Total
835 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4210 | 2025-05-02 | 7.3 High | ||
| A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.812.0 is able to address this issue. The name of the patch is 3d12ac8dc2282369296c3386815c00a06c6a92fe. It is recommended to upgrade the affected component. | ||||
| CVE-2025-30392 | 2025-05-02 | 9.8 Critical | ||
| Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2025-30390 | 2025-05-02 | 9.9 Critical | ||
| Improper authorization in Azure allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-32972 | 2025-05-02 | 2.7 Low | ||
| XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1. | ||||
| CVE-2025-30389 | 2025-05-02 | 8.7 High | ||
| Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2025-4136 | 2025-05-02 | 5.4 Medium | ||
| A vulnerability was found in Weitong Mall 1.0.0. It has been classified as critical. This affects an unknown part of the component Sale Endpoint. The manipulation of the argument ID leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-27188 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-05-01 | 4.3 Medium |
| Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. | ||||
| CVE-2022-39879 | 1 Google | 1 Android | 2025-05-01 | 5.9 Medium |
| Improper authorization vulnerability in?CallBGProvider prior to SMR Nov-2022 Release 1 allows local attacker to grant permission for accessing information with phone uid. | ||||
| CVE-2022-39883 | 1 Google | 1 Android | 2025-05-01 | 4 Medium |
| Improper authorization vulnerability in StorageManagerService prior to SMR Nov-2022 Release 1 allows local attacker to call privileged API. | ||||
| CVE-2022-39890 | 1 Samsung | 1 Billing | 2025-05-01 | 6.2 Medium |
| Improper Authorization in Samsung Billing prior to version 5.0.56.0 allows attacker to get sensitive information. | ||||
| CVE-2024-8676 | 1 Redhat | 2 Enterprise Linux, Openshift | 2025-05-01 | 7.4 High |
| A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore. | ||||
| CVE-2025-26683 | 2025-04-30 | 8.1 High | ||
| Improper authorization in Azure Playwright allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2025-29794 | 2025-04-30 | 8.8 High | ||
| Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||||
| CVE-2021-25973 | 1 Publify Project | 1 Publify | 2025-04-30 | 6.5 Medium |
| In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. “guest” role users can self-register even when the admin does not allow. This happens due to front-end restriction only. | ||||
| CVE-2024-9095 | 1 Lunary | 1 Lunary | 2025-04-29 | 9.8 Critical |
| In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is protected by a config check (`config.DATA_WAREHOUSE_EXPORTS_ALLOWED`), but it does not verify the user's access level or implement any access control middleware. This vulnerability can lead to the extraction of sensitive data, disruption of services, credential compromise, and service integrity breaches. | ||||
| CVE-2025-32982 | 2025-04-29 | 7.5 High | ||
| NETSCOUT nGeniusONE before 6.4.0 b2350 has a Broken Authorization Schema for the report module. | ||||
| CVE-2025-3980 | 2025-04-29 | 4.3 Medium | ||
| A vulnerability classified as problematic was found in wowjoy 浙江湖州华卓信息科技有限公司 Internet Doctor Workstation System 1.0. This vulnerability affects unknown code of the file /v1/prescription/list. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3981 | 2025-04-29 | 4.3 Medium | ||
| A vulnerability, which was classified as problematic, has been found in wowjoy 浙江湖州华卓信息科技有限公司 Internet Doctor Workstation System 1.0. This issue affects some unknown processing of the file /v1/prescription/details/. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2850 | 2025-04-29 | 3.5 Low | ||
| A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango, GL-MT1300 Beryl, GL-MT2500 Brume 2, GL-MT3000 Beryl AX, GL-MT6000 Flint 2, GL-SFT1200 Opal, GL-X300B Collie, GL-X750 Spitz, GL-X3000 Spitz AX, GL-XE300 Puli and GL-XE3000 Puli AX 4.x. It has been rated as problematic. This issue affects some unknown processing of the component Download Interface. The manipulation leads to improper authorization. It is recommended to upgrade the affected component. | ||||
| CVE-2025-3967 | 2025-04-29 | 5.4 Medium | ||
| A vulnerability was found in itwanger paicoding 1.0.3. It has been classified as critical. This affects an unknown part of the file /article/api/post of the component Article Handler. The manipulation of the argument articleId leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||