Total
2148 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-31673 | 2025-04-29 | 4.6 Medium | ||
| Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. | ||||
| CVE-2022-36785 | 1 Dlink | 2 G Integrated Access Device4, G Integrated Access Device4 Firmware | 2025-04-29 | 7.5 High |
| D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. *Information Disclosure – file contains a URL with private IP at line 15 "login.asp" A. The window.location.href = http://192.168.1.1/setupWizard.asp" http://192.168.1.1/setupWizard.asp" ; "admin" – contains default username value "login.asp" B. While accessing the web interface, the login form at *Authorization Bypass – URL by "setupWizard.asp' while it blocks direct access to – the web interface does not properly validate user identity variables values located at the client side, it is available to access it without a "login_glag" and "login_status" checking browser and to read the admin user credentials for the web interface. | ||||
| CVE-2022-24189 | 1 Sz-fujia | 1 Ourphoto | 2025-04-29 | 6.5 Medium |
| The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other users unique identifiers and enumerate information of all other end-users. | ||||
| CVE-2025-41423 | 2025-04-29 | 3.1 Low | ||
| Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions. | ||||
| CVE-2025-3647 | 2025-04-29 | 4.3 Medium | ||
| A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve. | ||||
| CVE-2025-3644 | 2025-04-29 | 4.3 Medium | ||
| A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify. | ||||
| CVE-2025-46544 | 2025-04-29 | 6.4 Medium | ||
| In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. | ||||
| CVE-2025-3645 | 2025-04-29 | 4.3 Medium | ||
| A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses. | ||||
| CVE-2025-3861 | 2025-04-29 | 5.4 Medium | ||
| The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data| due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to access and change the protection status of media. | ||||
| CVE-2025-3963 | 2025-04-29 | 7.3 High | ||
| A vulnerability, which was classified as critical, has been found in withstars Books-Management-System 1.0. This issue affects some unknown processing of the file /admin/article/list of the component Background Interface. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-3960 | 2025-04-29 | 7.3 High | ||
| A vulnerability was found in withstars Books-Management-System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /allreaders.html of the component Background Interface. The manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-43921 | 1 Gnu | 1 Mailman | 2025-04-28 | 5.3 Medium |
| GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to create lists via the /mailman/create endpoint. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used. | ||||
| CVE-2024-25170 | 1 Jupo | 1 Mezzanine | 2025-04-28 | 9.1 Critical |
| An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header. | ||||
| CVE-2025-22228 | 1 Redhat | 1 Apache Camel Spring Boot | 2025-04-25 | 7.4 High |
| BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same. | ||||
| CVE-2024-42451 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-04-24 | 6.5 Medium |
| A vulnerability in Veeam Backup & Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol, ultimately retrieving the credentials using a malicious setup on the attacker's side. This exposes sensitive data, which could be used for further attacks, including unauthorized access to systems managed by the platform. | ||||
| CVE-2024-42452 | 1 Veeam | 2 Agent, Veeam Backup \& Replication | 2025-04-24 | 8.8 High |
| A vulnerability in Veeam Backup & Replication allows a low-privileged user to start an agent remotely in server mode and obtain credentials, effectively escalating privileges to system-level access. This allows the attacker to upload files to the server with elevated privileges. The vulnerability exists because remote calls bypass permission checks, leading to full system compromise. | ||||
| CVE-2024-45204 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-04-24 | 4.3 Medium |
| A vulnerability exists where a low-privileged user can exploit insufficient permissions in credential handling to leak NTLM hashes of saved credentials. The exploitation involves using retrieved credentials to expose sensitive NTLM hashes, impacting systems beyond the initial target and potentially leading to broader security vulnerabilities. | ||||
| CVE-2022-44039 | 1 Franklinfueling | 1 Colibri Firmware | 2025-04-24 | 9.8 Critical |
| Franklin Fueling System FFS Colibri 1.9.22.8925 is affected by: File system overwrite. The impact is: File system rewrite (remote). ¶¶ An attacker can overwrite system files like [system.conf] and [passwd], this occurs because the insecure usage of "fopen" system function with the mode "wb" which allows overwriting file if exists. Overwriting files such as passwd, allows an attacker to escalate his privileges by planting backdoor user with root privilege or change root password. | ||||
| CVE-2025-26853 | 1 Descor | 1 Infocad | 2025-04-23 | 10 Critical |
| DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 has a broken authorization schema. | ||||
| CVE-2022-21678 | 1 Discourse | 1 Discourse | 2025-04-23 | 4.3 Medium |
| Discourse is an open source discussion platform. Prior to version 2.8.0.beta11 in the `tests-passed` branch, version 2.8.0.beta11 in the `beta` branch, and version 2.7.13 in the `stable` branch, the bios of users who made their profiles private were still visible in the `<meta>` tags on their users' pages. The problem is patched in `tests-passed` version 2.8.0.beta11, `beta` version 2.8.0.beta11, and `stable` version 2.7.13 of Discourse. | ||||