Total
3085 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-21112 | 1 Oracle | 1 Vm Virtualbox | 2025-03-28 | N/A | 8.8 HIGH |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | |||||
| CVE-2023-49930 | 1 Couchbase | 1 Couchbase Server | 2025-03-28 | N/A | 9.8 CRITICAL |
| An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted. | |||||
| CVE-2025-2280 | 1 Devolutions | 1 Devolutions Server | 2025-03-28 | N/A | 8.1 HIGH |
| Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to bypass the browser extension restriction feature. | |||||
| CVE-2025-2278 | 1 Devolutions | 1 Devolutions Server | 2025-03-28 | N/A | 6.5 MEDIUM |
| Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID. | |||||
| CVE-2023-49545 | 1 Oretnom23 | 1 Customer Support System | 2025-03-28 | N/A | 7.5 HIGH |
| A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization. | |||||
| CVE-2024-5687 | 1 Mozilla | 1 Firefox | 2025-03-27 | N/A | 5.3 MEDIUM |
| If a specific sequence of actions is performed when opening a new tab, the triggering principal associated with the new tab may have been incorrect. The triggering principal is used to calculate many values, including the `Referer` and `Sec-*` headers, meaning there is the potential for incorrect security checks within the browser in addition to incorrect or misleading information sent to remote websites. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 127. | |||||
| CVE-2024-51995 | 1 Combodo | 1 Itop | 2025-03-27 | N/A | 7.1 HIGH |
| Combodo iTop is a web based IT Service Management tool. An attacker can request any `route` we want as long as we specify an `operation` that is allowed. This issue has been addressed in version 3.2.0 by applying the same access control pattern as in `UI.php` to the `ajax.render.php` page which does not allow arbitrary `routes` to be dispatched. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-20911 | 1 Oracle | 1 Audit Vault And Database Firewall | 2025-03-27 | N/A | 2.6 LOW |
| Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Supported versions that are affected are 20.1-20.9. Difficult to exploit vulnerability allows high privileged attacker with network access via Oracle Net to compromise Oracle Audit Vault and Database Firewall. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Audit Vault and Database Firewall, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Audit Vault and Database Firewall accessible data. CVSS 3.1 Base Score 2.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N). | |||||
| CVE-2025-29315 | 2025-03-27 | N/A | 9.8 CRITICAL | ||
| An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request. | |||||
| CVE-2025-2705 | 2025-03-27 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2706 | 2025-03-27 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability classified as critical was found in Digiwin ERP 5.0.1. Affected by this vulnerability is an unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-52972 | 2025-03-27 | N/A | 5.5 MEDIUM | ||
| Huawei PCs have a vulnerability that allows low-privilege users to bypass SDDL permission checks . Successful exploitation this vulnerability could lead to termination of some system processes. | |||||
| CVE-2025-23203 | 2025-03-27 | N/A | 5.5 MEDIUM | ||
| Icinga Director is an Icinga config deployment tool. A Security vulnerability has been found starting in version 1.0.0 and prior to 1.10.3 and 1.11.3 on several director endpoints of REST API. To reproduce this vulnerability an authenticated user with permission to access the Director is required (plus api access with regard to the api endpoints). And even though some of these Icinga Director users are restricted from accessing certain objects, are able to retrieve information related to them if their name is known. This makes it possible to change the configuration of these objects by those Icinga Director users restricted from accessing them. This results in further exploitation, data breaches and sensitive information disclosure. Affected endpoints include icingaweb2/director/service, if the host name is left out of the query; icingaweb2/directore/notification; icingaweb2/director/serviceset; and icingaweb2/director/scheduled-downtime. In addition, the endpoint `icingaweb2/director/services?host=filteredHostName` returns a status code 200 even though the services for the host is filtered. This in turn lets the restricted user know that the host `filteredHostName` exists even though the user is restricted from accessing it. This could again result in further exploitation of this information and data breaches. Icinga Director has patches in versions 1.10.3 and 1.11.1. If upgrading is not feasible, disable the director module for the users other than admin role for the time being. | |||||
| CVE-2024-41246 | 1 Lopalopa | 1 Responsive School Management System | 2025-03-27 | N/A | 5.3 MEDIUM |
| An Incorrect Access Control vulnerability was found in /smsa/admin_dashboard.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view administrator dashboard. | |||||
| CVE-2022-47699 | 1 Comfast Project | 2 Cf-wr623n, Cf-wr623n Firmware | 2025-03-27 | N/A | 9.8 CRITICAL |
| COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Incorrect Access Control. | |||||
| CVE-2023-52375 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-26 | N/A | 7.5 HIGH |
| Permission control vulnerability in the WindowManagerServices module.Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2024-21071 | 1 Oracle | 1 Workflow | 2025-03-26 | N/A | 9.1 CRITICAL |
| Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Admin Screens and Grants UI). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Workflow. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | |||||
| CVE-2023-0661 | 1 Devolutions | 1 Devolutions Server | 2025-03-25 | N/A | 6.5 MEDIUM |
| Improper access control in Devolutions Server allows an authenticated user to access unauthorized sensitive data. | |||||
| CVE-2024-27803 | 1 Apple | 2 Ipados, Iphone Os | 2025-03-25 | N/A | 2.4 LOW |
| A permissions issue was addressed with improved validation. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access may be able to share items from the lock screen. | |||||
| CVE-2024-46432 | 1 Tenda | 2 W18e, W18e Firmware | 2025-03-25 | N/A | 8.8 HIGH |
| Tenda W18E V16.01.0.8(1625) is vulnerable to Incorrect Access Control. An attacker can send a specially crafted HTTP POST request to the setQuickCfgWifiAndLogin function, which allows unauthorized changes to WiFi configuration settings and administrative credentials. | |||||