Total: 6931 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2015-8840 | 1 Sap | 1 Netweaver Application Server Java | 2025-04-12 | 6.5 MEDIUM | 8.8 HIGH | The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. |
| CVE-2015-0571 | 1 Linux | 1 Linux Kernel | 2025-04-12 | 9.3 HIGH | 7.8 HIGH | The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify authorization for private SET IOCTL calls, which allows attackers to gain privileges via a crafted application, related to wlan_hdd_hostapd.c and wlan_hdd_wext.c. |
| CVE-2021-45467 | 1 Control-webpanel | 1 Webpanel | 2025-04-12 | N/A | 9.8 CRITICAL | In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter. |
| CVE-2024-55073 | 1 Mealie | 1 Mealie | 2025-04-11 | N/A | 7.6 HIGH | A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household. |
| CVE-2024-55070 | 1 Mealie | 1 Mealie | 2025-04-11 | N/A | 3.1 LOW | A Broken Object Level Authorization vulnerability in the component /households/permissions of hay-kot mealie v2.2.0 allows group managers to edit their own permissions. |
| CVE-2025-2832 | 1 Mingyuefusu | 1 Library Management System | 2025-04-11 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in mingyuefusu 明月复苏 tushuguanlixitong 图书管理系统 up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-26888 | | | 2025-04-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in OnTheGoSystems WooCommerce Multilingual & Multicurrency allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Multilingual & Multicurrency: from n/a through 5.3.8. |
| CVE-2025-32213 | | | 2025-04-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in flothemesplugins Flo Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flo Forms: from n/a through 1.0.43. |
| CVE-2025-3417 | | | 2025-04-11 | N/A | 8.8 HIGH | The Embedder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_set_global_option() function in versions 1.3 to 1.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain ... |
| CVE-2025-32221 | | | 2025-04-11 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in Spider Themes EazyDocs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EazyDocs: from n/a through 2.6.4. |
| CVE-2025-32210 | | | 2025-04-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in CreativeMindsSolutions CM Registration and Invitation Codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Registration and Invitation Codes: from n/a through 2.5.2. |
| CVE-2025-2719 | | | 2025-04-11 | N/A | 6.5 MEDIUM | The Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in versions 1.2.8 to 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 1/true on the WordPress site. This can be leveraged to update an option that would create an ... |
| CVE-2025-32236 | | | 2025-04-11 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Vagonic Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic. This issue affects Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic: from n/a through 1.9. |
| CVE-2025-32243 | | | 2025-04-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Toast Plugins Internal Link Optimiser allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Internal Link Optimiser: from n/a through 5.1.2. |
| CVE-2025-32244 | | | 2025-04-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in QuantumCloud SEO Help allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SEO Help: from n/a through 6.6.1. |
| CVE-2025-32242 | | | 2025-04-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Hive Support Hive Support allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Hive Support: from n/a through 1.2.2. |
| CVE-2025-32542 | | | 2025-04-11 | N/A | 8.8 HIGH | Missing Authorization vulnerability in EazyPlugins Eazy Plugin Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eazy Plugin Manager: from n/a through 4.3.0. |
| CVE-2025-32259 | | | 2025-04-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Alimir WP ULike. This issue affects WP ULike: from n/a through 4.7.9.1. |
| CVE-2025-32216 | | | 2025-04-11 | N/A | 6.4 MEDIUM | Missing Authorization vulnerability in Spider Themes Spider Elements – Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spider Elements – Addons for Elementor: from n/a through 1.6.2. |
| CVE-2025-32260 | | | 2025-04-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Detheme DethemeKit For Elementor. This issue affects DethemeKit For Elementor: from n/a through 2.1.10. |
| CVE-2025-32208 | | | 2025-04-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Hive Support Hive Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hive Support: from n/a through 1.2.2. |
| CVE-2025-31041 | | | 2025-04-11 | N/A | 7.5 HIGH | Missing Authorization vulnerability in NotFound AnyTrack Affiliate Link Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyTrack Affiliate Link Manager: from n/a through 1.0.4. |
| CVE-2025-32212 | | | 2025-04-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Specia Theme Specia Companion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Specia Companion: from n/a through 4.6. |
| CVE-2025-32240 | | | 2025-04-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in NotFound Site Notify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Site Notify: from n/a through 1.0. |
| CVE-2024-37255 | 1 Wpmet | 1 Elements Kit Elementor Addons | 2025-04-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Wpmet Elements kit Elementor addons allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Elements kit Elementor addons: from n/a through 3.1.4. |
| CVE-2022-45819 | 1 Code-atlantic | 1 Popup Maker | 2025-04-11 | N/A | 3.5 LOW | Missing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Popup Maker: from n/a through 1.17.1. |
| CVE-2022-45826 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2025-04-11 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through 2.9.13. |
| CVE-2022-47594 | 1 Wpdeveloper | 1 Essential Blocks | 2025-04-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Blocks for Gutenberg: from n/a through 3.8.5. |
| CVE-2021-35001 | 1 Bmc | 1 Track-It! | 2025-04-11 | N/A | 6.5 MEDIUM | BMC Track-It! GetData Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetData endpoint. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to furth ... |
| CVE-2025-32220 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-11 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in Dimitri Grassi Salon booking system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salon booking system: from n/a through 10.10.7. |
| CVE-2012-4245 | 1 Gimp | 1 Gimp | 2025-04-11 | 6.8 MEDIUM | N/A | The scriptfu network server in GIMP 2.6 does not require authentication, which allows remote attackers to execute arbitrary commands via the python-fu-eval command. |
| CVE-2024-7031 | 1 Ninjateam | 1 Filester | 2025-04-10 | N/A | 7.5 HIGH | The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with a role that has been granted permissions by an Administrator, to update the plugin settings for user role restrictions, including allowing file types such as .php to be uploaded. |
| CVE-2025-26378 | 1 Q-free | 1 Maxtime | 2025-04-10 | N/A | 8.8 HIGH | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests. |
| CVE-2025-26367 | 1 Q-free | 1 Maxtime | 2025-04-10 | N/A | 4.3 MEDIUM | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests. |
| CVE-2025-26371 | 1 Q-free | 1 Maxtime | 2025-04-10 | N/A | 8.8 HIGH | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests. |
| CVE-2025-26376 | 1 Q-free | 1 Maxtime | 2025-04-10 | N/A | 6.5 MEDIUM | A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests. |
| CVE-2024-33914 | 1 Exclusiveaddons | 1 Exclusive Addons For Elementor | 2025-04-10 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Exclusive Addons Exclusive Addons Elementor. This issue affects Exclusive Addons Elementor: from n/a through 2.6.9.1. |
| CVE-2022-44437 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-04-10 | N/A | 5.5 MEDIUM | In messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. |
| CVE-2022-3911 | 1 Iubenda | 1 Iubenda-cookie-law-solution | 2025-04-10 | N/A | 8.8 HIGH | The iubenda WordPress plugin before 3.3.3 does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated user, such as a subscriber, can grant themselves any privileges, such as edit_plugins. |
| CVE-2025-26368 | 1 Q-free | 1 Maxtime | 2025-04-10 | N/A | 8.1 HIGH | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests. |