driver, there is a possible missing permission check, This could lead to local information disclosure.
CVE-2024-3893 1 Radiustheme 1 Classified Listing 2025-04-23 5.3 Medium
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachements.
CVE-2022-42782 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-04-23 5.5 Medium
In wlan driver, there is a possible missing permission check, This could lead to local information disclosure.
CVE-2022-42778 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-04-23 7.8 High
In windows manager service, there is a missing permission check. This could lead to set up windows manager service with no additional execution privileges needed.
CVE-2022-42777 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-04-23 7.8 High
In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed.
CVE-2022-42776 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-04-23 7.8 High
In UscAIEngine service, there is a missing permission check. This could lead to set up UscAIEngine service with no additional execution privileges needed.
CVE-2025-26853 1 Descor 1 Infocad 2025-04-23 10 Critical
DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 has a broken authorization schema.
CVE-2022-21707 1 Wasmcloud 1 Host Runtime 2025-04-23 6.3 Medium
wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.
CVE-2022-23617 1 Xwiki 1 Xwiki 2025-04-23 6.5 Medium
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit right can copy the content of a page it does not have access to by using it as template of a new page. This issue has been patched in XWiki 13.2CR1 and 12.10.6. Users are advised to update. There are no known workarounds for this issue.
CVE-2022-23621 1 Xwiki 1 Xwiki 2025-04-23 5.5 Medium
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`. This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT right.
CVE-2021-41112 1 Pagerduty 1 Rundeck 2025-04-23 8.1 High
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds.
CVE-2021-41239 1 Nextcloud 1 Nextcloud Server 2025-04-23 5.3 Medium
Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.