ReportizFlow
Filtered by vendor
Subscriptions
Total
32272 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6504 | 1 Rapid7 | 1 Insightvm | 2025-09-05 | 4.3 Medium |
| Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261. | ||||
| CVE-2025-3698 | 1 Tecno | 1 Carlcare | 2025-09-05 | 7.5 High |
| Interface exposure vulnerability in the mobile application (com.transsion.carlcare) may lead to information leakage risk. | ||||
| CVE-2024-7697 | 2 Tecno, Transsion | 2 Com.transsion.carlcare, Carlcare | 2025-09-05 | 7.5 High |
| Logical vulnerability in the mobile application (com.transsion.carlcare) may lead to user information leakage risks. | ||||
| CVE-2025-30288 | 1 Adobe | 1 Coldfusion | 2025-09-05 | 8.2 High |
| ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low privileged attacker with local access could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction in that a victim must be coerced into performing actions within the application and scope is changed. | ||||
| CVE-2024-52509 | 1 Nextcloud | 1 Mail | 2025-09-05 | 3.5 Low |
| Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2. | ||||
| CVE-2024-34739 | 1 Google | 1 Android | 2025-09-04 | 7.7 High |
| In shouldRestrictOverlayActivities of UsbProfileGroupSettingsManager.java, there is a possible escape from SUW due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2023-21342 | 1 Google | 1 Android | 2025-09-04 | 7.8 High |
| In RemoteSpeechRecognitionService of RemoteSpeechRecognitionService.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-9774 | 1 Remoteclinic | 1 Remote Clinic | 2025-09-04 | 4.3 Medium |
| A vulnerability has been found in RemoteClinic up to 2.0. This issue affects some unknown processing of the file /patients/edit-patient.php. The manipulation of the argument Email leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-2443 | 1 Github | 1 Enterprise Server | 2025-09-04 | 9.1 Critical |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring GeoJSON settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13 and was fixed in versions 3.8.17, 3.9.12, 3.10.9, 3.11.7, and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2025-30294 | 1 Adobe | 1 Coldfusion | 2025-09-04 | 6.8 Medium |
| ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security protections and gain unauthorized read access. Exploitation of this issue does not require user interaction and scope is changed. | ||||
| CVE-2024-2469 | 1 Github | 1 Enterprise Server | 2025-09-04 | 8 High |
| An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.17, 3.9.12, 3.10.9, 3.11.7 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2024-32467 | 1 Metersphere | 1 Metersphere | 2025-09-04 | 5.7 Medium |
| MeterSphere is an open source continuous testing platform. Prior to version 2.10.14-lts, members without space permissions can view member information from other workspaces beyond their authority. Version 2.10.14-lts fixes this issue. | ||||
| CVE-2024-28255 | 1 Open-metadata | 1 Openmetadata | 2025-09-04 | 9.8 Critical |
| OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against this list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`. | ||||
| CVE-2024-47255 | 1 2n | 1 Access Commander | 2025-09-04 | 4.7 Medium |
| In 2N Access Commander versions 3.1.1.2 and prior, a local attacker can escalate their privileges in the system which could allow for arbitrary code execution with root permissions. | ||||
| CVE-2024-47254 | 1 2n | 1 Access Commander | 2025-09-04 | 6.3 Medium |
| In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient Verification of Data Authenticity vulnerability could allow an attacker to escalate their privileges and gain root access to the system. | ||||
| CVE-2024-34537 | 1 Typo3 | 1 Typo3 | 2025-09-03 | 4.9 Medium |
| TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an administrator-level backend user account via manipulated data saved in the bookmark toolbar of the backend user interface. The fixed versions are 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, and 13.3.1. | ||||
| CVE-2025-9461 | 1 Diyhi | 1 Bbs | 2025-09-03 | 4.3 Medium |
| A weakness has been identified in diyhi bbs up to 6.8. The impacted element is an unknown function of the file src/main/java/cms/web/action/filePackage/FilePackageManageAction.java of the component File Compression Handler. This manipulation of the argument idGroup causes information disclosure. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-3831 | 1 Checkpoint | 1 Harmony Sase | 2025-09-03 | 8.1 High |
| Log files uploaded during troubleshooting by the Harmony SASE agent may have been accessible to unauthorized parties. | ||||
| CVE-2025-33051 | 1 Microsoft | 1 Exchange Server | 2025-09-03 | 7.5 High |
| Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2024-49972 | 1 Linux | 1 Linux Kernel | 2025-09-03 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Deallocate DML memory if allocation fails [Why] When DC state create DML memory allocation fails, memory is not deallocated subsequently, resulting in uninitialized structure that is not NULL. [How] Deallocate memory if DML memory allocation fails. | ||||