Filtered by CWE-200
Total 9670 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-61679 2025-10-04 7.7 High
Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4.
CVE-2025-40803 1 Siemens 2 Ruggedcom Rst2428p, Ruggedcom Rst2428p Firmware 2025-10-03 3.1 Low
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions). The affected device exposes certain non-critical information from the device. This could allow an unauthenticated attacker to access sensitive data, potentially leading to a breach of confidentiality.
CVE-2025-45994 2 Aranda, Arandasoft 2 Passrecovery, Passrecovery 2025-10-03 7.5 High
An issue in Aranda PassRecovery v1.0 allows attackers to enumerate valid user accounts in Active Directory via sending a crafted POST request to /user/existdirectory/1.
CVE-2025-2842 1 Redhat 1 Openshift Distributed Tracing 2025-10-03 4.3 Medium
A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.
CVE-2025-2786 1 Redhat 1 Openshift Distributed Tracing 2025-10-03 4.3 Medium
A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.
CVE-2014-2356 1 Innominate 1 Mguard Firmware 2025-10-03 N/A
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.
CVE-2025-9209 2025-10-03 9.8 Critical
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them.
CVE-2025-61665 1 Wegia 1 Wegia 2025-10-03 N/A
WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization. This issue is fixed in version 3.5.0.
CVE-2025-60449 2025-10-03 4.9 Medium
An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows authenticated administrators to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory.
CVE-2025-11079 1 Campcodes 1 Farm Management System 2025-10-03 5.3 Medium
A security flaw has been discovered in Campcodes Farm Management System 1.0. Affected by this issue is some unknown functionality. The manipulation results in file and directory information exposure. The attack may be performed remotely. The exploit has been released to the public and may be exploited.
CVE-2025-61589 2025-10-03 5.9 Medium
Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a tool to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker-controlled server through an image fetch after successfully performing a prompt injection. A malicious model (or hallucination/backdoor) might also trigger this exploit at will. This issue requires prompt injection from malicious data (web, image upload, source code) in order to exploit. In that case, it can send sensitive information to an attacker-controlled external server. Some additional bypasses not covered in the initial fix to this issue were discovered, see GHSA-43wj-mwcc-x93p. This issue is fixed in version 1.7.
CVE-2025-54468 2 Rancher, Suse 2 Rancher, Rancher 2025-10-03 4.7 Medium
A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. email addresses.
CVE-2025-40646 1 Viday 1 Viday 2025-10-03 N/A
Exposure of sensitive information in Viday. This vulnerability could allow an attacker to obtain sensitive information about customers by intercepting HTTP requests and searching for the JWT containing sensitive user information in the JWT payload.
CVE-2025-40645 1 Viday 1 Viday 2025-10-03 N/A
Exposure of sensitive information in Viday. This vulnerability could allow an unauthenticated attacker to obtain sensitive information about customers by sending an HTTP GET request to “/api/reserva/web/clients” using the “phone” parameter.
CVE-2025-54290 2 Canonical, Linux 2 Lxd, Linux 2025-10-03 N/A
Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
CVE-2025-56161 1 Yoshop 1 Yoshop 2025-10-03 7.5 High
YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.
CVE-2025-59405 2 Flocksafety, Google 5 Bravo Edge Ai Compute Device, Falcon, License Plate Reader and 2 more 2025-10-03 7.5 High
The Flock Safety Peripheral com.flocksafety.android.peripheral application 7.38.3 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) contains a cleartext DataDog API key within its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover the OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software.
CVE-2014-2347 1 Amtelco 1 Misecuremessages 2025-10-03 N/A
Amtelco miSecureMessages (aka MSM) 6.2 does not properly manage sessions, which allows remote authenticated users to obtain sensitive information via a modified message request.
CVE-2025-10321 1 Wavlink 2 Wl-wn578w2, Wl-wn578w2 Firmware 2025-10-02 5.3 Medium
A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is an unknown function of the file /live_online.shtml. Executing manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-34220 1 Vasion 2 Virtual Appliance Application, Virtual Appliance Host 2025-10-02 N/A
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contains a /api-gateway/identity/search-groups endpoint that does not require authentication. Requests to https://<tenant>.printercloud10.com/api-gateway/identity/search-groups and adjustments to the `Host` header allow an unauthenticated remote attacker to enumerate every group object stored for that tenant. The response includes internal identifiers (group ID, source service ID, Azure AD object IDs, creation timestamps, and tenant IDs). This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.