Total
2555 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23739 | 1 Github | 1 Enterprise Server | 2025-04-08 | N/A | 9.8 CRITICAL |
|
An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that are not tied to a repository regardless of granted permissions, such as users and organization-wide projects. Resources associated with repositories were not impacted, such as repository file content, rep ...
Show More |
|||||
| CVE-2024-1307 | 1 Rednao | 1 Smart Forms | 2025-04-08 | N/A | 6.5 MEDIUM |
|
The Smart Forms WordPress plugin before 2.6.94 does not have proper authorization in some actions, which could allow users with a role as low as a subscriber to call them and perform unauthorized actions
|
|||||
| CVE-2025-31331 | 2025-04-08 | N/A | 4.3 MEDIUM | ||
|
SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code without proper authorization. This vulnerability compromises the confidentiality.
|
|||||
| CVE-2022-4167 | 1 Gitlab | 1 Gitlab | 2025-04-08 | N/A | 5.3 MEDIUM |
|
Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.
|
|||||
| CVE-2025-31481 | 2025-04-08 | N/A | 7.5 HIGH | ||
|
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.
|
|||||
| CVE-2023-22945 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2025-04-07 | N/A | 4.3 MEDIUM |
|
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.
|
|||||
| CVE-2024-38392 | 2025-04-07 | N/A | 9.1 CRITICAL | ||
|
Pexip Infinity Connect before 1.13.0 lacks sufficient authenticity checks during the loading of resources, and thus remote attackers can cause the application to run untrusted code.
|
|||||
| CVE-2024-54530 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-04-04 | N/A | 9.1 CRITICAL |
|
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, watchOS 11.2, visionOS 2.2, iOS 18.2 and iPadOS 18.2. Password autofill may fill in passwords after failing authentication.
|
|||||
| CVE-2005-2136 | 1 Raritan | 10 Dominion Sx16, Dominion Sx16 Firmware, Dominion Sx32 and 7 more | 2025-04-03 | 4.6 MEDIUM | N/A |
|
Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, and DSXA-48 set (1) world-readable permissions for /etc/shadow and (2) world-writable permissions for /bin/busybox, which allows local users to obtain hashed passwords or execute arbitrary code as other users.
|
|||||
| CVE-2001-1155 | 1 Freebsd | 1 Freebsd | 2025-04-03 | 7.5 HIGH | 9.8 CRITICAL |
|
TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the PARANOID ACL option enabled does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing.
|
|||||
| CVE-2024-20466 | 1 Cisco | 1 Identity Services Engine | 2025-03-31 | N/A | 6.5 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device.
This vulnerability is due to improper enforcement of administrative privilege levels for high-value sensitive data. An attacker with read-only Administrator privileges for the web-based management interface on an affected device could exploit this vulnerability by browsing to a page that contains s ...
Show More |
|||||
| CVE-2024-0043 | 1 Google | 1 Android | 2025-03-29 | N/A | 7.8 HIGH |
|
In multiple locations, there is a possible notification listener grant to an app running in the work profile due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
|
|||||
| CVE-2024-31402 | 1 Cybozu | 1 Garoon | 2025-03-28 | N/A | 4.3 MEDIUM |
|
Incorrect authorization vulnerability in Cybozu Garoon 5.0.0 to 5.15.2 allows a remote authenticated attacker to delete the data of Shared To-Dos.
|
|||||
| CVE-2025-2003 | 1 Devolutions | 1 Devolutions Server | 2025-03-28 | N/A | 7.1 HIGH |
|
Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root' permission.
|
|||||
| CVE-2024-12148 | 1 Devolutions | 1 Devolutions Server | 2025-03-28 | N/A | 4.3 MEDIUM |
|
Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.
|
|||||
| CVE-2024-12196 | 1 Devolutions | 1 Devolutions Server | 2025-03-28 | N/A | 6.5 MEDIUM |
|
Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.
|
|||||
| CVE-2024-11670 | 1 Devolutions | 1 Remote Desktop Manager | 2025-03-28 | N/A | 5.4 MEDIUM |
|
Incorrect authorization in the permission validation component of Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows a malicious authenticated user to bypass the "View Password" permission via specific actions.
|
|||||
| CVE-2024-11672 | 1 Devolutions | 1 Remote Desktop Manager | 2025-03-28 | N/A | 4.3 MEDIUM |
|
Incorrect authorization in the add permission component in Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows an authenticated malicious user to bypass the "Add" permission via the import in vault feature.
|
|||||
| CVE-2024-2915 | 1 Devolutions | 1 Devolutions Server | 2025-03-27 | N/A | 8.8 HIGH |
|
Improper access control in PAM JIT elevation in Devolutions Server 2024.1.6 and earlier allows an attacker with access to the PAM JIT elevation feature to elevate themselves to unauthorized groups via a specially crafted request.
|
|||||
| CVE-2022-45172 | 1 Liveboxcloud | 1 Vdesk | 2025-03-27 | N/A | 9.8 CRITICAL |
|
An issue was discovered in LIVEBOX Collaboration vDesk before v018. Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected by flaws in authorization logic, through which a malicious user (with no privileges) is able to perform privilege escalation to the administrator role, and steal the accounts of any users on the system.
|
|||||
| CVE-2023-24829 | 1 Apache | 1 Iotdb | 2025-03-27 | N/A | 8.8 HIGH |
|
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database.
This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.
|
|||||
| CVE-2025-30741 | 2025-03-27 | N/A | 4.3 MEDIUM | ||
|
Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instance.
|
|||||
| CVE-2023-50811 | 1 Seling | 1 Visual Access Manager | 2025-03-27 | N/A | 6.5 MEDIUM |
|
An issue discovered in SELESTA Visual Access Manager 4.38.6 allows attackers to modify the “computer” POST parameter related to the ID of a specific reception by POST HTTP request interception. Iterating that parameter, it has been possible to access to the application and take control of many other receptions in addition the assigned one.
|
|||||
| CVE-2025-25274 | 1 Mattermost | 1 Mattermost Server | 2025-03-27 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
|
|||||
| CVE-2025-27715 | 1 Mattermost | 1 Mattermost Server | 2025-03-27 | N/A | 3.3 LOW |
|
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them.
|
|||||
| CVE-2025-27933 | 1 Mattermost | 1 Mattermost Server | 2025-03-27 | N/A | 5.4 MEDIUM |
|
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public
|
|||||
| CVE-2025-30179 | 1 Mattermost | 1 Mattermost Server | 2025-03-27 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
|
|||||
| CVE-2025-24920 | 1 Mattermost | 1 Mattermost Server | 2025-03-27 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels
|
|||||
| CVE-2023-24029 | 1 Progress | 1 Ws Ftp Server | 2025-03-26 | N/A | 7.2 HIGH |
|
In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows.
|
|||||
| CVE-2023-23751 | 1 Joomla | 1 Joomla\! | 2025-03-26 | N/A | 4.3 MEDIUM |
|
An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.
|
|||||
| CVE-2023-52538 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-25 | N/A | 9.1 CRITICAL |
|
Vulnerability of package name verification being bypassed in the HwIms module.
Impact: Successful exploitation of this vulnerability will affect availability.
|
|||||
| CVE-2024-40530 | 2025-03-24 | N/A | 7.5 HIGH | ||
|
A vulnerability in Pantera CRM versions 401.152 and 402.072 allows unauthorized attackers to bypass IP-based access controls by manipulating the X-Forwarded-For header.
|
|||||
| CVE-2024-44305 | 1 Apple | 1 Macos | 2025-03-24 | N/A | 7.8 HIGH |
|
This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.6. An app may be able to gain root privileges.
|
|||||
| CVE-2025-24099 | 1 Apple | 1 Macos | 2025-03-24 | N/A | 5.1 MEDIUM |
|
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.3, macOS Ventura 13.7.3, macOS Sonoma 14.7.3. A local attacker may be able to elevate their privileges.
|
|||||
| CVE-2024-44136 | 1 Apple | 2 Ipados, Iphone Os | 2025-03-22 | N/A | 4.6 MEDIUM |
|
This issue was addressed through improved state management. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access to a device may be able to disable Stolen Device Protection.
|
|||||
| CVE-2024-2098 | 1 W3eden | 1 Download Manager | 2025-03-21 | N/A | 7.5 HIGH |
|
The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.
|
|||||
| CVE-2025-27138 | 1 Dataease | 1 Dataease | 2025-03-21 | N/A | 9.8 CRITICAL |
|
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which may cause the risk of unauthorized access. The vulnerability has been fixed in v2.10.6. No known workarounds are available.
|
|||||
| CVE-2023-0133 | 1 Google | 2 Android, Chrome | 2025-03-20 | N/A | 6.5 MEDIUM |
|
Inappropriate implementation in in Permission prompts in Google Chrome on Android prior to 109.0.5414.74 allowed a remote attacker to bypass main origin permission delegation via a crafted HTML page. (Chromium security severity: Medium)
|
|||||
| CVE-2022-45168 | 1 Liveboxcloud | 1 Vdesk | 2025-03-20 | N/A | 6.5 MEDIUM |
|
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes before checking the TOTP.
|
|||||
| CVE-2024-36265 | 1 Apache | 1 Submarine | 2025-03-19 | N/A | 9.8 CRITICAL |
|
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Submarine Server Core.
This issue affects Apache Submarine Server Core: from 0.8.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||