Search Results (10428 CVEs found)

CVE | Vendors (count, name) | Products (count, name) | Updated | CVSS v3.1 (score, severity)
CVE-2023-52233 1 Wpexperts 1 Post Smtp 2025-06-04 8.6 High
Missing Authorization vulnerability in the Post SMTP Mailer/Email Log plugin by Post SMTP. This issue affects Post SMTP Mailer/Email Log: all versions up to and including 2.8.6 (no lower bound given).
CVE-2024-54020 1 Fortinet 1 Fortimanager 2025-06-04 2.1 Low
A missing authorization in Fortinet FortiManager versions 7.2.0 through 7.2.1, and versions 7.0.0 through 7.0.7 may allow an authenticated attacker to overwrite global threat feeds via crafted update requests.
CVE-2024-23388 1 Mercari 1 Mercari 2025-06-03 6.1 Medium
Improper authorization in handler for custom URL scheme issue in "Mercari" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.
CVE-2023-5877 1 Servit 1 Affiliate-toolkit 2025-06-03 9.8 Critical
The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to its affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs, including RFC 1918 private addresses, leading to a Server-Side Request Forgery (SSRF) issue.
CVE-2023-6048 1 Estatik 1 Estatik 2025-06-03 6.5 Medium
The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent users with low privileges on the site, such as subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset.
CVE-2023-40610 1 Apache 1 Superset 2025-06-03 6.3 Medium
Improper authorization check and possible privilege escalation in Apache Superset up to but excluding 2.1.2. Using the default examples database connection, which allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data in the metadata database. This weakness could result in tampering with the authentication/authorization data.
CVE-2025-31681 1 Authenticator Login Project 1 Authenticator Login 2025-06-02 9.8 Critical
Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing. This issue affects Authenticator Login: from 0.0.0 before 2.0.6.
CVE-2025-3475 1 Europa 1 Web-t 2025-06-02 6.5 Medium
Allocation of Resources Without Limits or Throttling and Incorrect Authorization vulnerabilities in Drupal WEB-T allow Excessive Allocation and Content Spoofing. This issue affects WEB-T: from 0.0.0 before 1.1.0.
CVE-2025-31673 1 Drupal 1 Drupal 2025-06-02 4.6 Medium
Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
CVE-2023-48926 1 Prestashop 1 Advanced Loyalty Program 2025-06-02 5.3 Medium
An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status.
CVE-2024-45689 1 Moodle 1 Moodle 2025-06-02 6.5 Medium
A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.
CVE-2024-0238 1 Myeventon 1 Eventon 2025-06-02 6.1 Medium
The EventON Premium WordPress plugin before 4.5.6 and the EventON WordPress plugin before 2.2.8 lack an authorisation check in an AJAX action and do not ensure that the post to be updated belongs to the plugin, allowing unauthenticated users to update arbitrary post metadata.
CVE-2024-0237 1 Myeventon 1 Eventon 2025-06-02 5.3 Medium
The EventON WordPress plugin through 4.5.8 and the EventON WordPress plugin before 2.2.7 lack authorisation checks in some AJAX actions, allowing unauthenticated users to update virtual event settings such as the meeting URL, moderator and access details.
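The two EventON entries above, like the Post SMTP and Estatik entries, share one root cause: a WordPress AJAX handler that writes to the site without checking who is calling or what it is being asked to touch. The following is an added illustration of that pattern and its fix; it is not EventON's or any other plugin's real code, and the action name, meta key and post type (myplugin_save_meta, myplugin_meeting_url, myplugin_event) are invented for the example.

```php
<?php
// Added illustration of a missing-authorization AJAX handler (hypothetical
// plugin; nothing here is taken from EventON or any other product).

// BEFORE: hooked for both logged-in (wp_ajax_) and anonymous (wp_ajax_nopriv_)
// callers, with no nonce, no capability check and no check that the target
// post is one of the plugin's own. Any visitor can set arbitrary meta on any post.
//   add_action( 'wp_ajax_nopriv_myplugin_save_meta', 'myplugin_save_meta_vulnerable' );
//   add_action( 'wp_ajax_myplugin_save_meta',        'myplugin_save_meta_vulnerable' );
function myplugin_save_meta_vulnerable() {
    $post_id = (int) $_POST['post_id'];
    update_post_meta( $post_id, 'myplugin_meeting_url', $_POST['value'] );
    wp_send_json_success();
}

// AFTER: logged-in callers only (no nopriv hook), CSRF nonce, ownership of the
// specific post, and confirmation that the post belongs to this plugin.
add_action( 'wp_ajax_myplugin_save_meta', 'myplugin_save_meta_secure' );
function myplugin_save_meta_secure() {
    // Rejects the request (dies with -1) if the 'nonce' field is missing or stale.
    check_ajax_referer( 'myplugin_save_meta', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Only operate on the plugin's own post type; a subscriber must not be able
    // to aim this handler at pages, products or other plugins' posts.
    if ( ! $post_id || get_post_type( $post_id ) !== 'myplugin_event' ) {
        wp_send_json_error( 'not a plugin post', 400 );
    }

    // Per-object capability check: edit_post is mapped through map_meta_cap,
    // so authors can edit their own events and editors/admins anyone's.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Validate the value for what it is (a URL) before storing it.
    $value = isset( $_POST['value'] ) ? esc_url_raw( wp_unslash( $_POST['value'] ) ) : '';
    if ( '' === $value ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    update_post_meta( $post_id, 'myplugin_meeting_url', $value );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// The matching nonce is issued on the page that makes the call, e.g.
// wp_localize_script( 'myplugin-js', 'mypluginAjax',
//     array( 'nonce' => wp_create_nonce( 'myplugin_save_meta' ) ) );
```

Two points worth checking when auditing a handler like this: a nonce alone is not authorization (it only proves the request originated from a page the site served to that user), and a bare `current_user_can( 'edit_posts' )` without the post ID would still let any contributor modify every event, which is the "does not ensure that the post belongs to the plugin" half of the EventON finding.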
CVE-2024-0569 1 Totolink 2 T8, T8 Firmware 2025-06-02 4.3 Medium
A vulnerability classified as problematic has been found in Totolink T8 4.1.5cu.833_20220905. This affects the function getSysStatusCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Manipulation of the argument ssid/key leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.5cu.862_B20230228 addresses this issue; upgrading the affected component is recommended. The identifier VDB-250785 was assigned to this vulnerability.
CVE-2023-50726 2 Argoproj, Redhat 2 Argo Cd, Openshift Gitops 2025-06-02 6.4 Medium
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. The bug has been patched in Argo CD versions 2.10.3, 2.9.8, and 2.8.12. Users are advised to upgrade. Users unable to upgrade may mitigate the risk of branch protection bypass by removing `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.
CVE-2022-26767 1 Apple 1 Macos 2025-05-30 5.5 Medium
The issue was addressed with additional permissions checks. This issue is fixed in macOS Monterey 12.4, macOS Big Sur 11.6.6. A malicious application may be able to bypass Privacy preferences.
CVE-2025-46823 2025-05-30 N/A
openmrs-module-fhir2 provides the FHIR REST API and related services for OpenMRS, an open medical records system. In versions of the FHIR2 module prior to 2.5.0, privileges were not always correctly checked, which means that unauthorized users may have been able to add or edit data they were not supposed to be able to add or edit. All implementers should update to FHIR2 2.5.0 or newer as soon as is feasible to receive the patch.
CVE-2023-43846 1 Aten 2 Pe6208, Pe6208 Firmware 2025-05-30 5.3 Medium
Incorrect access control in the logs management function of the web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote attackers to retrieve the device logs via an HTTP GET request. The logs contain information such as user names and IP addresses used in the infrastructure, which may help attackers conduct further attacks in the infrastructure.
CVE-2023-26097 1 Telindus 1 Apsal 2025-05-30 8.4 High
An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked.
CVE-2018-10212 1 Vaultize 1 Enterprise File Sharing 2025-05-30 N/A
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization leading to creation of folders within another account via a modified device value.