Total
846 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-29927 | 2025-04-08 | 9.1 Critical | ||
| Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3. | ||||
| CVE-2025-3202 | 2025-04-07 | 7.3 High | ||
| A vulnerability classified as critical has been found in ageerle ruoyi-ai up to 2.0.0. Affected is an unknown function of the file ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/controller/system/SysNoticeController.java. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.1 is able to address this issue. The name of the patch is 6382e177bf90cc56ff70521842409e35c50df32d. It is recommended to upgrade the affected component. | ||||
| CVE-2025-3199 | 2025-04-07 | 7.3 High | ||
| A vulnerability was found in ageerle ruoyi-ai up to 2.0.1 and classified as critical. Affected by this issue is some unknown functionality of the file ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/controller/system/SysModelController.java of the component API Interface. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.2 is able to address this issue. The name of the patch is c0daf641fb25b244591b7a6c3affa35c69d321fe. It is recommended to upgrade the affected component. | ||||
| CVE-2025-2638 | 1 Jizhicms | 1 Jizhicms | 2025-04-02 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in JIZHICMS up to 1.7.0. This affects an unknown part of the file /user/release.html of the component Article Handler. The manipulation of the argument ishot with the input 1 leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2637 | 1 Jizhicms | 1 Jizhicms | 2025-04-02 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in JIZHICMS up to 1.7.0. Affected by this issue is some unknown functionality of the file /user/userinfo.html of the component Account Profile Page. The manipulation of the argument jifen leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-3740 | 1 Gitlab | 1 Gitlab | 2025-04-02 | 6.5 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass External Authorization check, if it is enabled, to access git repositories and package registries by using Deploy tokens or Deploy keys . | ||||
| CVE-2025-21275 | 1 Microsoft | 8 Windows 10 21h2, Windows 10 22h2, Windows 11 22h2 and 5 more | 2025-04-02 | 7.8 High |
| Windows App Package Installer Elevation of Privilege Vulnerability | ||||
| CVE-2025-21348 | 1 Microsoft | 1 Sharepoint Server | 2025-04-02 | 7.2 High |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||
| CVE-2024-44314 | 1 Tastyigniter | 1 Tastyigniter | 2025-04-02 | 6.5 Medium |
| TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System, allowing unauthorized users to update order statuses. The issue occurs in the index_onUpdateStatus() function within Orders.php, which fails to verify if the user has permission to modify an order's status. This flaw can be exploited remotely, leading to unauthorized order manipulation. | ||||
| CVE-2024-13060 | 1 Mintplexlabs | 1 Anythingllm Docker | 2025-04-01 | 4.3 Medium |
| A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1. | ||||
| CVE-2025-3013 | 2025-04-01 | N/A | ||
| Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references. | ||||
| CVE-2025-3014 | 2025-04-01 | N/A | ||
| Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references. | ||||
| CVE-2025-28131 | 2025-04-01 | 4.6 Medium | ||
| A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability. | ||||
| CVE-2025-2589 | 1 Code-projects | 1 Human Resource Management | 2025-04-01 | 5.5 Medium |
| A vulnerability was found in code-projects Human Resource Management System 1.0.1 and classified as critical. This issue affects the function Index of the file \handler\Account.go. The manipulation of the argument user_cookie leads to improper authorization. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-33749 | 1 Dedecms | 1 Dedecms | 2025-04-01 | 9.1 Critical |
| DedeCMS V5.7.114 is vulnerable to deletion of any file via mail_file_manage.php. | ||||
| CVE-2025-2600 | 2025-04-01 | 6.8 Medium | ||
| Improper authorization in the variable component in Devolutions Remote Desktop Manager on Windows allows an authenticated password to use the ELEVATED_PASSWORD variable even though not allowed by the "Allow password in variable policy". This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29. | ||||
| CVE-2021-39341 | 1 Optinmonster | 1 Optinmonster | 2025-03-31 | 8.2 High |
| The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4. | ||||
| CVE-2024-9082 | 2 Oretnom23, Sourcecodester | 2 Online Eyewear Shop, Online Eyewear Shop | 2025-03-31 | 6.3 Medium |
| A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save of the component User Creation Handler. The manipulation of the argument Type with the input 1 leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-21035 | 1 Oracle | 1 Complex Maintenance Repair And Overhaul | 2025-03-28 | 6.1 Medium |
| Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | ||||
| CVE-2025-2639 | 1 Jizhicms | 1 Jizhicms | 2025-03-28 | 4.3 Medium |
| A vulnerability has been found in JIZHICMS up to 1.7.0 and classified as problematic. This vulnerability affects unknown code of the file /user/release.html of the component Article Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||