Total: 2778 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-4316 | 1 Devolutions | 1 Devolutions Server | 2025-06-17 | N/A | 4.3 MEDIUM |
Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions. This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0. | |||||
CVE-2024-29866 | 1 Datalust | 1 Seq | 2025-06-17 | N/A | 9.1 CRITICAL |
Datalust Seq before 2023.4.11151 and 2024 before 2024.1.11146 has Incorrect Access Control because a Project Owner or Organization Owner can escalate to System privileges. | |||||
CVE-2009-2631 | 4 Aladdin, Cisco, Sonicwall and 1 more | 5 Safenet Securewire Access Gateway, Adaptive Security Appliance, E-class Ssl Vpn and 2 more | 2025-06-16 | 6.8 MEDIUM | N/A |
Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design. | |||||
CVE-2024-37289 | 1 Trendmicro | 1 Apex One | 2025-06-16 | N/A | 7.8 HIGH |
An improper access control vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
CVE-2025-45237 | 1 86dbs | 1 Dbsyncer | 2025-06-16 | N/A | 7.5 HIGH |
Incorrect access control in the component /config/download of DBSyncer v2.0.6 allows attackers to access the JSON file containing sensitive account information, including the encrypted password. | |||||
CVE-2025-45612 | 1 Exrick | 1 Xmall | 2025-06-16 | N/A | 9.8 CRITICAL |
Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index. | |||||
CVE-2024-25677 | 1 Minbrowser | 1 Min | 2025-06-16 | N/A | 8.8 HIGH |
In Min before 1.31.0, local files are not correctly treated as unique security origins, which allows them to improperly request cross-origin resources. For example, a local file may request other local files through an XML document. | |||||
CVE-2023-51751 | 2 Microsoft, Scalefusion | 2 Windows, Scalefusion | 2025-06-16 | N/A | 6.8 MEDIUM |
ScaleFusion 10.5.2 does not properly limit users to the Edge application because Alt-F4 can be used. This is fixed in 10.5.7 by preventing the launching of the file explorer in Agent-based Multi-App and Single App Kiosk mode. | |||||
CVE-2023-51065 | 1 Qstar | 1 Archive Storage Manager | 2025-06-16 | N/A | 7.5 HIGH |
Incorrect access control in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows unauthenticated attackers to obtain system backups and other sensitive information from the QStar Server. | |||||
CVE-2025-4538 | 1 Keking | 1 Kkfileview | 2025-06-16 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability was found in kkFileView 4.4.0. It has been classified as critical. This affects an unknown part of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2025-5130 | 1 Project Team | 1 Tmall Demo | 2025-06-16 | 5.8 MEDIUM | 4.7 MEDIUM |
A vulnerability was found in Tmall Demo up to 20250505. It has been classified as critical. This affects the function uploadProductImage of the file tmall/admin/uploadProductImage. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2025-5428 | 1 Juzaweb | 1 Cms | 2025-06-16 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability classified as critical has been found in juzaweb CMS up to 3.4.2. This affects an unknown part of the file /admin-cp/log-viewer of the component Error Logs Page. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2025-46889 | 1 Adobe | 1 Experience Manager | 2025-06-16 | N/A | 5.4 MEDIUM |
Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized elevated access. Exploitation of this issue does not require user interaction. | |||||
CVE-2025-27689 | | | 2025-06-16 | N/A | 7.8 HIGH |
Dell iDRAC Tools, version(s) prior to 11.3.0.0, contain(s) an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | |||||
CVE-2024-31503 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2025-06-13 | N/A | 7.5 HIGH |
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover. | |||||
CVE-2024-31759 | 1 Publiccms | 1 Publiccms | 2025-06-12 | N/A | 8.8 HIGH |
An issue in sanluan PublicCMS v.4.0.202302.e allows an attacker to escalate privileges via the change password function. | |||||
CVE-2025-1791 | 1 Skycaiji | 1 Skycaiji | 2025-06-12 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability has been found in Zorlan SkyCaiji 2.9 and classified as critical. This vulnerability affects the function fileAction of the file vendor/skycaiji/app/admin/controller/Tool.php. The manipulation of the argument save_data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-28201 | 1 Govicture | 2 Rx1800, Rx1800 Firmware | 2025-06-12 | N/A | 6.8 MEDIUM |
An issue in Victure RX1800 EN_V1.0.0_r12_110933 allows physically proximate attackers to execute arbitrary code or gain root access. | |||||
CVE-2025-28371 | 1 Engeniustech | 2 Enh500, Enh500 Firmware | 2025-06-12 | N/A | 6.5 MEDIUM |
EnGenius ENH500 AP 2T2R V3.0 FW3.7.22 is vulnerable to Incorrect Access Control via the password change function. The device fails to validate the current password, allowing an attacker to submit a password change request with an invalid current password and set a new password. | |||||
CVE-2025-4977 | 1 Netgear | 2 Dgnd3700, Dgnd3700 Firmware | 2025-06-12 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability, which was classified as problematic, has been found in Netgear DGND3700 1.1.00.15_1.00.15NA. Affected by this issue is some unknown functionality of the file /BRS_top.html. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other products might be affected as well. The vendor was contacted early about this disclosure. |