Total: 5244 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2023-49620 | Apache | Dolphinscheduler | 2025-02-13 | 6.5 Medium | Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (these functions are mostly used in SQL tasks), an unauthorized-access (IDOR) vulnerability; the issue was fixed in version 3.1.0. This CVE is rated moderate because it still requires a user login to operate. Upgrade to version 3.1.0 to avoid this vulnerability. |
CVE-2023-2183 | Grafana, Redhat | Grafana, Ceph Storage | 2025-02-13 | 4.1 Medium | Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users with the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API, as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, preparing phishing attacks, or blocking the SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 or 8.5.26 to receive a fix. |
CVE-2023-26269 | Apache | James, James Server | 2025-02-13 | 7.8 High | Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users. |
CVE-2023-46652 | Jenkins | Lambdatest-automation | 2025-02-13 | 4.3 Medium | A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credential IDs of LAMBDATEST credentials stored in Jenkins. |
CVE-2023-3482 | Mozilla | Firefox | 2025-02-13 | 6.5 Medium | When Firefox is configured to block storage of all cookies, it was still possible to store data in localStorage by using an iframe with a source of 'about:blank'. This could have led to malicious websites storing tracking data without permission. This vulnerability affects Firefox < 115. |
CVE-2023-2796 | Myeventon | Eventon | 2025-02-13 | 5.3 Medium | The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password-protected Events by guessing their numeric id. |
CVE-2023-26035 | Zoneminder | Zoneminder | 2025-02-13 | 7.2 High | ZoneMinder is a free, open source closed-circuit television (CCTV) software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There is no permission check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33. |
CVE-2023-2448 | Userproplugin | Userpro | 2025-02-13 | 6.5 Medium | The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. An attacker can leverage CVE-2023-2446 to obtain sensitive information via a shortcode. |
CVE-2022-39335 | Matrix | Synapse | 2025-02-13 | 5 Medium | Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade. |
CVE-2018-14628 | Fedoraproject, Samba | Fedora, Samba | 2025-02-13 | 4.3 Medium | An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store. |
CVE-2025-25167 | Blackandwhitedigital | Bookpress | 2025-02-12 | 8.2 High | Missing Authorization vulnerability in blackandwhitedigital BookPress – For Book Authors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BookPress – For Book Authors: from n/a through 1.2.7. |
CVE-2025-24603 | | | 2025-02-12 | 4.3 Medium | Missing Authorization vulnerability in UkrSolution Print Barcode Labels for your WooCommerce products/orders. This issue affects Print Barcode Labels for your WooCommerce products/orders: from n/a through 3.4.10. |
CVE-2025-24606 | | | 2025-02-12 | 6.4 Medium | Missing Authorization vulnerability in Sprout Invoices Client Invoicing by Sprout Invoices allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Client Invoicing by Sprout Invoices: from n/a through 20.8.1. |
CVE-2025-24653 | | | 2025-02-12 | 4.3 Medium | Missing Authorization vulnerability in NotFound Admin and Site Enhancements (ASE) Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin and Site Enhancements (ASE) Pro: from n/a through 7.6.1.1. |
CVE-2025-24743 | | | 2025-02-12 | 4.3 Medium | Missing Authorization vulnerability in Rometheme RomethemeKit For Elementor. This issue affects RomethemeKit For Elementor: from n/a through 1.5.2. |
CVE-2025-24744 | | | 2025-02-12 | 4.3 Medium | Missing Authorization vulnerability in NotFound Bridge Core. This issue affects Bridge Core: from n/a through 3.3. |
CVE-2025-24747 | | | 2025-02-12 | 5.3 Medium | Missing Authorization vulnerability in Houzez.co Houzez. This issue affects Houzez: from n/a through 3.4.0. |
CVE-2025-23982 | | | 2025-02-12 | 7.1 High | Missing Authorization vulnerability in Marian Kanev Cab fare calculator allows Stored XSS. This issue affects Cab fare calculator: from n/a through 1.1. |
CVE-2025-22717 | | | 2025-02-12 | 7.5 High | Missing Authorization vulnerability in Joe Dolson My Tickets allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects My Tickets: from n/a through 2.0.9. |
CVE-2025-1214 | | | 2025-02-12 | 6.3 Medium | A vulnerability classified as critical has been found in pihome-shc PiHome 2.0. This affects an unknown part of the file /user_accounts.php?uid of the component Role-Based Access Control. The manipulation leads to missing authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |