Total
1230 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-4176 | 3 Dracut Project, Fedoraproject, Udev Project | 3 Dracut, Fedora, Udev | 2025-04-11 | 4.0 MEDIUM | N/A |
| plymouth-pretrigger.sh in dracut and udev, when running on Fedora 13 and 14, sets weak permissions for the /dev/systty device file, which allows remote authenticated users to read terminal data from tty0 for local users. | |||||
| CVE-2011-2782 | 2 Google, Linux | 2 Chrome, Linux Kernel | 2025-04-11 | 4.3 MEDIUM | N/A |
| The drag-and-drop implementation in Google Chrome before 13.0.782.107 on Linux does not properly enforce permissions for files, which allows user-assisted remote attackers to bypass intended access restrictions via unspecified vectors. | |||||
| CVE-2013-0632 | 1 Adobe | 1 Coldfusion | 2025-04-11 | 10.0 HIGH | 9.8 CRITICAL |
| administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013. | |||||
| CVE-2013-4394 | 2 Debian, Systemd Project | 2 Debian Linux, Systemd | 2025-04-11 | 5.9 MEDIUM | N/A |
| The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard Extension (XKB) layouts description, allows local users in the group to modify the Xorg X11 Server configuration file and possibly gain privileges via vectors involving "special and control characters." | |||||
| CVE-2011-1435 | 1 Google | 1 Chrome | 2025-04-11 | 5.0 MEDIUM | N/A |
| Google Chrome before 11.0.696.57 does not properly implement the tabs permission for extensions, which allows remote attackers to read local files via a crafted extension. | |||||
| CVE-2023-28724 | 1 F5 | 3 Nginx Api Connectivity Manager, Nginx Instance Manager, Nginx Security Monitoring | 2025-04-10 | N/A | 7.1 HIGH |
| NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2022-46761 | 1 Huawei | 2 Emui, Harmonyos | 2025-04-09 | N/A | 7.5 HIGH |
| The system has a vulnerability that may cause dynamic hiding and restoring of app icons.Successful exploitation of this vulnerability may cause malicious hiding of app icons. | |||||
| CVE-2025-29801 | 2025-04-09 | N/A | 7.8 HIGH | ||
| Incorrect default permissions in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2006-5014 | 1 Cpanel | 1 Cpanel | 2025-04-09 | 9.0 HIGH | 8.8 HIGH |
| Unspecified vulnerability in cPanel before 10.9.0 12 Tree allows remote authenticated users to gain privileges via unspecified vectors in (1) mysqladmin and (2) hooksadmin. | |||||
| CVE-2024-23847 | 2025-04-08 | N/A | 5.9 MEDIUM | ||
| Incorrect default permissions issue exists in Unifier and Unifier Cast. If this vulnerability is exploited, arbitrary code may be executed with LocalSystem privilege. As a result, a malicious program may be installed, data may be altered or deleted. | |||||
| CVE-2025-27154 | 1 Spotipy Project | 1 Spotipy | 2025-04-07 | N/A | 9.8 CRITICAL |
| Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions. | |||||
| CVE-2025-24234 | 1 Apple | 1 Macos | 2025-04-07 | N/A | 7.8 HIGH |
| This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A malicious app may be able to gain root privileges. | |||||
| CVE-2023-23566 | 1 Axigen | 1 Axigen Mail Server | 2025-04-07 | N/A | 9.8 CRITICAL |
| A 2-Step Verification problem in Axigen 10.3.3.52 allows an attacker to access a mailbox by bypassing 2-Step Verification when they try to add an account to any third-party webmail service (or add an account to Outlook or Gmail, etc.) with IMAP or POP3 without any verification code. | |||||
| CVE-2025-29570 | 2025-04-07 | N/A | 7.8 HIGH | ||
| An issue in Shenzhen Libituo Technology Co., Ltd LBT-T300-T400 v3.2 allows a local attacker to escalate privileges via the function tftp_image_check of a binary named rc. | |||||
| CVE-2025-0014 | 2025-04-07 | N/A | 7.3 HIGH | ||
| Incorrect default permissions on the AMD Ryzen(TM) AI installation folder could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. | |||||
| CVE-2025-29504 | 2025-04-07 | N/A | 7.8 HIGH | ||
| Insecure Permission vulnerability in student-manage 1 allows a local attacker to escalate privileges via the Unsafe permission verification. | |||||
| CVE-2025-24195 | 1 Apple | 1 Macos | 2025-04-07 | N/A | 9.8 CRITICAL |
| An integer overflow was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A user may be able to elevate privileges. | |||||
| CVE-2025-24207 | 1 Apple | 1 Macos | 2025-04-07 | N/A | 9.8 CRITICAL |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to enable iCloud storage features without user consent. | |||||
| CVE-2024-11088 | 1 Simple-membership-plugin | 1 Simple Membership | 2025-04-05 | N/A | 5.3 MEDIUM |
| The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | |||||
| CVE-2025-24277 | 1 Apple | 1 Macos | 2025-04-04 | N/A | 7.8 HIGH |
| A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to gain root privileges. | |||||