ReportizFlow
Filtered by vendor
Subscriptions
Total
4211 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-42022 | 1 Veeam | 1 One | 2025-04-28 | 5.3 Medium |
| An incorrect permission assignment vulnerability allows an attacker to modify product configuration files. | ||||
| CVE-2024-42023 | 1 Veeam | 1 One | 2025-04-28 | 8.8 High |
| An improper access control vulnerability allows low-privileged users to execute code with Administrator privileges remotely. | ||||
| CVE-2024-44571 | 1 Relyum | 2 Rely-pcie, Rely-pcie Firmware | 2025-04-28 | 8.8 High |
| RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect access control in the mService function at phpinf.php. | ||||
| CVE-2024-42794 | 2 Kashipara, Lopalopa | 2 Music Management System, Music Management System | 2025-04-28 | 4.7 Medium |
| Kashipara Music Management System v1.0 is vulnerable to Incorrect Access Control via /music/ajax.php?action=save_user. | ||||
| CVE-2024-42795 | 2 Kashipara, Lopalopa | 2 Music Management System, Music Management System | 2025-04-28 | 4.2 Medium |
| An Incorrect Access Control vulnerability was found in /music/view_user.php?id=3 and /music/controller.php?page=edit_user&id=3 in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to view valid user details. | ||||
| CVE-2024-42796 | 2 Kashipara, Lopalopa | 2 Music Management System, Music Management System | 2025-04-28 | 5.9 Medium |
| An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_genre in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete the valid music genre entries. | ||||
| CVE-2024-38909 | 2 Std42, Studio42 | 2 Elfinder, Elfinder | 2025-04-28 | 9.8 Critical |
| Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc. | ||||
| CVE-2023-47422 | 1 Tenda | 8 Ax12, Ax12 Firmware, Ax3 and 5 more | 2025-04-25 | 8.8 High |
| An access control issue in /usr/sbin/httpd in Tenda TX9 V1 V22.03.02.54, Tenda AX3 V3 V16.03.12.11, Tenda AX9 V1 V22.03.01.46, and Tenda AX12 V1 V22.03.01.46 allows attackers to bypass authentication on any endpoint via a crafted URL. | ||||
| CVE-2024-20065 | 2 Google, Mediatek | 14 Android, Mt6768, Mt6781 and 11 more | 2025-04-25 | 4 Medium |
| In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08698617; Issue ID: MSV-1394. | ||||
| CVE-2022-44037 | 1 Apsystems | 2 Ecu-c, Ecu-c Firmware | 2025-04-25 | 8.8 High |
| An access control issue in APsystems ENERGY COMMUNICATION UNIT (ECU-C) Power Control Software V4.1NA, V3.11.4, W2.1NA, V4.1SAA, C1.2.2 allows attackers to access sensitive data and execute specific commands and functions with full admin rights without authenticating allows him to perform multiple attacks, such as attacking wireless network in the product's range. | ||||
| CVE-2022-44212 | 1 Gl-inet | 1 Goodcloud | 2025-04-24 | 5.9 Medium |
| In GL.iNet Goodcloud 1.0, insecure design allows remote attacker to access devices' admin panel. | ||||
| CVE-2022-44211 | 1 Gl-inet | 1 Goodcloud | 2025-04-24 | 7.4 High |
| In GL.iNet Goodcloud 1.1 Incorrect access control allows a remote attacker to access/change devices' settings. | ||||
| CVE-2024-23447 | 1 Elastic | 1 Network Drive Connector | 2025-04-24 | 5.3 Medium |
| An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user. | ||||
| CVE-2024-25120 | 1 Typo3 | 1 Typo3 | 2025-04-24 | 4.3 Medium |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue. | ||||
| CVE-2023-7025 | 1 Kylinos | 1 Hedron-domain-hook | 2025-04-24 | 7.8 High |
| A vulnerability was found in KylinSoft hedron-domain-hook up to 3.8.0.12-0k0.5. It has been declared as critical. This vulnerability affects the function init_kcm of the component DBus Handler. The manipulation leads to improper access controls. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. VDB-248578 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-36643 | 1 Itb-pim | 1 Tradepro | 2025-04-24 | 7.5 High |
| Incorrect Access Control in ITB-GmbH TradePro v9.5, allows remote attackers to receive all orders from the online shop via oordershow component in customer function. | ||||
| CVE-2023-36644 | 1 Itb-pim | 1 Tradepro | 2025-04-24 | 7.5 High |
| Incorrect Access Control in ITB-GmbH TradePro v9.5, allows remote attackers to receive all order confirmations from the online shop via the printmail plugin. | ||||
| CVE-2021-37183 | 1 Siemens | 1 Sinema Remote Connect Server | 2025-04-23 | 6.5 Medium |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software allows sending send-to-sleep notifications to the managed devices. An unauthenticated attacker in the same network of the affected system can abuse these notifications to cause a Denial-of-Service condition in the managed devices. | ||||
| CVE-2021-28579 | 1 Adobe | 1 Connect | 2025-04-23 | 4.3 Medium |
| Adobe Connect version 11.2.1 (and earlier) is affected by an Improper access control vulnerability that can lead to the elevation of privileges. An attacker with 'Learner' permissions can leverage this scenario to access the list of event participants. | ||||
| CVE-2022-21706 | 1 Zulip | 1 Zulip Server | 2025-04-23 | 7.2 High |
| Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack where an invitation created in one organization (potentially as a role with elevated permissions) can be used to join any other organization. This bypasses any restrictions on required domains on users' email addresses, may be used to gain access to organizations which are only accessible by invitation, and may be used to gain access with elevated privileges. This issue has been patched in release 4.10. There are no known workarounds for this issue. ### Patches _Has the problem been patched? What versions should users upgrade to?_ ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ ### References _Are there any links users can visit to find out more?_ ### For more information If you have any questions or comments about this advisory, you can discuss them on the [developer community Zulip server](https://zulip.com/developer-community/), or email the [Zulip security team](mailto:[email protected]). | ||||