Total: 4190 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57130 | 1 Zwiicms | 1 Zwiicms | 2025-11-06 | 8.3 High |
| An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators. | ||||
| CVE-2025-62720 | 1 Linkace | 1 Linkace | 2025-11-06 | N/A |
| LinkAce is a self-hosted archive to collect website links. Versions 2.3.1 and below allow any authenticated user to export the entire database of links from all users in the system, including private links that should only be accessible to their owners. The HTML and CSV export functions in the ExportController class retrieve all links without applying any ownership or visibility filtering, effectively bypassing all access controls implemented elsewhere in the application. This issue is fixed in version 2.4.0. | ||||
| CVE-2025-60784 | 1 Xiaozhangbang | 1 Voluntary Like System | 2025-11-06 | 6.5 Medium |
| A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou set to an abnormally low value, an attacker can purchase votes at a reduced cost. Furthermore, by modifying the zid parameter, attackers can influence purchases made by other users, amplifying the impact. This issue stems from insufficient server-side validation of these parameters, potentially leading to economic loss and unfair manipulation of vote counts. | ||||
| CVE-2025-60800 | 1 Jishenghua | 1 Jsherp | 2025-11-06 | 7.5 High |
| Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request. | ||||
| CVE-2019-11634 | 1 Citrix | 2 Receiver, Workspace | 2025-11-06 | 9.8 Critical |
| Citrix Workspace App before 1904 for Windows has Incorrect Access Control. | ||||
| CVE-2025-7939 | 1 Jerryshensjf | 1 Jpacookieshop | 2025-11-06 | 6.3 Medium |
| A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0. It has been classified as critical. Affected is the function addGoods of the file GoodsController.java. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. | ||||
| CVE-2025-43450 | 1 Apple | 3 Ios, Ipados, Iphone Os | 2025-11-06 | 7.5 High |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An app may be able to learn information about the current camera view before being granted camera access. | ||||
| CVE-2024-48932 | 2 Icewhaletech, Zimaspace | 2 Zimaos, Zimaos | 2025-11-06 | 5.3 Medium |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http://<Server-ip>/v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available. | ||||
| CVE-2025-23141 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2025-11-06 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses. Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and emulating the nested VM-Exit can access guest memory. The splat was originally hit by syzkaller on a Google-internal kernel, and reproduced on an upstream kernel by hacking the triple_fault_event_test selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario. | ||||
| CVE-2025-12297 | 2 Atjiu, Pybbs Project | 2 Pybbs, Pybbs | 2025-11-05 | 4.3 Medium |
| A vulnerability was detected in atjiu pybbs up to 6.0.0. This affects an unknown function of the file UserApiController.java. The manipulation results in information disclosure. The attack may be launched remotely. The exploit is now public and may be used. | ||||
| CVE-2025-63562 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-11-05 | 6.3 Medium |
| Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 suffers from insufficient server-side authorization. Authenticated attackers can call several endpoints and perform create/update/delete actions on resources owned by arbitrary users by manipulating request parameters (e.g., owner or resource id). | ||||
| CVE-2025-43499 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2025-11-05 | 5.5 Medium |
| This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An app may be able to access sensitive user data. | ||||
| CVE-2025-43495 | 1 Apple | 4 Ios, Ipad Os, Ipados and 1 more | 2025-11-05 | 5.4 Medium |
| The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An app may be able to monitor keystrokes without user permission. | ||||
| CVE-2025-12593 | 2 Code-projects, Fabian | 2 Simple Online Hotel Reservation System, Simple Online Hotel Reservation System | 2025-11-05 | 4.7 Medium |
| A vulnerability was identified in code-projects Simple Online Hotel Reservation System 2.0. The impacted element is an unknown function of the file /admin/edit_room.php of the component Photo Handler. The manipulation leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-43454 | 1 Apple | 4 Ios, Ipad Os, Ipados and 1 more | 2025-11-05 | 7.5 High |
| This issue was addressed through improved state management. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. A device may persistently fail to lock. | ||||
| CVE-2025-43481 | 1 Apple | 2 Macos, Macos Sequoia | 2025-11-05 | 5.2 Medium |
| This issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.2. An app may be able to break out of its sandbox. | ||||
| CVE-2025-43412 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2025-11-05 | 6.3 Medium |
| A file quarantine bypass was addressed with additional checks. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to break out of its sandbox. | ||||
| CVE-2025-43414 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2025-11-05 | 6.2 Medium |
| A permissions issue was addressed with improved validation. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. A shortcut may be able to access files that are normally inaccessible to the Shortcuts app. | ||||
| CVE-2025-43335 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2025-11-05 | 5.5 Medium |
| The issue was addressed by adding additional logic. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to access user-sensitive data. | ||||
| CVE-2025-43407 | 1 Apple | 7 Ios, Ipados, Iphone Os and 4 more | 2025-11-05 | 7.8 High |
| This issue was addressed with improved entitlements. This issue is fixed in visionOS 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, iOS 26.1 and iPadOS 26.1, tvOS 26.1. An app may be able to break out of its sandbox. | ||||