8.1

CVSS3.1

CVE-2024-6862 - Cross-Site Request Forgery (CSRF) in lunary-ai/lunary

A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for in…

πŸ“… Published: Sept. 13, 2024, 4:13 p.m. πŸ”„ Last Modified: Sept. 19, 2024, 6:37 p.m.

6.5

CVSS3.1

CVE-2024-6867 - Information Disclosure in lunary-ai/lunary

An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all…

πŸ“… Published: Sept. 13, 2024, 4:13 p.m. πŸ”„ Last Modified: Sept. 19, 2024, 6:28 p.m.

6.5

CVSS3.1

CVE-2024-6087 - Improper Access Control in lunary-ai/lunary

An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target user…

πŸ“… Published: Sept. 13, 2024, 4:12 p.m. πŸ”„ Last Modified: Oct. 15, 2025, 1:15 p.m.

4.3

CVSS3.1

CVE-2024-6582 - Broken Access Control in lunary-ai/lunary

A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and pot…

πŸ“… Published: Sept. 13, 2024, 4:11 p.m. πŸ”„ Last Modified: Nov. 3, 2024, 6:27 p.m.

7.5

CVSS3.1

CVE-2024-6587 - SSRF in berriai/litellm

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This…

πŸ“… Published: Sept. 13, 2024, 3:59 p.m. πŸ”„ Last Modified: Sept. 20, 2024, 2:55 p.m.

7.8

CVSS3.1

CVE-2024-42025 -

A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.3.32 and earlier) allows a malicious actor with unifi user shell access to escalate privileges to root on the host device.

πŸ“… Published: Sept. 13, 2024, 3:47 p.m. πŸ”„ Last Modified: Sept. 28, 2024, 6:35 p.m.

4.3

CVSS3.1

CVE-2024-8242 - MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Authenticated (Subscriber+) …

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, wit…

πŸ“… Published: Sept. 13, 2024, 3:10 p.m. πŸ”„ Last Modified: April 8, 2026, 5:35 p.m.

6.4

CVSS3.1

CVE-2024-5870 - Tweaker5 <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode

The Tweaker5 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the β€˜url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Co…

πŸ“… Published: Sept. 13, 2024, 3:10 p.m. πŸ”„ Last Modified: April 8, 2026, 5:33 p.m.

6.4

CVSS3.1

CVE-2024-5869 - Neighborly <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode

The Neighborly theme for WordPress is vulnerable to Stored Cross-Site Scripting via the β€˜url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with …

πŸ“… Published: Sept. 13, 2024, 3:10 p.m. πŸ”„ Last Modified: April 8, 2026, 5:33 p.m.

7.2

CVSS3.1

CVE-2022-2446 - WP Editor <= 1.2.9 - Authenticated (Admin+) PHAR Deserialization

The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deseri…

πŸ“… Published: Sept. 13, 2024, 3:10 p.m. πŸ”„ Last Modified: April 8, 2026, 5:32 p.m.
Total resulsts: 349182
Page 8569 of 34,919
Β« previous page Β» next page
Filters