Total
4422 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1595 | 2025-02-23 | 5.0 MEDIUM | 5.3 MEDIUM | ||
|
A vulnerability has been found in Anhui Xufan Information Technology EasyCVR up to 2.7.0 and classified as problematic. This vulnerability affects unknown code of the file /api/v1/getbaseconfig. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-1590 | 2025-02-23 | 5.8 MEDIUM | 4.7 MEDIUM | ||
|
A vulnerability was found in SourceCodester E-Learning System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/lesson/index.php of the component List of Lessons Page. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely.
|
|||||
| CVE-2024-34068 | 1 Pterodactyl | 1 Wings | 2025-02-21 | N/A | 6.4 MEDIUM |
|
Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. U ...
Show More |
|||||
| CVE-2022-31475 | 1 Givewp | 1 Givewp | 2025-02-20 | N/A | 5.5 MEDIUM |
|
Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress.
|
|||||
| CVE-2022-41652 | 1 Expresstech | 1 Quiz And Survey Master | 2025-02-20 | N/A | 6.5 MEDIUM |
|
Bypass vulnerability in Quiz And Survey Master plugin <= 7.3.10 on WordPress.
|
|||||
| CVE-2022-41155 | 1 Webence | 1 Iq Block Country | 2025-02-20 | N/A | 5.3 MEDIUM |
|
Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress.
|
|||||
| CVE-2022-40216 | 1 Wordplus | 1 Better Messages | 2025-02-20 | N/A | 4.3 MEDIUM |
|
Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress.
|
|||||
| CVE-2020-35546 | 2025-02-20 | N/A | 9.1 CRITICAL | ||
|
Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings.
|
|||||
| CVE-2023-27517 | 1 Intel | 16 Nma1xxd128gpsu4, Nma1xxd128gpsuf, Nma1xxd256gpsu4 and 13 more | 2025-02-20 | N/A | 6.6 MEDIUM |
|
Improper access control in some Intel(R) Optane(TM) PMem software before versions 01.00.00.3547, 02.00.00.3915, 03.00.00.0483 may allow an athenticated user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2023-22311 | 1 Intel | 7 Nma1xxd128gpsu4, Nma1xxd128gpsuf, Nma1xxd256gpsu4 and 4 more | 2025-02-20 | N/A | 6.7 MEDIUM |
|
Improper access control in some Intel(R) Optane(TM) PMem 100 Series Management Software before version 01.00.00.3547 may allow an authenticated user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2022-47542 | 1 Red-gate | 1 Sql Monitor | 2025-02-18 | N/A | 8.8 HIGH |
|
Red Gate SQL Monitor 11.0.14 through 12.1.46 has Incorrect Access Control, exploitable remotely for Escalation of Privileges.
|
|||||
| CVE-2025-1165 | 2025-02-18 | 7.5 HIGH | 7.3 HIGH | ||
|
A vulnerability, which was classified as critical, was found in Lumsoft ERP 8. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2023-29140 | 1 Mediawiki | 1 Mediawiki | 2025-02-18 | N/A | 5.3 MEDIUM |
|
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted.
|
|||||
| CVE-2025-1390 | 2025-02-18 | N/A | 6.1 MEDIUM | ||
|
The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing ...
Show More |
|||||
| CVE-2023-28877 | 1 Vtex | 1 Apps-graphql | 2025-02-14 | N/A | 7.5 HIGH |
|
The VTEX [email protected] GraphQL API module does not properly restrict unauthorized access to private configuration data. ([email protected] is unaffected by this issue.)
|
|||||
| CVE-2023-2183 | 1 Grafana | 1 Grafana | 2025-02-13 | N/A | 4.1 MEDIUM |
|
Grafana is an open-source platform for monitoring and observability.
The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.
This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.
Use ...
Show More |
|||||
| CVE-2022-43702 | 1 Arm | 6 Arm Compiler, Arm Compiler For Embedded Fusa, Arm Compiler For Functional Safety and 3 more | 2025-02-13 | N/A | 7.8 HIGH |
|
When the directory containing the installer does not have sufficiently restrictive file permissions, an attacker can modify (or replace) the installer to execute malicious code.
|
|||||
| CVE-2024-41934 | 2025-02-12 | N/A | 5.9 MEDIUM | ||
|
Improper access control in some Intel(R) GPA software before version 2024.3 may allow an authenticated user to potentially enable denial of service via local access.
|
|||||
| CVE-2024-39797 | 2025-02-12 | N/A | 6.5 MEDIUM | ||
|
Improper access control in some drivers for Intel(R) Ethernet Connection I219 Series before version 12.19.1.39 may allow an authenticated user to potentially enable denial of service via local access.
|
|||||
| CVE-2024-38310 | 2025-02-12 | N/A | 8.2 HIGH | ||
|
Improper access control in some Intel(R) Graphics Driver software installers may allow an authenticated user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2024-37355 | 2025-02-12 | N/A | 8.8 HIGH | ||
|
Improper access control in some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2024-30211 | 2025-02-12 | N/A | 6.0 MEDIUM | ||
|
Improper access control in some Intel(R) ME driver pack installer engines before version 2422.6.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2023-29164 | 2025-02-12 | N/A | 7.3 HIGH | ||
|
Improper access control in BMC Firmware for the Intel(R) Server Board S2600WF, Intel(R) Server Board S2600ST, Intel(R) Server Board S2600BP, before version 02.01.0017 and Intel(R) Server Board M50CYP and Intel(R) Server Board D50TNP before version R01.01.0009 may allow an authenticated user to enable escalation of privilege via local access.
|
|||||
| CVE-2024-23315 | 1 Automationdirect | 12 P1-540, P1-540 Firmware, P1-550 and 9 more | 2025-02-12 | N/A | 7.5 HIGH |
|
A read-what-where vulnerability exists in the Programming Software Connection IMM 01A1 Memory Read functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can send an unauthenticated packet to trigger this vulnerability.
|
|||||
| CVE-2024-22187 | 1 Automationdirect | 12 P1-540, P1-540 Firmware, P1-550 and 9 more | 2025-02-12 | N/A | 9.1 CRITICAL |
|
A write-what-where vulnerability exists in the Programming Software Connection Remote Memory Diagnostics functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to an arbitrary write. An attacker can send an unauthenticated packet to trigger this vulnerability.
|
|||||
| CVE-2024-1701 | 1 Keerti1924 | 1 Php Mysql User Signup Login System | 2025-02-12 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A vulnerability has been found in keerti1924 PHP-MYSQL-User-Login-System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /edit.php. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254389 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-12370 | 1 Thimpress | 1 Wp Hotel Booking | 2025-02-11 | N/A | 5.3 MEDIUM |
|
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.
|
|||||
| CVE-2025-21359 | 2025-02-11 | N/A | 7.8 HIGH | ||
|
Windows Kernel Security Feature Bypass Vulnerability
|
|||||
| CVE-2023-24544 | 1 Buffalo | 24 Bs-gs2008, Bs-gs2008 Firmware, Bs-gs2008p and 21 more | 2025-02-11 | N/A | 8.1 HIGH |
|
Improper access control vulnerability in Buffalo network devices allows a network-adjacent attacker to obtain specific files of the product. As a result, the product settings may be altered. The affected products and versions are as follows: BS-GSL2024 firmware Ver. 1.10-0.03 and earlier, BS-GSL2016P firmware Ver. 1.10-0.03 and earlier, BS-GSL2016 firmware Ver. 1.10-0.03 and earlier, BS-GS2008 firmware Ver. 1.0.10.01 and earlier, BS-GS2016 firmware Ver. 1.0.10.01 and earlier, BS-GS2024 firmware ...
Show More |
|||||
| CVE-2023-0319 | 1 Gitlab | 1 Gitlab | 2025-02-11 | N/A | 5.8 MEDIUM |
|
An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, allowing to read environment names supposed to be restricted to project memebers only.
|
|||||
| CVE-2023-23575 | 1 Contec | 38 Cps-mc341-a1-111, Cps-mc341-a1-111 Firmware, Cps-mc341-adsc1-111 and 35 more | 2025-02-11 | N/A | 4.3 MEDIUM |
|
Improper access control vulnerability in CONPROSYS IoT Gateway products allows a remote authenticated attacker to bypass access restriction and access Network Maintenance page, which may result in obtaining the network information of the product. The affected products and versions are as follows: M2M Gateway with the firmware Ver.3.7.10 and earlier (CPS-MG341-ADSC1-111, CPS-MG341-ADSC1-931, CPS-MG341G-ADSC1-111, CPS-MG341G-ADSC1-930, and CPS-MG341G5-ADSC1-931), M2M Controller Integrated Type wit ...
Show More |
|||||
| CVE-2025-24532 | 2025-02-11 | N/A | 4.3 MEDIUM | ||
|
A vulnerability has been identified in SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0) (All versions < V3.0.0), SCALANCE WAM763-1 (6GK5763-1AL00-7DA0) (All versions < V3.0.0), SCALANCE WAM763-1 (ME) (6GK5763-1AL00-7DC0) (All versions < V3.0.0), SCALANCE WAM763-1 (US) (6GK5763-1AL00-7DB0) (All versions < V3.0.0), SCALANCE WAM766-1 (6GK5766-1GE00-7DA0) (All versions < V3.0.0), SCALANCE WAM766-1 (ME) (6GK5766-1GE00-7DC0) (All versions < V3.0.0), SCALANCE WAM766-1 (US) (6GK5766-1GE00-7DB0) (All versions < V3 ...
Show More |
|||||
| CVE-2024-46948 | 1 Northern.tech | 1 Mender | 2025-02-10 | N/A | 4.3 MEDIUM |
|
Northern.tech Mender before 3.6.5 and 3.7.x before 3.7.5 has Incorrect Access Control.
|
|||||
| CVE-2024-42988 | 2025-02-10 | N/A | 4.3 MEDIUM | ||
|
Lack of access control in ChallengeSolves (/api/v1/challenges/<challenge id>/solves) of CTFd v2.0.0 - v3.7.2 allows authenticated users to retrieve a list of users who have solved the challenge, regardless of the Account Visibility settings. The issue is fixed in v3.7.3+.
|
|||||
| CVE-2024-21150 | 1 Oracle | 1 Jd Edwards Enterpriseone Tools | 2025-02-10 | N/A | 6.1 MEDIUM |
|
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.8.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additi ...
Show More |
|||||
| CVE-2025-0802 | 1 Mayurik | 1 Best Employee Management System | 2025-02-10 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability classified as critical was found in SourceCodester Best Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/View_user.php of the component Administrative Endpoint. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-21185 | 1 Microsoft | 1 Edge Chromium | 2025-02-07 | N/A | 6.5 MEDIUM |
|
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
|
|||||
| CVE-2020-36831 | 1 Nextscripts | 1 Social Networks Auto Poster | 2025-02-07 | N/A | 5.0 MEDIUM |
|
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on multiple user privilege/security functions provided in versions up to, and including 4.3.17. This makes it possible for low-privileged attackers, like subscribers, to perform restricted actions that would be otherwise locked to a administrative-level user.
|
|||||
| CVE-2022-26389 | 2025-02-07 | N/A | 7.7 HIGH | ||
|
An improper access control vulnerability may allow privilege escalation.This issue affects:
* ELI 380 Resting Electrocardiograph:
Versions 2.6.0 and prior;
* ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:
Versions 2.3.1 and prior;
* ELI 250c/BUR 250c Resting Electrocardiograph: Versions 2.1.2 and prior;
* ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph:
Versions 2.2.0 and prior.
|
|||||
| CVE-2024-13457 | 1 Liquidweb | 1 Event Tickets | 2025-02-07 | N/A | 5.3 MEDIUM |
|
The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date.
|
|||||