ReportizFlow
Filtered by vendor
Subscriptions
Total
2385 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2321 | 1 Wso2 | 2 Api Manager, Identity Server | 2025-10-03 | 5.6 Medium |
| An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations. Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged unauthorized access to API resources, impacting data confidentiality and integrity. | ||||
| CVE-2025-3913 | 1 Mattermost | 1 Mattermost Server | 2025-10-03 | 5.3 Medium |
| Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint. | ||||
| CVE-2024-58260 | 2 Rancher, Suse | 2 Rancher, Rancher | 2025-10-03 | 7.6 High |
| A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. | ||||
| CVE-2025-24397 | 1 Jenkins | 1 Gitlab | 2025-10-03 | 4.3 Medium |
| An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. | ||||
| CVE-2025-24400 | 1 Jenkins | 1 Eiffel Broadcaster | 2025-10-03 | 4.3 Medium |
| Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials. | ||||
| CVE-2025-24401 | 1 Jenkins | 1 Folder-based Authorization Strategy | 2025-10-03 | 6.8 Medium |
| Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to. | ||||
| CVE-2025-32093 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-02 | 4.7 Medium |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation. | ||||
| CVE-2025-24839 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-02 | 3.1 Low |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled. | ||||
| CVE-2025-46744 | 2025-10-02 | 2.7 Low | ||
| An authenticated administrator could modify the Created By username for a user account | ||||
| CVE-2025-25010 | 1 Elastic | 1 Kibana | 2025-10-01 | 6.5 Medium |
| Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces. | ||||
| CVE-2024-12247 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-01 | 4.6 Medium |
| Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated. | ||||
| CVE-2025-27571 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-01 | 4.3 Medium |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived. | ||||
| CVE-2025-2424 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-01 | 3.1 Low |
| Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation. | ||||
| CVE-2025-24866 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-01 | 2.7 Low |
| Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs. | ||||
| CVE-2025-1472 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-01 | 4.3 Medium |
| Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics. | ||||
| CVE-2025-24526 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-01 | 4.3 Medium |
| Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they shouldn't have access to it | ||||
| CVE-2024-9082 | 2 Oretnom23, Sourcecodester | 2 Online Eyewear Shop, Online Eyewear Shop | 2025-09-30 | 6.3 Medium |
| A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save of the component User Creation Handler. The manipulation of the argument Type with the input 1 leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-41246 | 2 Microsoft, Vmware | 2 Windows, Tools | 2025-09-30 | 7.6 High |
| VMware Tools for Windows contains an improper authorisation vulnerability due to the way it handles user access controls. A malicious actor with non-administrative privileges on a guest VM, who is already authenticated through vCenter or ESX may exploit this issue to access other guest VMs. Successful exploitation requires knowledge of credentials of the targeted VMs and vCenter or ESX. | ||||
| CVE-2025-26442 | 1 Google | 1 Android | 2025-09-30 | 5.5 Medium |
| In onCreate of NotificationAccessConfirmationActivity.java, there is a possible incorrect verification of proper intent filters in NLS due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-26436 | 1 Google | 1 Android | 2025-09-30 | 7.8 High |
| In clearAllowBgActivityStarts of PendingIntentRecord.java, there is a possible way for an application to launch an activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||