Export limit exceeded: 10809 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10809 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47077 | 1 Goauthentik | 1 Authentik | 2025-08-21 | 6.5 Medium |
| authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access. Anyone who has more than one proxy provider application with different trust domains or different access control is affected. Versions 2024.8.3 and 2024.6.5 fix the issue. | ||||
| CVE-2025-8361 | 2 Config Pages Project, Drupal | 2 Config Pages, Drupal | 2025-08-21 | 7.6 High |
| Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.This issue affects Config Pages: from 0.0.0 before 2.18.0. | ||||
| CVE-2024-37905 | 1 Goauthentik | 1 Authentik | 2025-08-21 | 8.8 High |
| authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including resetting user passwords and more. This issue has been patched in version(s) 2024.2.4, 2024.4.2 and 2024.6.0. | ||||
| CVE-2025-57728 | 1 Jetbrains | 1 Intellij Idea | 2025-08-21 | 6.5 Medium |
| In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files | ||||
| CVE-2025-54608 | 1 Huawei | 1 Harmonyos | 2025-08-20 | 6.2 Medium |
| Vulnerability that allows setting screen rotation direction without permission verification in the screen management module. Impact: Successful exploitation of this vulnerability may cause device screen orientation to be arbitrarily set. | ||||
| CVE-2021-35567 | 5 Debian, Fedoraproject, Netapp and 2 more | 19 Debian Linux, Fedora, Active Iq Unified Manager and 16 more | 2025-08-15 | 6.8 Medium |
| Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N). | ||||
| CVE-2023-47716 | 1 Ibm | 2 Cp4ba - Filenet Content Manager, Filenet Content Manager | 2025-08-15 | 6.3 Medium |
| IBM CP4BA - Filenet Content Manager Component 5.5.8.0, 5.5.10.0, and 5.5.11.0 could allow a user to gain the privileges of another user under unusual circumstances. IBM X-Force ID: 271656. | ||||
| CVE-2025-49556 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-08-15 | 7.5 High |
| Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged. | ||||
| CVE-2024-45081 | 2 Ibm, Microsoft | 3 Cognos Controller, Controller, Windows | 2025-08-15 | 6.5 Medium |
| IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated user to modify restricted content due to incorrect authorization checks. | ||||
| CVE-2024-12553 | 1 Geovision | 1 Gv-asmanager | 2025-08-14 | N/A |
| GeoVision GV-ASManager Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of GeoVision GV-ASManager. Although authentication is required to exploit this vulnerability, default guest credentials may be used. The specific flaw exists within the GV-ASWeb service. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-25394. | ||||
| CVE-2024-10219 | 1 Gitlab | 1 Gitlab | 2025-08-14 | 6.5 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints. | ||||
| CVE-2024-39690 | 2 Clastix, Projectcapsule | 2 Capsule, Capsule | 2025-08-14 | 8.5 High |
| Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace. Version 0.7.1 contains a patch. | ||||
| CVE-2025-5953 | 1 Mishubd | 1 Wp Human Resource Management | 2025-08-13 | 8.8 High |
| The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator. | ||||
| CVE-2025-5956 | 1 Mishubd | 1 Wp Human Resource Management | 2025-08-13 | 6.5 Medium |
| The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization within the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The plugin’s deletion handler reads the client-supplied $_POST['delete'] array and passes each ID directly to wp_delete_user() without verifying that the caller has the delete_users capability or limiting which user IDs may be removed. This makes it possible for authenticated attackers, with Employee-level access and above, to delete arbitrary accounts, including administrators. | ||||
| CVE-2023-42124 | 1 Avast | 1 Premium Security | 2025-08-13 | 7.8 High |
| Avast Premium Security Sandbox Protection Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Premium Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of the sandbox feature. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code outside the sandbox at medium integrity. . Was ZDI-CAN-20178. | ||||
| CVE-2025-2242 | 1 Gitlab | 1 Gitlab | 2025-08-13 | 7.5 High |
| An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects. | ||||
| CVE-2025-3150 | 1 Itning | 1 Student-homework-management-system | 2025-08-13 | 4.3 Medium |
| A vulnerability was found in itning Student Homework Management System up to 1.2.7. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints might be affected. | ||||
| CVE-2024-11205 | 2 Wordpress, Wpforms | 2 Wordpress, Wpforms | 2025-08-12 | 8.5 High |
| The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions. | ||||
| CVE-2024-29241 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-08-12 | 9.9 Critical |
| Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors. | ||||
| CVE-2023-5600 | 1 Gitlab | 1 Gitlab | 2025-08-12 | 3.1 Low |
| An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked through the service-desk custom email template. | ||||