Total: 6931 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2017-17693 | 1 Techno - Portfolio Management Panel Project | 1 Techno - Portfolio Management Panel | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM | Techno - Portfolio Management Panel through 2017-11-16 does not check authorization for panel/portfolio.php?action=delete requests that remove feedback. |
| CVE-2017-6565 | 1 Franklinfueling | 2 Ts-550 Evo, Ts-550 Evo Firmware | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH | On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the roleDiag user, which can be obtained by exploiting CVE-2013-7247, has the ability to upload files to the server hosting the web service. As no sanitization checks are in place, an attacker can upload a malicious payload. |
| CVE-2017-11042 | 1 Google | 1 Android | 2025-04-20 | 4.6 MEDIUM | 7.8 HIGH | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, ImsService and the IQtiImsExt AIDL APIs are not subject to access control. |
| CVE-2017-0554 | 1 Google | 1 Android | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH | An elevation of privilege vulnerability in the Telephony component could enable a local malicious application to access capabilities outside of its permission levels. This issue is rated as Moderate because it could be used to gain access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33815946. |
| CVE-2017-8083 | 1 Compulab | 4 Intense Pc, Intense Pc Firmware, Mintbox 2 and 1 more | 2025-04-20 | 7.2 HIGH | 6.7 MEDIUM | CompuLab Intense PC and MintBox 2 devices with BIOS before 2017-05-21 do not use the CloseMnf protection mechanism for write protection of flash memory regions, which allows local users to install a firmware rootkit by leveraging administrative privileges. |
| CVE-2017-4985 | 1 Emc | 4 Vnx1, Vnx1 Firmware, Vnx2 and 1 more | 2025-04-20 | 7.2 HIGH | 7.8 HIGH | In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions prior to OE for File 7.1.80.8, a local authenticated user may potentially escalate their privileges to root due to authorization checks not being performed on certain perl scripts. This may potentially be exploited by an attacker to run arbitrary commands as root on the targeted VNX Control Station system. |
| CVE-2017-12582 | 1 Qnap | 2 Ts-212p, Ts-212p Firmware | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | An unprivileged user can access all functions of the Surveillance Station component on QNAP TS212P devices with firmware 4.2.1 build 20160601. The unprivileged user cannot log in at the front end, but with that user's SID every Surveillance Station function can be accessed. |
| CVE-2017-1000243 | 1 Jenkins | 1 Favorite Plugin | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM | Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites. |
| CVE-2017-5180 | 1 Firejail Project | 1 Firejail | 2025-04-20 | 4.6 MEDIUM | 8.8 HIGH | Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. |
| CVE-2017-12084 | 1 Meetcircle | 2 Circle With Disney, Circle With Disney Firmware | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH | A backdoor vulnerability exists in remote control functionality of Circle with Disney running firmware 2.0.1. A specific set of network packets can remotely start an SSH server on the device, resulting in a persistent backdoor. An attacker can send an API call to enable the SSH server. |
| CVE-2017-6564 | 1 Franklinfueling | 2 Ts-550 Evo, Ts-550 Evo Firmware | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM | On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest user, which has the lowest privileges, can post to the idSourceFileName parameter found within the /download directory. This allows an attacker to download sensitive system files from the host machine, such as databases containing information that can aid further attacks. |
| CVE-2017-8217 | 1 Tp-link | 4 C2, C20i, C20i Firmware and 1 more | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM | TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n have too permissive iptables rules, e.g., SNMP is not blocked on any interface. |
| CVE-2017-17665 | 1 Octopus | 1 Octopus Deploy | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH | In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. This allows an access-control bypass because the set of environments to which a machine is scoped may include environments in which the user lacks access. |
| CVE-2024-57757 | 1 Jeewms | 1 Jeewms | 2025-04-18 | N/A | 7.5 HIGH | JeeWMS before v2025.01.01 was discovered to contain a permission bypass in the component /interceptors/AuthInterceptor.cava. |
| CVE-2022-20556 | 1 Google | 1 Android | 2025-04-18 | N/A | 3.3 LOW | In launchConfigNewNetworkFragment of NetworkProviderSettings.java, there is a possible way for the guest user to add a new WiFi network due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-246301667. |
| CVE-2022-20537 | 1 Google | 1 Android | 2025-04-18 | N/A | 3.3 LOW | In createDialog of WifiScanModeActivity.java, there is a possible way for a Guest user to enable location-sensitive settings due to a missing permission check. This could lead to local escalation of privilege from the Guest user with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-235601169. |
| CVE-2022-20536 | 1 Google | 1 Android | 2025-04-18 | N/A | 3.3 LOW | In registerBroadcastReceiver of RcsService.java, there is a possible way to change preferred TTY mode due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-235100180. |
| CVE-2022-20533 | 1 Google | 1 Android | 2025-04-18 | N/A | 3.3 LOW | In getSlice of WifiSlice.java, there is a possible way to connect a new WiFi network from the guest mode due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-232798363. |
| CVE-2022-20529 | 1 Google | 1 Android | 2025-04-18 | N/A | 2.4 LOW | In multiple locations of WifiDialogActivity.java, there is a possible limited lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege in wifi settings with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-231583603. |
| CVE-2022-20522 | 1 Google | 1 Android | 2025-04-18 | N/A | 7.8 HIGH | In getSlice of ProviderModelSlice.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-227470877. |
| CVE-2022-20519 | 1 Google | 1 Android | 2025-04-18 | N/A | 3.3 LOW | In onCreate of AddAppNetworksActivity.java, there is a possible way for a guest user to configure WiFi networks due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-224772678. |
| CVE-2024-1733 | 1 Charlestsmith | 1 Word Replacer Pro | 2025-04-18 | N/A | 5.3 MEDIUM | The Word Replacer Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the word_replacer_ultra() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update arbitrary content on the affected WordPress site. |
| CVE-2022-20572 | 1 Google | 1 Android | 2025-04-18 | N/A | 6.7 MEDIUM | In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-234475629. References: Upstream kernel. |
| CVE-2025-27310 | | | 2025-04-17 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Radius of Thought Page and Post Lister allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Page and Post Lister: from n/a through 1.2.1. |
| CVE-2025-31338 | | | 2025-04-17 | N/A | N/A | A missing authorization vulnerability in the retrieve teacher information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to obtain partial user data by accessing the API functionality. |
| CVE-2025-24737 | | | 2025-04-17 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Mat Bao Corporation WP Helper Premium allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Helper Premium: from n/a through 4.6.1. |
| CVE-2025-23773 | | | 2025-04-17 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in mingocommerce Delete All Posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Delete All Posts: from n/a through 1.1.1. |
| CVE-2025-26968 | | | 2025-04-17 | N/A | 7.5 HIGH | Missing Authorization vulnerability in webbernaut Cloak Front End Email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloak Front End Email: from n/a through 1.9.5. |
| CVE-2025-23958 | | | 2025-04-17 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in FADI MED Editor Wysiwyg Background Color allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Wysiwyg Background Color: from n/a through 1.0. |
| CVE-2025-24583 | | | 2025-04-17 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 12 Step Meeting List: from n/a through 3.16.5. |
| CVE-2025-23906 | | | 2025-04-17 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in wpseek WordPress Dashboard Tweeter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Dashboard Tweeter: from n/a through 1.3.2. |
| CVE-2025-24581 | | | 2025-04-17 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Themefic Instantio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Instantio: from n/a through 3.3.7. |
| CVE-2025-39559 | | | 2025-04-17 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Eivin Landa Bring Fraktguiden for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bring Fraktguiden for WooCommerce: from n/a through 1.11.4. |
| CVE-2025-39532 | | | 2025-04-17 | N/A | 7.5 HIGH | Missing Authorization vulnerability in spicethemes Spice Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spice Blocks: from n/a through 2.0.7.1. |
| CVE-2025-32620 | | | 2025-04-17 | N/A | 7.1 HIGH | Missing Authorization vulnerability in fromdoppler Doppler Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Doppler Forms: from n/a through 2.4.5. |
| CVE-2025-39533 | | | 2025-04-17 | N/A | 8.8 HIGH | Missing Authorization vulnerability in Starfish Reviews Starfish Review Generation & Marketing allows Privilege Escalation. This issue affects Starfish Review Generation & Marketing: from n/a through 3.1.14. |
| CVE-2025-39580 | | | 2025-04-17 | N/A | 5.8 MEDIUM | Missing Authorization vulnerability in jidaikobo Dashi allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dashi: from n/a through 3.1.8. |
| CVE-2025-39457 | | | 2025-04-17 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking and Rental Manager: from n/a through 2.2.8. |
| CVE-2025-32544 | | | 2025-04-17 | N/A | 7.5 HIGH | Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through 2.6. |
| CVE-2025-39583 | | | 2025-04-17 | N/A | 7.1 HIGH | Missing Authorization vulnerability in berthaai BERTHA AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through 1.12.10.2. |
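The common thread of most entries above is an action handler that authenticates the caller and then never asks whether that caller may act on the requested object: anyone deletes another user's feedback (CVE-2017-17693), anyone edits another user's favorites (CVE-2017-1000243), an unauthenticated handler runs with no capability check (CVE-2024-1733), and a scope update is accepted although it names environments the caller cannot reach (CVE-2017-17665). The following Python is an added example written for this page, not code from any of those products; the `User`, `Feedback` and store types, the names alice/bob/mallory and the environment names are constructed assumptions. It places the vulnerable handler beside its hardened form for each of the three patterns: object ownership, acting on behalf of another principal, and requiring access to every element of a requested set rather than any one of them.

```python
# Added example (not code from any product listed on this page): the server-side
# authorization checks whose absence is the common thread of CVE-2017-17693,
# CVE-2017-1000243, CVE-2024-1733 and CVE-2017-17665. All data is constructed
# in memory; user, object and environment names are assumptions.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when an authenticated caller is not authorized for the action."""


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    # Environments this user may manage (used by the scope check below).
    environments: frozenset = frozenset()


@dataclass
class Feedback:
    feedback_id: int
    owner: str
    deleted: bool = False


def make_store():
    """Fresh constructed data so every call starts from the same state."""
    return {
        "feedback": {1: Feedback(1, "alice"), 2: Feedback(2, "bob")},
        "favorites": {"alice": set(), "bob": set()},
    }


def delete_feedback_vulnerable(store, user, feedback_id):
    # Authentication happened (we hold a User) but authorization never does:
    # any logged-in user deletes any row, which is the CVE-2017-17693 shape.
    store["feedback"][feedback_id].deleted = True
    return True


def delete_feedback_hardened(store, user, feedback_id):
    # Object-level check: the caller must own the row or be an admin.
    fb = store["feedback"].get(feedback_id)
    if fb is None:
        raise KeyError(feedback_id)
    if not (user.is_admin or fb.owner == user.name):
        raise Forbidden(f"{user.name} may not delete feedback {feedback_id}")
    fb.deleted = True
    return True


def set_favorite_vulnerable(store, actor, target_user, job):
    # target_user comes straight from the request and nothing ties it to the
    # caller, so any user edits any other user's list (CVE-2017-1000243 shape).
    store["favorites"][target_user].add(job)
    return store["favorites"][target_user]


def set_favorite_hardened(store, actor, target_user, job):
    # A user may only change their own favorites unless they are an admin.
    if target_user != actor.name and not actor.is_admin:
        raise Forbidden(f"{actor.name} may not edit favorites of {target_user}")
    store["favorites"][target_user].add(job)
    return store["favorites"][target_user]


def scope_machine_hardened(user, requested_environments):
    # Set-valued scope: the caller needs access to EVERY requested environment,
    # not merely one of them (the gap described for CVE-2017-17665). Reporting
    # the missing elements keeps the denial auditable.
    requested = frozenset(requested_environments)
    missing = requested - user.environments
    if missing and not user.is_admin:
        raise Forbidden(f"{user.name} lacks access to {sorted(missing)}")
    return requested


def demo():
    """Runs the vulnerable and hardened paths side by side; returns outcomes."""
    mallory = User("mallory", environments=frozenset({"dev"}))
    results = {}
    store = make_store()
    results["vuln_delete"] = delete_feedback_vulnerable(store, mallory, 1)
    store = make_store()
    try:
        delete_feedback_hardened(store, mallory, 1)
        results["hard_delete"] = "allowed"
    except Forbidden:
        results["hard_delete"] = "denied"
    try:
        scope_machine_hardened(mallory, {"dev", "production"})
        results["scope"] = "allowed"
    except Forbidden:
        results["scope"] = "denied"
    results["own_scope"] = sorted(scope_machine_hardened(mallory, {"dev"}))
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened handlers raise rather than return a status so that a forgotten check fails closed at the call site; the scope check deliberately computes the difference set, because the error in these cases is usually testing the first element and assuming the rest.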
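CVE-2017-5180 is a different flavour of missing check: a helper running with euid 0 opens a file inside the user's home and follows a symlink the user planted, turning a sandbox setup step into a read or write primitive on root-owned files. The Python below is an added example for this page and is not Firejail's code; the temporary directory, the stand-in "root_secret" file and the reader function names are constructed. It shows the reader that follows the link beside one that inspects the name without following it, opens with `O_NOFOLLOW`, and confirms the opened descriptor is the same inode it inspected so that a link swapped in between the two steps is also refused.

```python
# Added example (not Firejail's code): the symlink check that CVE-2017-5180
# describes as missing for .Xauthority. A helper running as root that reads a
# file chosen by an unprivileged user must not follow a link that user planted.
# Everything below lives in a temporary directory constructed at run time.
import os
import stat
import tempfile


class UnsafePath(Exception):
    """The user-controlled path is a symlink, not a regular file, or wrongly owned."""


def read_user_file_vulnerable(path):
    # open() follows symlinks, so a planted link sends the privileged reader
    # wherever the user points it.
    with open(path, "rb") as f:
        return f.read()


def read_user_file_hardened(path, expected_uid):
    # 1. Look at the name without following it: a symlink is rejected outright,
    #    and so is anything that is not a regular file owned by the expected user.
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        raise UnsafePath(f"{path}: not a regular file")
    if st.st_uid != expected_uid:
        raise UnsafePath(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    # 2. Open with O_NOFOLLOW so a link swapped in after the lstat is refused,
    #    then confirm the open descriptor is the very inode that was inspected.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NOCTTY", 0)
    fd = os.open(path, flags)
    try:
        fst = os.fstat(fd)
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise UnsafePath(f"{path}: file changed between check and open")
        return os.read(fd, fst.st_size)
    finally:
        os.close(fd)


def demo():
    """Builds a home dir with a planted symlink and tries both readers."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "root_secret")   # stands in for a root-only file
        with open(secret, "wb") as f:
            f.write(b"ROOT-ONLY\n")
        home = os.path.join(d, "home")
        os.mkdir(home)
        xauth = os.path.join(home, ".Xauthority")
        os.symlink(secret, xauth)                 # the user's planted link
        out = {"leaked": read_user_file_vulnerable(xauth)}
        try:
            read_user_file_hardened(xauth, os.getuid())
            out["symlink_blocked"] = False
        except UnsafePath:
            out["symlink_blocked"] = True
        # A genuine regular file owned by the user still reads fine ...
        os.unlink(xauth)
        with open(xauth, "wb") as f:
            f.write(b"MIT-MAGIC-COOKIE-1\n")
        out["regular_ok"] = read_user_file_hardened(xauth, os.getuid())
        # ... but the same file is refused when the expected owner differs.
        try:
            read_user_file_hardened(xauth, os.getuid() + 1)
            out["wrong_uid_blocked"] = False
        except UnsafePath:
            out["wrong_uid_blocked"] = True
        return out


if __name__ == "__main__":
    print(demo())
```

The lstat/open/fstat triple is what closes the race: the ownership and type checks alone are defeated by replacing the file between check and use, while `O_NOFOLLOW` alone would still accept a link in a parent directory component.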
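CVE-2017-8217 is a missing check at the network layer rather than in application code: the router's INPUT chain simply never dropped SNMP, so the service answered on every interface. An offline audit of an `iptables-save` dump catches that before the device ships. The Python below is an added example written for this page, not TP-Link's firmware or ruleset; both rulesets, the interface names (`ppp0` as WAN, `br0` as LAN), the user-defined `WAN_IN` chain and the list of management ports are constructed assumptions. It parses the dump, walks each chain with first-match semantics including jumps to user-defined chains, and reports every management service a WAN interface would accept.

```python
# Added example (not TP-Link's firmware or rules): an offline audit of an
# iptables-save filter-table dump that flags management services reachable
# from the WAN side, the condition described for CVE-2017-8217 (SNMP not
# blocked on any interface). Rulesets, interface names and the service list
# are constructed assumptions.
import shlex

# Management services that should never be reachable from the WAN side.
MANAGEMENT_PORTS = {("udp", 161): "snmp", ("tcp", 22): "ssh",
                    ("tcp", 23): "telnet", ("tcp", 80): "http-admin"}

# Constructed dump with the CVE-2017-8217 shape: default ACCEPT and only a
# couple of services explicitly dropped, so udp/161 and tcp/22 stay open.
PERMISSIVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ppp0 -p tcp -m tcp --dport 23 -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j DROP
COMMIT
"""

# Constructed corrected dump: default DROP, LAN and loopback accepted, WAN
# traffic handled in its own chain that only admits what is meant to be public.
HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WAN_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i ppp0 -j WAN_IN
-A WAN_IN -p udp -m udp --dport 161 -j DROP
-A WAN_IN -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_ruleset(dump):
    """Return (policies, chains) from an iptables-save filter table dump."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"chain": toks[1]}
            i = 2
            while i < len(toks):          # keep only the matchers we model
                if toks[i] in ("-i", "-p", "--dport", "-j", "-s", "-d", "-m"):
                    rule[toks[i]] = toks[i + 1]
                    i += 2
                else:
                    i += 1
            chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains


def matches(rule, iface, proto, port):
    if "-i" in rule and rule["-i"] != iface:
        return False
    if "-p" in rule and rule["-p"] != proto:
        return False
    if "--dport" in rule:                 # single port or lo:hi range
        lo, _, hi = rule["--dport"].partition(":")
        if not (int(lo) <= port <= int(hi or lo)):
            return False
    return True


def verdict(policies, chains, chain, iface, proto, port, depth=0):
    """First-match walk of a chain, descending into user-defined chains."""
    for rule in chains.get(chain, []):
        if not matches(rule, iface, proto, port):
            continue
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in chains and depth < 8:
            v = verdict(policies, chains, target, iface, proto, port, depth + 1)
            if v is not None:
                return v
    return policies.get(chain) if depth == 0 else None


def audit(dump, wan_ifaces):
    """Return (iface, service) pairs a WAN interface would ACCEPT."""
    policies, chains = parse_ruleset(dump)
    findings = []
    for iface in wan_ifaces:
        for (proto, port), name in sorted(MANAGEMENT_PORTS.items()):
            if verdict(policies, chains, "INPUT", iface, proto, port) == "ACCEPT":
                findings.append((iface, name))
    return findings


if __name__ == "__main__":
    print("permissive:", audit(PERMISSIVE, ["ppp0"]))
    print("hardened:  ", audit(HARDENED, ["ppp0"]))
```

The walker models only interface, protocol and destination port, which is enough to catch the "no rule at all" case this CVE describes; stateful matches such as `conntrack --ctstate` are ignored, so a real audit should treat any rule it does not understand as a finding to review rather than as a non-match.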