Authentication Bypass by Spoofing vulnerability in miniorange Malware Scanner allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Malware Scanner: from n/a through 4.7.1.

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of information such as `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.

Improper Privilege Management vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Privilege Escalation.This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.6.6.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in miniorange Malware Scanner.This issue affects Malware Scanner: from n/a through 4.7.2.

The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin.

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login.This issue affects miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login: from n/a through 5.6.1.

The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings.

The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.10 stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any users knowing the URL to do so.