Filtered by vendor
Subscriptions
Total
807 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2013-1865 | 3 Canonical, Openstack, Redhat | 3 Ubuntu Linux, Folsom, Openstack | 2025-04-11 | N/A |
OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token. | ||||
CVE-2013-2113 | 2 Redhat, Theforeman | 2 Openstack, Foreman | 2025-04-11 | N/A |
The create method in app/controllers/users_controller.rb in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role. | ||||
CVE-2022-24894 | 1 Sensiolabs | 1 Symfony | 2025-04-10 | 5.9 Medium |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4. | ||||
CVE-2024-9000 | 1 Lunary | 1 Lunary | 2025-04-10 | 6.5 Medium |
In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended permission checks. Additionally, the endpoint does not validate the uniqueness of the slug field when creating a new checklist, allowing an attacker to spoof existing checklists by reusing the slug of an already-existing checklist. This can lead to significant data integrity issues, as legitimate checklists can be replaced with malicious or altered data. | ||||
CVE-2022-4804 | 1 Usememos | 1 Memos | 2025-04-10 | 5.3 Medium |
Improper Authorization in GitHub repository usememos/memos prior to 0.9.1. | ||||
CVE-2024-9096 | 1 Lunary | 1 Lunary | 2025-04-10 | 7.1 High |
In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify checklist data. This vulnerability allows any user associated with the project, regardless of their role, to modify checklists, including changing the slug or data fields, which can lead to tampering with essential project workflows, altering business logic, and introducing errors that undermine integrity. | ||||
CVE-2025-29794 | 2025-04-10 | 8.8 High | ||
Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||||
CVE-2022-4688 | 1 Usememos | 1 Memos | 2025-04-09 | 8.8 High |
Improper Authorization in GitHub repository usememos/memos prior to 0.9.0. | ||||
CVE-2025-27188 | 2025-04-09 | 4.3 Medium | ||
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. | ||||
CVE-2022-4868 | 1 Froxlor | 1 Froxlor | 2025-04-09 | 4.3 Medium |
Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. | ||||
CVE-2025-21520 | 2 Oracle, Redhat | 3 Mysql Cluster, Mysql Server, Enterprise Linux | 2025-04-09 | 1.8 Low |
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 1.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N). | ||||
CVE-2025-1806 | 2025-04-09 | 4.3 Medium | ||
A vulnerability, which was classified as problematic, has been found in Eastnets PaymentSafe 2.5.26.0. Affected by this issue is some unknown functionality of the file /Default.aspx of the component URL Handler. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.27.0 is able to address this issue. | ||||
CVE-2025-30373 | 2025-04-08 | 6.5 Medium | ||
Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP response (401) is returned, the message will be ingested nonetheless. To mitigate the vulnerability, disable http-based inputs and allow only authenticated pull-based inputs. This vulnerability is fixed in 6.1.9. | ||||
CVE-2025-29927 | 2025-04-08 | 9.1 Critical | ||
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3. | ||||
CVE-2025-3199 | 2025-04-07 | 7.3 High | ||
A vulnerability was found in ageerle ruoyi-ai up to 2.0.1 and classified as critical. Affected by this issue is some unknown functionality of the file ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/controller/system/SysModelController.java of the component API Interface. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.2 is able to address this issue. The name of the patch is c0daf641fb25b244591b7a6c3affa35c69d321fe. It is recommended to upgrade the affected component. | ||||
CVE-2025-3202 | 2025-04-07 | 7.3 High | ||
A vulnerability classified as critical has been found in ageerle ruoyi-ai up to 2.0.0. Affected is an unknown function of the file ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/controller/system/SysNoticeController.java. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.1 is able to address this issue. The name of the patch is 6382e177bf90cc56ff70521842409e35c50df32d. It is recommended to upgrade the affected component. | ||||
CVE-2025-24053 | 2025-04-04 | 7.2 High | ||
Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network. | ||||
CVE-2025-26683 | 2025-04-04 | 8.1 High | ||
Improper authorization in Azure Playwright allows an unauthorized attacker to elevate privileges over a network. | ||||
CVE-2024-8676 | 1 Redhat | 2 Enterprise Linux, Openshift | 2025-04-03 | 7.4 High |
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore. | ||||
CVE-2025-2638 | 1 Jizhicms | 1 Jizhicms | 2025-04-02 | 4.3 Medium |
A vulnerability, which was classified as problematic, was found in JIZHICMS up to 1.7.0. This affects an unknown part of the file /user/release.html of the component Article Handler. The manipulation of the argument ishot with the input 1 leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |