Total
875 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-48063 | 1 Xwiki | 1 Xwiki | 2025-06-20 | 8.8 High |
| XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading. | ||||
| CVE-2023-40430 | 1 Apple | 1 Macos | 2025-06-20 | 5.5 Medium |
| A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. An app may be able to access removable volumes without user consent. | ||||
| CVE-2025-28131 | 1 Nagios | 1 Nagios Network Analyzer | 2025-06-20 | 4.6 Medium |
| A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability. | ||||
| CVE-2023-42453 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2025-06-18 | 3.1 Low |
| Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This could be confusing as clients will show the event as read by the user, even if they are not in the room. This issue has been patched in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2024-23576 | 1 Hcltechsw | 1 Hcl Commerce | 2025-06-17 | 7.1 High |
| Security vulnerability in HCL Commerce 9.1.12 and 9.1.13 could allow denial of service, disclosure of user personal data, and performing of unauthorized administrative operations. | ||||
| CVE-2023-48252 | 1 Bosch | 21 Nexo-os, Nexo Cordless Nutrunner Nxa011s-36v-b \(0608842012\), Nexo Cordless Nutrunner Nxa011s-36v \(0608842011\) and 18 more | 2025-06-17 | 8.8 High |
| The vulnerability allows an authenticated remote attacker to perform actions exceeding their authorized access via crafted HTTP requests. | ||||
| CVE-2025-29827 | 1 Microsoft | 1 Azure Automation | 2025-06-17 | 9.9 Critical |
| Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-6099 | 2025-06-16 | 5.3 Medium | ||
| A vulnerability was found in szluyu99 gin-vue-blog up to 61dd11ccd296e8642a318ada3ef7b3f7776d2410. It has been declared as critical. This vulnerability affects unknown code of the file gin-blog-server/internal/manager.go of the component PATCH Request Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | ||||
| CVE-2025-22239 | 2025-06-16 | 8.1 High | ||
| Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events onto the master's event bus. | ||||
| CVE-2024-38129 | 1 Microsoft | 1 Windows Server 2022 23h2 | 2025-06-16 | 7.5 High |
| Windows Kerberos Elevation of Privilege Vulnerability | ||||
| CVE-2024-43602 | 1 Microsoft | 1 Azure Cyclecloud | 2025-06-16 | 9.9 Critical |
| Azure CycleCloud Remote Code Execution Vulnerability | ||||
| CVE-2024-23806 | 1 Hidglobal | 4 Iclass Se Reader Configuration Cards, Iclass Se Reader Configuration Cards Firmware, Omnikey Secure Elements Reader Configuration Cards and 1 more | 2025-06-13 | 5.3 Medium |
| Sensitive data can be extracted from HID iCLASS SE reader configuration cards. This could include credential and device administrator keys. | ||||
| CVE-2025-46840 | 1 Adobe | 1 Experience Manager | 2025-06-13 | 8.7 High |
| Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. | ||||
| CVE-2024-3013 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2025-06-12 | 6.3 Medium |
| A vulnerability was found in FLIR AX8 up to 1.46.16. It has been rated as critical. This issue affects some unknown processing of the file /tools/test_login.php?action=register of the component User Registration. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-258299. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-43706 | 2025-06-12 | 7.6 High | ||
| Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint. | ||||
| CVE-2024-21026 | 1 Oracle | 1 Complex Maintenance Repair And Overhaul | 2025-06-09 | 6.1 Medium |
| Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | ||||
| CVE-2019-3842 | 4 Debian, Fedoraproject, Redhat and 1 more | 5 Debian Linux, Fedora, Enterprise Linux and 2 more | 2025-06-09 | 7.0 High |
| In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any". | ||||
| CVE-2025-1226 | 1 Yimihome | 1 Ywoa | 2025-06-05 | 5.3 Medium |
| A vulnerability was found in ywoa up to 2024.07.03. It has been declared as critical. This vulnerability affects unknown code of the file /oa/setup/setup.jsp. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-3587 | 1 Zerowdd | 1 Studentmanager | 2025-06-05 | 6.3 Medium |
| A vulnerability classified as critical was found in ZeroWdd/code-projects studentmanager 1.0. This vulnerability affects unknown code of the file /getTeacherList. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3537 | 1 Tutorials-website | 1 Employee Management System | 2025-06-05 | 5.3 Medium |
| A vulnerability was found in Tutorials-Website Employee Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/update-user.php. The manipulation of the argument ID leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||