ReportizFlow
Filtered by vendor
Subscriptions
Total
2314 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6981 | 1 Github | 1 Enterprise Server | 2025-08-27 | 4.3 Medium |
| An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3 | ||||
| CVE-2023-3899 | 2 Fedoraproject, Redhat | 24 Fedora, Enterprise Linux, Enterprise Linux Desktop and 21 more | 2025-08-27 | 7.8 High |
| A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root. | ||||
| CVE-2024-10295 | 1 Redhat | 2 3scale Api Management, Red Hat 3scale Amp | 2025-08-27 | 7.5 High |
| A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue can occur due to a failure in the base64 decoding process, which causes APICast to skip the rest of the authentication checks and proceed with routing the request upstream. | ||||
| CVE-2023-4853 | 2 Quarkus, Redhat | 21 Quarkus, Build Of Optaplanner, Build Of Quarkus and 18 more | 2025-08-27 | 8.1 High |
| A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. | ||||
| CVE-2025-1501 | 1 Nozominetworks | 1 Cmc | 2025-08-27 | 4.3 Medium |
| An access control vulnerability was discovered in the Request Trace and Download Trace functionalities of CMC before 25.1.0 due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can request and download trace files due to improper access restrictions, potentially exposing unauthorized network data. | ||||
| CVE-2025-47930 | 1 Zulip | 1 Zulip | 2025-08-27 | 5.3 Medium |
| Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create public channels" access control mechanism can be circumvented by creating a private or web-public channel, and then changing the channel privacy to public. A similar technique works for creating private channels without permission, though such a process requires either the API or modifying the HTML, as we do mark the "private" radio button as disabled in such cases. Version 10.3 contains a patch. | ||||
| CVE-2025-5199 | 2 Apple, Canonical | 2 Macos, Multipass | 2025-08-26 | 7.3 High |
| In Canonical Multipass up to and including version 1.15.1 on macOS, incorrect default permissions allow a local attacker to escalate privileges by modifying files executed with administrative privileges by a Launch Daemon during system startup. | ||||
| CVE-2025-53836 | 1 Xwiki | 2 Xwiki, Xwiki-rendering | 2025-08-26 | 10 Critical |
| XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled. | ||||
| CVE-2025-53895 | 1 Zitadel | 1 Zitadel | 2025-08-26 | 8.8 High |
| ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue. | ||||
| CVE-2025-36157 | 1 Ibm | 1 Jazz Foundation | 2025-08-26 | 9.8 Critical |
| IBM Jazz Foundation 7.0.2 to 7.0.2 iFix035, 7.0.3 to 7.0.3 iFix018, and 7.1.0 to 7.1.0 iFix004 could allow an unauthenticated remote attacker to update server property files that would allow them to perform unauthorized actions. | ||||
| CVE-2025-48948 | 1 Navidrome | 1 Navidrome | 2025-08-26 | 6.5 Medium |
| Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue. | ||||
| CVE-2025-2527 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-08-22 | 4.3 Medium |
| Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request. | ||||
| CVE-2025-49810 | 1 Mattermost | 1 Mattermost | 2025-08-22 | 3.5 Low |
| Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts | ||||
| CVE-2025-53971 | 1 Mattermost | 1 Mattermost | 2025-08-22 | 3.8 Low |
| Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint. | ||||
| CVE-2025-27213 | 2025-08-22 | 4.9 Medium | ||
| An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect devices to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Affected Products: UniFi Connect EV Station Pro (Version 1.5.18 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.9.301 and earlier) UniFi Connect Display Cast Pro (Version 1.0.78 and earlier) UniFi Connect Display Cast Lite (Version 1.0.3 and earlier) Mitigation: Update UniFi Connect EV Station Pro to Version 1.5.27 or later Update UniFi Connect Display to Version 1.13.6 or later Update UniFi Connect Display Cast to Version 1.10.3 or later Update UniFi Connect Display Cast Pro to Version 1.0.83 or later Update UniFi Connect Display Cast Lite to Version 1.1.3 or later | ||||
| CVE-2025-53902 | 1 Enalean | 1 Tuleap | 2025-08-22 | 4.3 Medium |
| Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1752585665 and Tuleap Enterprise Edition prior to 16.8-6 and 16.9-5, users may potentially access confidential information from artifacts that they are not authorized to view. This is fixed in Tuleap Community Edition prior to version 16.9.99.1752585665 and Tuleap Enterprise Edition prior to 16.8-6 and 16.9-5. | ||||
| CVE-2017-3891 | 1 Blackberry | 1 Qnx Software Development Platform | 2025-08-22 | 9.6 Critical |
| In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevation of privilege vulnerability in the default configuration of the QNX SDP with QNet enabled on networks comprising two or more QNet nodes could allow an attacker to access local and remote files or take ownership of files on other QNX nodes regardless of permissions by executing commands targeting arbitrary nodes from a secondary QNX 6.6.0 QNet node. | ||||
| CVE-2024-38002 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-08-22 | 9 Critical |
| The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API. | ||||
| CVE-2025-30155 | 1 Enalean | 1 Tuleap | 2025-08-22 | 4.3 Medium |
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap does not enforce read permissions on parent trackers in the REST API. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742392651 and Tuleap Enterprise Edition 16.5-5 and 16.4-8. | ||||
| CVE-2025-30209 | 1 Enalean | 1 Tuleap | 2025-08-22 | 5.3 Medium |
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker can access release notes content or information via the FRS REST endpoints it should not have access to. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742812323 and Tuleap Enterprise Edition 16.5-6 and 16.4-10. | ||||