Total
886 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-12061 | 1 Nicheaddons | 1 Events Addon For Elementor | 2025-06-05 | 4.3 Medium |
| The Events Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.3 via the naevents_elementor_template shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to. | ||||
| CVE-2024-12472 | 1 Metaphorcreations | 1 Post Duplicator | 2025-06-05 | 5.3 Medium |
| The Post Duplicator plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the mtphr_duplicate_post() due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to by duplicating the post. | ||||
| CVE-2024-20513 | 1 Cisco | 50 Meraki Mx100, Meraki Mx100 Firmware, Meraki Mx105 and 47 more | 2025-06-04 | 5.8 Medium |
| A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition for targeted users of the AnyConnect service on an affected device. This vulnerability is due to insufficient entropy for handlers that are used during SSL VPN session establishment. An unauthenticated attacker could exploit this vulnerability by brute forcing valid session handlers. An authenticated attacker could exploit this vulnerability by connecting to the AnyConnect VPN service of an affected device to retrieve a valid session handler and, based on that handler, predict further valid session handlers. The attacker would then send a crafted HTTPS request using the brute-forced or predicted session handler to the AnyConnect VPN server of the device. A successful exploit could allow the attacker to terminate targeted SSL VPN sessions, forcing remote users to initiate new VPN connections and reauthenticate. | ||||
| CVE-2024-27730 | 1 Friendica | 1 Friendica | 2025-06-04 | 9.8 Critical |
| Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature. | ||||
| CVE-2023-50342 | 1 Hcltech | 1 Dryice Myxalytics | 2025-06-03 | 7.1 High |
| HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability. A user can obtain certain details about another user as a result of improper access control. | ||||
| CVE-2022-2913 | 1 Login No Captcha Recaptcha Project | 1 Login No Captcha Recaptcha | 2025-06-03 | 4.3 Medium |
| The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. | ||||
| CVE-2025-5182 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-06-03 | 4.3 Medium |
| A vulnerability has been found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as critical. This vulnerability affects unknown code of the component Listing Handler. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-5181 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-06-03 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. This affects an unknown part of the file /spgpm/updateListing. The manipulation of the argument spgLsTitle leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2023-6223 | 1 Thimpress | 1 Learnpress | 2025-06-03 | 4.3 Medium |
| The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the details of another user's course progress. | ||||
| CVE-2025-47226 | 1 Snipeitapp | 1 Snipe-it | 2025-06-03 | 5 Medium |
| Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information. | ||||
| CVE-2024-0264 | 1 Oretnom23 | 1 Clinic Queuing System | 2025-06-03 | 7.3 High |
| A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /LoginRegistration.php. The manipulation of the argument formToken leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249820. | ||||
| CVE-2024-32166 | 1 Webidsupport | 1 Webid | 2025-06-03 | 8.8 High |
| Webid v1.2.1 suffers from an Insecure Direct Object Reference (IDOR) - Broken Access Control vulnerability, allowing attackers to buy now an auction that is suspended (horizontal privilege escalation). | ||||
| CVE-2025-4691 | 2025-06-02 | 5.3 Medium | ||
| The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21. | ||||
| CVE-2024-48899 | 1 Moodle | 1 Moodle | 2025-06-02 | 4.3 Medium |
| A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to. | ||||
| CVE-2024-0580 | 1 Idmsistemas | 1 Sinergia | 2025-06-02 | 6.5 Medium |
| Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc. | ||||
| CVE-2018-10211 | 1 Vaultize | 1 Enterprise File Sharing | 2025-05-30 | N/A |
| An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization when listing the history of another user via a modified "vaultize_session_id" value in a cookie. | ||||
| CVE-2023-7199 | 1 Relevanssi | 1 Relevanssi | 2025-05-29 | 5.3 Medium |
| The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request | ||||
| CVE-2025-40650 | 2025-05-28 | N/A | ||
| Insecure Direct Object Reference (IDOR) vulnerability in Clickedu. This vulnerability could allow an attacker to retrieve information about student report cards. | ||||
| CVE-2025-25777 | 1 Codeastro | 1 Bus Ticket Booking System | 2025-05-28 | 8 High |
| Insecure Direct Object Reference (IDOR) in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks. | ||||
| CVE-2022-40186 | 2 Hashicorp, Redhat | 2 Vault, Openshift Data Foundation | 2025-05-27 | 9.1 Critical |
| An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault. | ||||