Total
2304 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0237 | 2 Mozilla, Redhat | 8 Firefox, Thunderbird, Enterprise Linux and 5 more | 2025-04-03 | 5.4 Medium |
| The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. | ||||
| CVE-2001-1155 | 1 Freebsd | 1 Freebsd | 2025-04-03 | 9.8 Critical |
| TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the PARANOID ACL option enabled does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing. | ||||
| CVE-2005-2136 | 1 Raritan | 10 Dominion Sx16, Dominion Sx16 Firmware, Dominion Sx32 and 7 more | 2025-04-03 | N/A |
| Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, and DSXA-48 set (1) world-readable permissions for /etc/shadow and (2) world-writable permissions for /bin/busybox, which allows local users to obtain hashed passwords or execute arbitrary code as other users. | ||||
| CVE-2025-21403 | 1 Microsoft | 1 On-prem Data Gateway | 2025-04-02 | 6.4 Medium |
| On-Premises Data Gateway Information Disclosure Vulnerability | ||||
| CVE-2021-34648 | 1 Ninjaforms | 1 Ninja Forms | 2025-03-31 | 6.4 Medium |
| The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API which can be used to socially engineer victims. | ||||
| CVE-2021-34647 | 1 Ninjaforms | 1 Ninja Forms | 2025-03-31 | 6.5 Medium |
| The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information. | ||||
| CVE-2021-39321 | 1 Heateor | 1 Sassy Social Share | 2025-03-31 | 8.8 High |
| Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user supplied inputs via the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. This can be exploited by underprivileged authenticated users due to a missing capability check on the import_config function. | ||||
| CVE-2021-39341 | 1 Optinmonster | 1 Optinmonster | 2025-03-31 | 8.2 High |
| The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4. | ||||
| CVE-2024-20466 | 1 Cisco | 1 Identity Services Engine | 2025-03-31 | 6.5 Medium |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability is due to improper enforcement of administrative privilege levels for high-value sensitive data. An attacker with read-only Administrator privileges for the web-based management interface on an affected device could exploit this vulnerability by browsing to a page that contains sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system. | ||||
| CVE-2024-9082 | 2 Oretnom23, Sourcecodester | 2 Online Eyewear Shop, Online Eyewear Shop | 2025-03-31 | 6.3 Medium |
| A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save of the component User Creation Handler. The manipulation of the argument Type with the input 1 leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-23751 | 1 Joomla | 1 Joomla\! | 2025-03-29 | 4.3 Medium |
| An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs. | ||||
| CVE-2024-0043 | 1 Google | 1 Android | 2025-03-29 | 7.8 High |
| In multiple locations, there is a possible notification listener grant to an app running in the work profile due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2024-31402 | 1 Cybozu | 1 Garoon | 2025-03-28 | 4.3 Medium |
| Incorrect authorization vulnerability in Cybozu Garoon 5.0.0 to 5.15.2 allows a remote authenticated attacker to delete the data of Shared To-Dos. | ||||
| CVE-2025-2003 | 1 Devolutions | 1 Devolutions Server | 2025-03-28 | 7.1 High |
| Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root' permission. | ||||
| CVE-2024-12148 | 1 Devolutions | 1 Devolutions Server | 2025-03-28 | 4.3 Medium |
| Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints. | ||||
| CVE-2024-12196 | 1 Devolutions | 1 Devolutions Server | 2025-03-28 | 6.5 Medium |
| Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission. | ||||
| CVE-2024-11670 | 1 Devolutions | 1 Remote Desktop Manager | 2025-03-28 | 5.4 Medium |
| Incorrect authorization in the permission validation component of Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows a malicious authenticated user to bypass the "View Password" permission via specific actions. | ||||
| CVE-2024-11672 | 1 Devolutions | 1 Remote Desktop Manager | 2025-03-28 | 4.3 Medium |
| Incorrect authorization in the add permission component in Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows an authenticated malicious user to bypass the "Add" permission via the import in vault feature. | ||||
| CVE-2024-6979 | 1 Axis | 1 Axis Os | 2025-03-28 | 6.8 Medium |
| Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts. Axis has released patched AXIS OS a version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | ||||
| CVE-2025-0359 | 2025-03-28 | 8.5 High | ||
| During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods within the framework. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | ||||