Export limit exceeded: 11188 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11188 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-27497 | 1 Linksys | 2 E2000, E2000 Firmware | 2025-06-27 | 8.8 High |
| Linksys E2000 Ver.1.0.06 build 1 is vulnerable to authentication bypass via the position.js file. | ||||
| CVE-2024-3164 | 1 Dotcms | 1 Dotcms | 2025-06-27 | 4.5 Medium |
| In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance → Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System → Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance. OWASP Top 10 - A01) Broken Access Control OWASP Top 10 - A04) Insecure Design | ||||
| CVE-2023-47297 | 1 Ncr | 1 Terminal Handler | 2025-06-27 | 9.8 Critical |
| A settings manipulation vulnerability in NCR Terminal Handler v1.5.1 allows attackers to execute arbitrary commands, including editing system security auditing configurations. | ||||
| CVE-2023-47031 | 1 Ncr | 1 Terminal Handler | 2025-06-27 | 9.8 Critical |
| An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to escalate privileges via a crafted POST request to the grantRolesToUsers, grantRolesToGroups, and grantRolesToOrganization SOAP API component. | ||||
| CVE-2025-49603 | 2025-06-26 | 9.1 Critical | ||
| Northern.tech Mender Server before 3.7.11 and 4.x before 4.0.1 has Incorrect Access Control. | ||||
| CVE-2025-6531 | 2025-06-26 | 4.3 Medium | ||
| A vulnerability was found in SIFUSM/MZZYG BD S1 up to 20250611. It has been declared as problematic. This vulnerability affects unknown code of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names. | ||||
| CVE-2025-52571 | 2025-06-26 | 9.7 Critical | ||
| Hikka is a Telegram userbot. A vulnerability affects all users of versions below 1.6.2, including most of the forks. It allows an unauthenticated attacker to gain access to Telegram account of a victim, as well as full access to the server. The issue is patched in version 1.6.2. No known workarounds are available. | ||||
| CVE-2010-5305 | 1 Rockwellautomation | 5 Plc5 1785-lx, Plc5 1785-lx Firmware, Rslogix and 2 more | 2025-06-26 | N/A |
| The potential exists for exposure of the product's password used to restrict unauthorized access to Rockwell PLC5/SLC5/0x/RSLogix 1785-Lx and 1747-L5x controllers. The potential exists for an unauthorized programming and configuration client to gain access to the product and allow changes to the product’s configuration or program. When applicable, upgrade product firmware to a version that includes enhanced security functionality compatible with Rockwell Automation's FactoryTalk Security services. | ||||
| CVE-2018-14670 | 1 Clickhouse | 1 Clickhouse | 2025-06-25 | N/A |
| Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database. | ||||
| CVE-2025-6422 | 1 Campcodes | 1 Online Recruitment Management System | 2025-06-25 | 6.3 Medium |
| A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=save_settings of the component About Content Page. The manipulation of the argument img leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-4702 | 1 Yepas | 1 Digital Yepas | 2025-06-25 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass.This issue affects Digital Yepas: before 1.0.1. | ||||
| CVE-2025-48746 | 1 Netwrix | 1 Directory Manager | 2025-06-24 | 6.5 Medium |
| Netwrix Directory Manager (formerly Imanami GroupID) v.11.0.0.0 and before, as well as after v.11.1.25134.03 lacks Authentication for a Critical Function. | ||||
| CVE-2025-3627 | 1 Moodle | 1 Moodle | 2025-06-24 | 4.3 Medium |
| A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA). | ||||
| CVE-2025-3634 | 1 Moodle | 1 Moodle | 2025-06-24 | 4.3 Medium |
| A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes. | ||||
| CVE-2025-27399 | 1 Joinmastodon | 1 Mastodon | 2025-06-24 | 5.3 Medium |
| Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue. | ||||
| CVE-2025-25621 | 1 Changeweb | 1 Unifiedtransform | 2025-06-24 | 4.3 Medium |
| Unifiedtransform 2.0 is vulnerable to Incorrect Access Control, which allows teachers to take attendance of fellow teachers. This affected endpoint is /courses/teacher/index?teacher_id=2&semester_id=1. | ||||
| CVE-2025-25618 | 1 Changeweb | 1 Unifiedtransform | 2025-06-24 | 3.3 Low |
| Incorrect Access Control in Unifiedtransform 2.0 leads to Privilege Escalation allowing the change of Section Name and Room Number by Teachers. | ||||
| CVE-2025-3454 | 1 Grafana | 1 Grafana | 2025-06-24 | 5 Medium |
| This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. | ||||
| CVE-2025-48063 | 1 Xwiki | 2 Xwiki, Xwiki-platform | 2025-06-24 | 8.8 High |
| XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading. | ||||
| CVE-2025-43585 | 1 Adobe | 4 Adobe Commerce, Commerce, Commerce B2b and 1 more | 2025-06-24 | 8.2 High |
| Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a high impact to integrity. Exploitation of this issue does not require user interaction. | ||||