Total
2555 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-29827 | 1 Microsoft | 1 Azure Automation | 2025-06-05 | N/A | 9.9 CRITICAL |
|
Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2023-6837 | 1 Wso2 | 5 Api Manager, Carbon Identity Application Authentication Endpoint, Carbon Identity Application Authentication Framework and 2 more | 2025-06-05 | N/A | 8.5 HIGH |
|
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met:
* An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option.
* A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identif ...
Show More |
|||||
| CVE-2020-16241 | 1 Philips | 2 Suresigns Vs4, Suresigns Vs4 Firmware | 2025-06-04 | 2.1 LOW | 6.3 MEDIUM |
|
Philips SureSigns VS4, A.07.107 and prior
does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
|
|||||
| CVE-2025-48881 | 2025-06-04 | N/A | 8.3 HIGH | ||
|
Valtimo is a platform for Business Process Automation. In versions starting from 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object-urls are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations. This issue has been patched in version 12.13.0.RELEASE. A workaround ...
Show More |
|||||
| CVE-2024-13253 | 1 Advanced Pwa Inc Push Notifications Project | 1 Advanced Pwa Inc Push Notifications | 2025-06-04 | N/A | 9.1 CRITICAL |
|
Incorrect Authorization vulnerability in Drupal Advanced PWA inc Push Notifications allows Forceful Browsing.This issue affects Advanced PWA inc Push Notifications: from 0.0.0 before 1.5.0.
|
|||||
| CVE-2025-25251 | 1 Fortinet | 1 Forticlient | 2025-06-04 | N/A | 7.8 HIGH |
|
An Incorrect Authorization vulnerability [CWE-863] in FortiClient Mac 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14 may allow a local attacker to escalate privileges via crafted XPC messages.
|
|||||
| CVE-2024-13258 | 1 Rest \& Json Api Authentication Project | 1 Rest \& Json Api Authentication | 2025-06-04 | N/A | 9.8 CRITICAL |
|
Incorrect Authorization vulnerability in Drupal Drupal REST & JSON API Authentication allows Forceful Browsing.This issue affects Drupal REST & JSON API Authentication: from 0.0.0 before 2.0.13.
|
|||||
| CVE-2024-13257 | 1 Commerce View Receipt Project | 1 Commerce View Receipt | 2025-06-04 | N/A | 5.3 MEDIUM |
|
Incorrect Authorization vulnerability in Drupal Commerce View Receipt allows Forceful Browsing.This issue affects Commerce View Receipt: from 0.0.0 before 1.0.3.
|
|||||
| CVE-2025-25026 | 1 Ibm | 1 Security Guardium | 2025-06-04 | N/A | 4.3 MEDIUM |
|
IBM Security Guardium 12.0 could allow an authenticated user to obtain sensitive information due to an incorrect authentication check.
|
|||||
| CVE-2025-3260 | 2025-06-02 | N/A | 8.3 HIGH | ||
|
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1).
Impact:
- Viewers can view all dashboards/folders regardless of permissions
- Editors can view/edit/delete all dashboards/folders regardless of permissions
- Editors can create dashboards in any folder regardless of permissions
- Anonymous users with viewer/editor roles are si ...
Show More |
|||||
| CVE-2025-3475 | 1 Europa | 1 Web-t | 2025-06-02 | N/A | 6.5 MEDIUM |
|
Allocation of Resources Without Limits or Throttling, Incorrect Authorization vulnerability in Drupal WEB-T allows Excessive Allocation, Content Spoofing.This issue affects WEB-T: from 0.0.0 before 1.1.0.
|
|||||
| CVE-2025-31673 | 1 Drupal | 1 Drupal | 2025-06-02 | N/A | 4.6 MEDIUM |
|
Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
|
|||||
| CVE-2023-50726 | 1 Argoproj | 1 Argo Cd | 2025-06-02 | N/A | 6.4 MEDIUM |
|
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All othe ...
Show More |
|||||
| CVE-2022-26767 | 1 Apple | 1 Macos | 2025-05-30 | 4.3 MEDIUM | 5.5 MEDIUM |
|
The issue was addressed with additional permissions checks. This issue is fixed in macOS Monterey 12.4, macOS Big Sur 11.6.6. A malicious application may be able to bypass Privacy preferences.
|
|||||
| CVE-2023-26097 | 1 Telindus | 1 Apsal | 2025-05-30 | N/A | 8.4 HIGH |
|
An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked.
|
|||||
| CVE-2018-10212 | 1 Vaultize | 1 Enterprise File Sharing | 2025-05-30 | 5.5 MEDIUM | 5.4 MEDIUM |
|
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization leading to creation of folders within another account via a modified device value.
|
|||||
| CVE-2025-1110 | 1 Gitlab | 1 Gitlab | 2025-05-29 | N/A | 2.7 LOW |
|
An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.
|
|||||
| CVE-2024-22938 | 1 Bosscms | 1 Bosscms | 2025-05-29 | N/A | 7.8 HIGH |
|
Insecure Permissions vulnerability in BossCMS v.1.3.0 allows a local attacker to execute arbitrary code and escalate privileges via the init function in admin.class.php component.
|
|||||
| CVE-2024-50419 | 1 Greenshiftwp | 1 Greenshift - Animation And Page Builder Blocks | 2025-05-28 | N/A | 5.4 MEDIUM |
|
Incorrect Authorization vulnerability in Wpsoul Greenshift – animation and page builder blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift – animation and page builder blocks: from n/a through 9.7.
|
|||||
| CVE-2024-31403 | 1 Cybozu | 1 Garoon | 2025-05-28 | N/A | 5.4 MEDIUM |
|
Incorrect authorization vulnerability in Cybozu Garoon 5.0.0 to 6.0.0 allows a remote authenticated attacker to alter and/or obtain the data of Memo.
|
|||||
| CVE-2024-27138 | 1 Apache | 1 Archiva | 2025-05-28 | N/A | 7.5 HIGH |
|
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva.
Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolate your instance from any untrusted users.
NOTE: This vulnerability only affects products that are no longer supporte ...
Show More |
|||||
| CVE-2024-27139 | 1 Apache | 1 Archiva | 2025-05-28 | N/A | 7.5 HIGH |
|
** UNSUPPORTED WHEN ASSIGNED **
Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover.
This issue affects Apache Archiva: from 2.0.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects pro ...
Show More |
|||||
| CVE-2019-15941 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2025-05-28 | 7.5 HIGH | 9.8 CRITICAL |
|
OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.
|
|||||
| CVE-2023-49246 | 1 Huawei | 2 Emui, Harmonyos | 2025-05-28 | N/A | 7.5 HIGH |
|
Unauthorized access vulnerability in the card management module. Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2025-4101 | 1 Multivendorx | 1 Multivendorx | 2025-05-28 | N/A | 4.3 MEDIUM |
|
The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22.
|
|||||
| CVE-2025-30171 | 2025-05-23 | N/A | 9.0 CRITICAL | ||
|
System File Deletion vulnerabilities in ASPECT provide attackers access to delete system files if session administrator credentials become compromised.
This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
|
|||||
| CVE-2024-13947 | 2025-05-23 | N/A | 6.0 MEDIUM | ||
|
Device commissioning parameters in ASPECT may be modified by an external source if administrative credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
|
|||||
| CVE-2023-50777 | 1 Jenkins | 1 Paaslane Estimate | 2025-05-22 | N/A | 4.3 MEDIUM |
|
Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
|
|||||
| CVE-2023-47320 | 1 Silverpeas | 1 Silverpeas | 2025-05-22 | N/A | 8.1 HIGH |
|
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users. This affects Silverpeas Core 6.3.1 and below.
|
|||||
| CVE-2019-10964 | 1 Medtronic | 38 Minimed 508, Minimed 508 Firmware, Minimed Paradigm 511 and 35 more | 2025-05-22 | 5.8 MEDIUM | 7.1 HIGH |
|
Medtronic MiniMed Insulin Pumps
are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control ins ...
Show More |
|||||
| CVE-2022-3024 | 1 Simple Bitcoin Faucets Project | 1 Simple Bitcoin Faucets | 2025-05-22 | N/A | 5.4 MEDIUM |
|
The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues
|
|||||
| CVE-2025-1416 | 2025-05-21 | N/A | N/A | ||
|
In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targetted devices, which might be obtained by exploiting CVE-2025-1415 or CVE-2025-1417.
This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).
|
|||||
| CVE-2025-1418 | 2025-05-21 | N/A | N/A | ||
|
A low-privileged user can access information about profiles created in Proget MDM (Mobile Device Management), which contain details about allowed/prohibited functions. The profiles do not reveal any sensitive information (including their usage in connected devices).
This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).
|
|||||
| CVE-2025-1417 | 2025-05-21 | N/A | N/A | ||
|
In Proget MDM, a low-privileged user can access information about changes contained in backups of all devices managed by the MDM (Mobile Device Management). This information include user ids, email addresses, first names, last names and device UUIDs. The last one can be used for exploitation of CVE-2025-1416.
Successful exploitation requires UUID of a targeted backup, which cannot be brute forced.
This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).
|
|||||
| CVE-2025-1415 | 2025-05-21 | N/A | N/A | ||
|
A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices like their UUIDs needed for exploitation of CVE-2025-1416.
In order to perform the attack, one has to know a task_id, but since it's a low integer and there is no limit of requests an attacker can perform to a vulnerable endpoint, the task_id might be simply brute forced.
This issue has been fixed in 2.17.5 version of Konsola ...
Show More |
|||||
| CVE-2024-21120 | 1 Oracle | 1 Outside In Technology | 2025-05-21 | N/A | 5.3 MEDIUM |
|
Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Core). Supported versions that are affected are 8.5.6 and 8.5.7. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Outside In Technology executes to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Outside In Technolo ...
Show More |
|||||
| CVE-2022-3048 | 2 Fedoraproject, Google | 3 Fedora, Chrome, Chrome Os | 2025-05-21 | N/A | 6.8 MEDIUM |
|
Inappropriate implementation in Chrome OS lockscreen in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a local attacker to bypass lockscreen navigation restrictions via physical access to the device.
|
|||||
| CVE-2022-40816 | 1 Zammad | 1 Zammad | 2025-05-21 | N/A | 6.5 MEDIUM |
|
Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be able to fetch personal data of other users by querying the Zammad API. This issue is fixed in , 5.2.2.
|
|||||
| CVE-2024-5071 | 1 Wpbookster | 1 Bookster | 2025-05-19 | N/A | 6.5 MEDIUM |
|
The Bookster WordPress plugin through 1.1.0 allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to approved.
|
|||||
| CVE-2025-43565 | 1 Adobe | 1 Coldfusion | 2025-05-19 | N/A | 8.4 HIGH |
|
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed.
|
|||||