Total: 6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-6955 | 1 Gitlab | 1 Gitlab | 2025-05-05 | N/A | 6.6 MEDIUM | A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. |
| CVE-2024-57682 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | N/A | 6.5 MEDIUM | An information disclosure vulnerability in the component d_status.asp of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to access sensitive information via a crafted POST request. |
| CVE-2025-4095 | | | 2025-05-02 | N/A | N/A | Registry Access Management (RAM) is a security feature allowing administrators to restrict access for their developers to only allowed registries. When a macOS configuration profile is used to enforce organization sign-in, the RAM policies are not applied, which would allow Docker Desktop users to pull down unapproved, and potentially malicious, images from any registry. |
| CVE-2025-3953 | | | 2025-05-02 | N/A | 6.5 MEDIUM | The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings. |
| CVE-2025-3746 | | | 2025-05-02 | N/A | 9.8 CRITICAL | The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentica ... |
| CVE-2023-33265 | 1 Hazelcast | 2 Hazelcast, Imdg | 2025-05-02 | N/A | 8.8 HIGH | In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted. |
| CVE-2025-37087 | | | 2025-05-01 | N/A | 9.8 CRITICAL | A vulnerability in the cmdb service of the HPE Performance Cluster Manager (HPCM) could allow an attacker to gain access to an arbitrary file on the server host. |
| CVE-2022-3451 | 1 Addify | 1 Product Stock Manager | 2025-05-01 | N/A | 4.3 MEDIUM | The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow updating arbitrary options. |
| CVE-2023-21244 | 1 Google | 1 Android | 2025-05-01 | N/A | 6.7 MEDIUM | In visitUris of Notification.java, there is a possible bypass of user profile boundaries due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2025-05-01 | N/A | 5.3 MEDIUM | The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request. |
| CVE-2022-20446 | 1 Google | 1 Android | 2025-05-01 | N/A | 3.3 LOW | In AlwaysOnHotwordDetector of AlwaysOnHotwordDetector.java, there is a possible way to access the microphone from the background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11. Android ID: A-229793943 |
| CVE-2022-20451 | 1 Google | 1 Android | 2025-05-01 | N/A | 7.8 HIGH | In onCallRedirectionComplete of CallsManager.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-235098883 |
| CVE-2022-20450 | 1 Google | 1 Android | 2025-05-01 | N/A | 7.8 HIGH | In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way to bypass user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-210065877 |
| CVE-2024-43431 | 1 Moodle | 1 Moodle | 2025-05-01 | N/A | 7.5 HIGH | A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access. |
| CVE-2023-48676 | 2 Acronis, Microsoft | 2 Agent, Windows | 2025-05-01 | N/A | 7.1 HIGH | Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 36943. |
| CVE-2022-44549 | 1 Huawei | 2 Emui, Harmonyos | 2025-05-01 | N/A | 7.5 HIGH | The LBS module has a vulnerability in geofencing API access. Successful exploitation of this vulnerability may cause third-party apps to access the geofencing APIs without authorization, affecting user confidentiality. |
| CVE-2022-38651 | 1 Vmware | 1 Hyperic Server | 2025-05-01 | N/A | 9.8 CRITICAL | A security filter misconfiguration exists in VMware Hyperic Server 5.8.6. Exploitation of this vulnerability enables a malicious party to bypass some authentication requirements when issuing requests to Hyperic Server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2022-2450 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2025-04-30 | N/A | 4.3 MEDIUM | The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers, to call them. |
| CVE-2022-45390 | 1 Jenkins | 1 Loader.io | 2025-04-30 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2022-45389 | 1 Jenkins | 1 Xp-dev | 2025-04-30 | N/A | 5.3 MEDIUM | A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. |
| CVE-2022-45385 | 1 Jenkins | 1 Cloudbees Docker Hub/Registry Notification | 2025-04-30 | N/A | 7.5 HIGH | A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. |
| CVE-2022-45394 | 1 Jenkins | 1 Delete Log | 2025-04-30 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. |
| CVE-2024-55072 | 1 Mealie | 1 Mealie | 2025-04-30 | N/A | 5.4 MEDIUM | A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household. |
| CVE-2025-46232 | 1 Alttext | 1 Alt Text Ai | 2025-04-30 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in alttextai Download Alt Text AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Alt Text AI: from n/a through 1.9.93. |
| CVE-2024-52921 | 1 Bitcoin | 1 Bitcoin Core | 2025-04-30 | N/A | 5.3 MEDIUM | In Bitcoin Core before 25.0, a peer can affect the download state of other peers by sending a mutated block. |
| CVE-2022-45399 | 1 Jenkins | 1 Cluster Statistics | 2025-04-30 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. |
| CVE-2022-3538 | 1 Webmaster Tools Verification Project | 1 Webmaster Tools Verification | 2025-04-30 | N/A | 6.5 MEDIUM | The Webmaster Tools Verification WordPress plugin through 1.2 does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins. |
| CVE-2024-55876 | 1 Xwiki | 1 Xwiki | 2025-04-30 | N/A | 5.4 MEDIUM | XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3. ... |
| CVE-2024-55879 | 1 Xwiki | 1 Xwiki | 2025-04-30 | N/A | 9.1 CRITICAL | XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9 and 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading. |
| CVE-2022-42903 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2025-04-30 | N/A | 3.3 LOW | Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list. |
| CVE-2025-46244 | 1 Multidots | 1 Advanced Linked Variations For Woocommerce | 2025-04-29 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Dotstore Advanced Linked Variations for Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Linked Variations for Woocommerce: from n/a through 1.0.3. |
| CVE-2025-46247 | 1 Codepeople | 1 Appointment Booking Calendar | 2025-04-29 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in codepeople Appointment Booking Calendar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Appointment Booking Calendar: from n/a through 1.3.92. |
| CVE-2022-41326 | 1 Mitel | 1 Micollab | 2025-04-29 | N/A | 9.8 CRITICAL | The web conferencing component of Mitel MiCollab through 9.6.0.13 could allow an unauthenticated attacker to upload arbitrary scripts due to improper authorization controls. A successful exploit could allow remote code execution within the context of the application. |
| CVE-2022-24190 | 1 Sz-fujia | 1 Ourphoto | 2025-04-29 | N/A | 7.5 HIGH | The /device/acceptBind endpoint for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this endpoint. An attacker can send a request to bind their account to any user's picture frame, then send a POST request to accept their own bind request, without the end user's approval or interaction. |
| CVE-2025-31720 | 1 Jenkins | 1 Jenkins | 2025-04-29 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration. |
| CVE-2025-31721 | 1 Jenkins | 1 Jenkins | 2025-04-29 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. |
| CVE-2024-13307 | | | 2025-04-29 | N/A | 5.3 MEDIUM | The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user. |
| CVE-2021-47662 | | | 2025-04-29 | N/A | 7.5 HIGH | Due to missing authorization, an unauthenticated remote attacker can cause a DoS attack by connecting via HTTPS and triggering the shutdown button. |
| CVE-2025-3058 | | | 2025-04-29 | N/A | 8.8 HIGH | The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwc_save_settings() function in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration f ... |
| CVE-2025-46470 | | | 2025-04-29 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Peter Raschendorfer Smart Hashtags [#hashtagger] allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Hashtags [#hashtagger]: from n/a through 7.2.3. |