Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46535 | | | 2025-04-29 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in AlphaEfficiencyTeam Custom Login and Registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Login and Registration: from n/a through 1.0.0.
|
|||||
| CVE-2025-46489 | | | 2025-04-29 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in vinodvaswani9 Bulk Assign Linked Products For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Bulk Assign Linked Products For WooCommerce: from n/a through 2.1.
|
|||||
| CVE-2025-46519 | | | 2025-04-29 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Michael Revellin-Clerc Media Library Downloader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library Downloader: from n/a through 1.3.1.
|
|||||
| CVE-2025-39390 | | | 2025-04-29 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Booking and Rental Manager: from n/a through 2.3.8.
|
|||||
| CVE-2025-39385 | | | 2025-04-29 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in VW Themes Sirat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sirat: from n/a through 1.5.1.
|
|||||
| CVE-2025-1279 | | | 2025-04-29 | N/A | 8.8 HIGH |
|
The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ux_cb_tools_import_item_ajax AJAX action in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable ...
|
|||||
| CVE-2025-3912 | | | 2025-04-29 | N/A | 5.3 MEDIUM |
|
The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35. This makes it possible for unauthenticated attackers to read the value of the plugin's settings, including API keys for integrated services.
|
|||||
| CVE-2025-46485 | | | 2025-04-29 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in Carlo La Pera WP Customize Login Page allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Customize Login Page: from n/a through 1.6.5.
|
|||||
| CVE-2025-3997 | | | 2025-04-29 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-profile-ajax-1 of the component Personal Information Page. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-39367 | | | 2025-04-29 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in SeventhQueen Kleo. This issue affects Kleo: from n/a before 5.4.4.
|
|||||
| CVE-2025-3906 | | | 2025-04-29 | N/A | 8.8 HIGH |
|
The Integração entre Eduzz e Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wep_opcoes' function in all versions up to, and including, 1.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the default registration role within the plugin's registration flow to Administrator, which allows any user to create an Administrator account.
|
|||||
| CVE-2022-43685 | 1 Okfn | 1 Ckan | 2025-04-29 | N/A | 8.8 HIGH |
|
CKAN through 2.9.6 allows account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.
|
|||||
| CVE-2024-42453 | 1 Veeam | 1 Veeam Backup & Replication | 2025-04-24 | N/A | 8.1 HIGH |
|
A vulnerability in Veeam Backup & Replication allows low-privileged users to control and modify configurations on connected virtual infrastructure hosts. This includes the ability to power off virtual machines, delete files in storage, and make configuration changes, potentially leading to Denial of Service (DoS) and data integrity issues. The vulnerability is caused by improper permission checks in methods accessed via management services.
|
|||||
| CVE-2022-41807 | 1 Kyocera | 80 Ecosys M2535dn, Ecosys M2535dn Firmware, Ecosys M6526cdn and 77 more | 2025-04-24 | N/A | 6.5 MEDIUM |
|
Missing authorization vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to alter the product settings without authentication by sending a specially crafted request. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASKalfa 5550ci/4550ci/3550ci/3050ci, TASKalfa 255c/205c, TASKalfa 256ci/206ci, ECOSYS M6526cdn/M6526cidn, FS-C2126MFP/C2126MFP+/C2026MFP/C2026MFP+, TASKalfa 8000i/6500i, TASKalfa 5500i/4500i/3500i, TASKa ...
|
|||||
| CVE-2022-44009 | 1 Stackstorm | 1 Stackstorm | 2025-04-24 | N/A | 7.5 HIGH |
|
Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive information.
|
|||||
| CVE-2022-39102 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-24 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39101 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-24 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39100 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-24 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-42766 | 2 Google, Unisoc | 14 Android, S8011, Sc7731e and 11 more | 2025-04-23 | N/A | 5.5 MEDIUM |
|
In the wlan driver, there is a possible missing permission check. This could lead to local information disclosure.
|
|||||
| CVE-2024-3893 | 1 Radiustheme | 1 Classified Listing | 2025-04-23 | N/A | 5.3 MEDIUM |
|
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.
|
|||||
| CVE-2022-42782 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 5.5 MEDIUM |
|
In the wlan driver, there is a possible missing permission check. This could lead to local information disclosure.
|
|||||
| CVE-2022-42778 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the windows manager service, there is a missing permission check. This could lead to setting up the windows manager service with no additional execution privileges needed.
|
|||||
| CVE-2022-42777 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-42776 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the UscAIEngine service, there is a missing permission check. This could lead to setting up the UscAIEngine service with no additional execution privileges needed.
|
|||||
| CVE-2025-26853 | 1 Descor | 1 Infocad | 2025-04-23 | N/A | 10.0 CRITICAL |
|
DESCOR INFOCAD 3.5.1 and before has a broken authorization schema; it is fixed in v.3.5.2.0.
|
|||||
| CVE-2024-33606 | 1 Microdicom | 1 Dicom Viewer | 2025-04-23 | N/A | 8.8 HIGH |
|
An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a MicroDicom DICOM Viewer system. User interaction is required to exploit this vulnerability.
|
|||||
| CVE-2022-39099 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39098 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39097 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39096 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39095 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39094 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39093 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39092 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39091 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2022-39090 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-23 | N/A | 7.8 HIGH |
|
In the power management service, there is a missing permission check. This could lead to setting up the power management service with no additional execution privileges needed.
|
|||||
| CVE-2025-2298 | | | 2025-04-23 | N/A | N/A |
|
An improper authorization vulnerability in Dremio Software allows authenticated users to delete arbitrary files that the system has access to, including system files and files stored in remote locations such as S3, Azure Blob Storage, and local filesystems. This vulnerability exists due to insufficient access controls on an API endpoint, enabling any authenticated user to specify and delete files outside their intended scope. Exploiting this flaw could lead to data loss, denial of service (DoS), ...
|
|||||
| CVE-2022-3946 | 1 Welcart | 1 Welcart E-commerce | 2025-04-22 | N/A | 6.5 MEDIUM |
|
The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.
|
|||||
| CVE-2022-20240 | 1 Google | 1 Android | 2025-04-22 | N/A | 2.3 LOW |
|
In sOpAllowSystemRestrictionBypass of AppOpsManager.java, there is a possible leak of location information due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12 Android-12L. Android ID: A-231496105
|
|||||
| CVE-2024-20032 | 2 Google, Mediatek | 36 Android, Mt6580, Mt6739 and 33 more | 2025-04-22 | N/A | 6.7 MEDIUM |
|
In aee, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08487630; Issue ID: MSV-1020.
|
|||||