Total
2238 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13253 | 1 Advanced Pwa Inc Push Notifications Project | 1 Advanced Pwa Inc Push Notifications | 2025-06-04 | 9.1 Critical |
| Incorrect Authorization vulnerability in Drupal Advanced PWA inc Push Notifications allows Forceful Browsing.This issue affects Advanced PWA inc Push Notifications: from 0.0.0 before 1.5.0. | ||||
| CVE-2025-25251 | 1 Fortinet | 1 Forticlient | 2025-06-04 | 7.4 High |
| An Incorrect Authorization vulnerability [CWE-863] in FortiClient Mac 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14 may allow a local attacker to escalate privileges via crafted XPC messages. | ||||
| CVE-2024-13258 | 1 Rest \& Json Api Authentication Project | 1 Rest \& Json Api Authentication | 2025-06-04 | 9.8 Critical |
| Incorrect Authorization vulnerability in Drupal Drupal REST & JSON API Authentication allows Forceful Browsing.This issue affects Drupal REST & JSON API Authentication: from 0.0.0 before 2.0.13. | ||||
| CVE-2024-13257 | 1 Commerce View Receipt Project | 1 Commerce View Receipt | 2025-06-04 | 5.3 Medium |
| Incorrect Authorization vulnerability in Drupal Commerce View Receipt allows Forceful Browsing.This issue affects Commerce View Receipt: from 0.0.0 before 1.0.3. | ||||
| CVE-2025-25026 | 1 Ibm | 1 Security Guardium | 2025-06-04 | 4.3 Medium |
| IBM Security Guardium 12.0 could allow an authenticated user to obtain sensitive information due to an incorrect authentication check. | ||||
| CVE-2023-40610 | 1 Apache | 1 Superset | 2025-06-03 | 6.3 Medium |
| Improper authorization check and possible privilege escalation on Apache SupersetĀ up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data. | ||||
| CVE-2023-3964 | 1 Gitlab | 1 Gitlab | 2025-06-03 | 4.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings. | ||||
| CVE-2025-3260 | 2025-06-02 | 8.3 High | ||
| A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources. | ||||
| CVE-2025-48948 | 2025-06-02 | N/A | ||
| Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue. | ||||
| CVE-2025-3475 | 1 Europa | 1 Web-t | 2025-06-02 | 6.5 Medium |
| Allocation of Resources Without Limits or Throttling, Incorrect Authorization vulnerability in Drupal WEB-T allows Excessive Allocation, Content Spoofing.This issue affects WEB-T: from 0.0.0 before 1.1.0. | ||||
| CVE-2025-31673 | 1 Drupal | 1 Drupal | 2025-06-02 | 4.6 Medium |
| Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. | ||||
| CVE-2023-50726 | 2 Argoproj, Redhat | 2 Argo Cd, Openshift Gitops | 2025-06-02 | 6.4 Medium |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. The bug has been patched in Argo CD versions 2.10.3, 2.9.8, and 2.8.12. Users are advised to upgrade. Users unable to upgrade may mitigate the risk of branch protection bypass by removing `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version. | ||||
| CVE-2022-26767 | 1 Apple | 1 Macos | 2025-05-30 | 5.5 Medium |
| The issue was addressed with additional permissions checks. This issue is fixed in macOS Monterey 12.4, macOS Big Sur 11.6.6. A malicious application may be able to bypass Privacy preferences. | ||||
| CVE-2024-7097 | 2025-05-30 | 4.3 Medium | ||
| An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation. | ||||
| CVE-2025-3611 | 2025-05-30 | 3.1 Low | ||
| Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console. | ||||
| CVE-2025-3913 | 2025-05-30 | 5.3 Medium | ||
| Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint. | ||||
| CVE-2024-7096 | 2025-05-30 | 4.2 Medium | ||
| A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms. | ||||
| CVE-2025-48473 | 2025-05-30 | N/A | ||
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been patched in version 1.8.179. | ||||
| CVE-2023-26097 | 1 Telindus | 1 Apsal | 2025-05-30 | 8.4 High |
| An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked. | ||||
| CVE-2018-10212 | 1 Vaultize | 1 Enterprise File Sharing | 2025-05-30 | N/A |
| An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization leading to creation of folders within another account via a modified device value. | ||||