6.5
CVE-2024-32470 - Tolgee's API keys created by server admin users bypass the permission check
Tolgee is an open-source localization platform. When an API key created by a server admin user is used, it bypasses the permission check entirely. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.
9.3
CVE-2024-2796 - SSRF in Akana API Platform
A server-side request forgery (SSRF) was discovered in the Akana API Platform in versions prior to and including 2022.1.3. Reported by Jakob Antonsson.
2.7
CVE-2024-32466 - Tolgee's API key scopes not checked when querying translation data
Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when the API key was missing the `translation.view` scope. However, it was impossible to fetch the data when the user was missing this sc…
3.9
CVE-2024-30257 - 1Panel's password verification is suspected to have a timing attack vulnerability
1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the != operator instead of hmac.Equal. This may lead to a timing-attack vulnerability. This vulnerability is fixed in 1.10.3-lts.
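The comparison pattern behind this entry, as an added Go example that is not 1Panel's own code: a short-circuiting string comparison (what `!=` compiles to) returns at the first mismatching byte, so the time it takes depends on how long the correct prefix of the guess is; hmac.Equal inspects every byte regardless. Here the number of bytes inspected stands in for elapsed time so the leak is visible without a stopwatch. The hex SHA-256 digest, the password strings and the helper names (Digest, LeakyEqual, VerifyLeaky, VerifyConstantTime, MismatchAt) are all constructed for the demo; a real password store should use a slow, salted hash such as bcrypt or argon2, and the constant-time compare then applies to that hash's output.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest stands in for the stored credential being compared. Plain SHA-256 is a
// demo assumption; a real password store should use bcrypt, scrypt or argon2.
func Digest(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// LeakyEqual spells out what a `!=` / `==` string comparison does: it returns at
// the first mismatching byte. The inspected count stands in for elapsed time; it
// grows with the length of the correct prefix, which is what a timing attack measures.
func LeakyEqual(a, b string) (equal bool, inspected int) {
	if len(a) != len(b) {
		return false, 0
	}
	for i := 0; i < len(a); i++ {
		inspected++
		if a[i] != b[i] {
			return false, inspected
		}
	}
	return true, inspected
}

// VerifyLeaky is the vulnerable pattern (`if stored != Digest(submitted) { reject }`).
func VerifyLeaky(storedDigest, submitted string) (bool, int) {
	return LeakyEqual(storedDigest, Digest(submitted))
}

// VerifyConstantTime is the fix: hmac.Equal touches every byte of both inputs, so
// its running time depends only on their lengths, not on where they first differ.
func VerifyConstantTime(storedDigest, submitted string) bool {
	return hmac.Equal([]byte(storedDigest), []byte(Digest(submitted)))
}

// MismatchAt returns a copy of a hex digest that agrees with it up to index i and
// differs there ('x' is never a hex digit), modelling an attacker's partial guess.
func MismatchAt(digest string, i int) string {
	return digest[:i] + "x" + digest[i+1:]
}

func main() {
	stored := Digest("correct horse battery staple")
	for _, i := range []int{0, 8, 32, 63} {
		_, n := LeakyEqual(stored, MismatchAt(stored, i))
		fmt.Printf("guess matching %2d leading bytes: leaky compare inspected %2d bytes\n", i, n)
	}
	ok, n := VerifyLeaky(stored, "correct horse battery staple")
	fmt.Printf("correct password: leaky=%v after %d bytes, constant-time=%v\n",
		ok, n, VerifyConstantTime(stored, "correct horse battery staple"))
	fmt.Printf("wrong password: constant-time=%v\n", VerifyConstantTime(stored, "wrong"))
}
```

One caveat: when the attacker only controls the password and the server compares hashes, each guess's digest is effectively random, so the prefix leak is far weaker than when a raw token or signature is compared with `!=`. hmac.Equal costs nothing and removes the question entirely, which is why the fix is the right one even for the "suspected" case.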
9.1
CVE-2024-29021 - SSRF into Sandbox Escape through Unsafe Default Configuration
Judge0 is an open-source online code execution system. The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the t…
10
CVE-2024-28189 - Judge0 vulnerable to Sandbox Escape Patch Bypass via chown running on Symbolic Link
Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside o…
10
CVE-2024-28185 - Judge0 vulnerable to Sandbox Escape via Symbolic Link
Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. When executing a submission, Judge0 writes a `r…
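The two Judge0 entries above (CVE-2024-28185, the symlink-following write, and CVE-2024-28189, chown on a symlink) share one root cause: a privileged process operates on a path inside a directory the attacker controls without checking whether that path is a link. The following Go program is an added example, not Judge0's code (Judge0 itself is written in Ruby; the filesystem semantics are the same): it reproduces both mistakes on a throw-away directory and shows the hardened forms, O_CREATE|O_EXCL for the write and Lstat plus Lchown for the ownership change. The directory layout and the file names outside.txt, run_script and submission.c are chosen for the demo and are not Judge0's real paths.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrSymlink is returned when a path inside the sandbox turns out to be a symbolic link.
var ErrSymlink = errors.New("refusing to operate on a symbolic link inside the sandbox")

// WriteFollowing mirrors the vulnerable write: create-or-truncate follows whatever
// symlink the submission planted at sandbox/name, so the data lands in the link's target.
func WriteFollowing(sandbox, name string, data []byte) error {
	return os.WriteFile(filepath.Join(sandbox, name), data, 0o644)
}

// WriteNoFollow is the hardened write. O_CREATE|O_EXCL makes the kernel refuse if
// anything already exists at the path, including a dangling symlink, so there is
// no check-then-act window for an attacker to race.
func WriteNoFollow(sandbox, name string, data []byte) error {
	p := filepath.Join(sandbox, name)
	f, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return fmt.Errorf("%s already exists (attacker-planted symlink?): %w", p, err)
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// ChownNoFollow is the hardened chown. os.Chown follows symlinks (the vulnerable
// behaviour); this version refuses anything that is not a regular file and then uses
// Lchown, which never follows a link, so a file swapped for a symlink after the Lstat
// only has the link itself re-owned.
func ChownNoFollow(path string, uid, gid int) error {
	fi, err := os.Lstat(path)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s: %w", path, ErrSymlink)
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	return os.Lchown(path, uid, gid)
}

// Outcome records what each variant did to a file that lives outside the sandbox.
type Outcome struct {
	NoFollowWriteErr     error  // the hardened write must fail on the planted symlink
	VictimAfterNoFollow  string // and the outside file must be untouched
	VictimAfterFollowing string // the vulnerable write overwrites it
	ChownSymlinkErr      error  // hardened chown on the planted symlink: ErrSymlink
	ChownRegularErr      error  // hardened chown on a genuine sandbox file: nil
}

// RunScenario builds a throw-away sandbox with a victim file outside it and an
// attacker-planted symlink inside it at the name the runner will write to.
// "run_script" is a name chosen for this demo, not Judge0's real file name.
func RunScenario() (Outcome, error) {
	var out Outcome
	root, err := os.MkdirTemp("", "symlink-escape-demo")
	if err != nil {
		return out, err
	}
	defer os.RemoveAll(root)
	victim := filepath.Join(root, "outside.txt")
	sandbox := filepath.Join(root, "box")
	link := filepath.Join(sandbox, "run_script")
	regular := filepath.Join(sandbox, "submission.c")
	for _, step := range []error{
		os.Mkdir(sandbox, 0o755),
		os.WriteFile(victim, []byte("original\n"), 0o644),
		os.WriteFile(regular, []byte("int main(void){return 0;}\n"), 0o644),
		os.Symlink(victim, link), // the malicious submission's contribution
	} {
		if step != nil {
			return out, step
		}
	}

	// Hardened write first: O_EXCL rejects the existing symlink, victim unchanged.
	out.NoFollowWriteErr = WriteNoFollow(sandbox, "run_script", []byte("attacker controlled\n"))
	b, _ := os.ReadFile(victim)
	out.VictimAfterNoFollow = string(b)
	// Vulnerable write: the runner's script ends up inside the victim file.
	if err := WriteFollowing(sandbox, "run_script", []byte("attacker controlled\n")); err != nil {
		return out, err
	}
	b, _ = os.ReadFile(victim)
	out.VictimAfterFollowing = string(b)
	// uid/gid of -1 mean "leave unchanged", so the chown checks need no privileges.
	out.ChownSymlinkErr = ChownNoFollow(link, -1, -1)
	out.ChownRegularErr = ChownNoFollow(regular, -1, -1)
	return out, nil
}
```

Run it on Linux with `go run`; it needs no privileges because it passes -1 for uid and gid. An Lstat check followed by a plain os.Chown would still be racy; the hardened chown is safe only because Lchown never dereferences a link, and the hardened write is safe because O_EXCL is evaluated atomically by the kernel. Running the submission's working directory on a separate mount, or opening it with a directory file descriptor and openat2 with RESOLVE_BENEATH where available, closes the same class of bug more generally.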
6.4
CVE-2023-6892 - EAN for WooCommerce <= 4.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via alg_wc_β¦
The EAN for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_ean_product_meta' shortcode in all versions up to, and including, 4.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f…
4.3
CVE-2023-6897 - EAN for WooCommerce <= 4.9.2 - Insecure Direct Object Reference to Sensitive Information Exposure vi…
The EAN for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.9.2 via the 'alg_wc_ean_product_meta' shortcode due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with con…
6.8
CVE-2023-50885 - WordPress Store Locator WordPress Plugin <= 1.4.14 is vulnerable to Arbitrary File Deletion
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AGILELOGIX Store Locator WordPress. This issue affects Store Locator WordPress: from n/a through 1.4.14.