Total: 3085 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-3565 | 1 Huanfenz | 1 Studentmanager | 2025-05-21 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability classified as critical was found in huanfenz/code-projects StudentManager 1.0. This vulnerability affects unknown code of the file /upload/uploadArticle.do of the component Announcement Management Section. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-21067 | 1 Oracle | 1 Enterprise Manager Base Platform | 2025-05-21 | N/A | 8.8 HIGH | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Host Management). The supported version that is affected is 13.5.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Enterprise Manager Base Platform executes to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). |
| CVE-2024-31846 | 1 Italtel | 1 Embrace | 2025-05-21 | N/A | 7.5 HIGH | An issue was discovered in Italtel Embrace 1.6.4. The web application does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CVE-2022-39835 | 1 Gajim | 1 Gajim | 2025-05-21 | N/A | 5.3 MEDIUM | An issue was discovered in Gajim through 1.4.7. The vulnerability allows attackers, via crafted XML stanzas, to correct messages that were not sent by them. The attacker needs to be part of the group chat or single chat. The fixed version is 1.5.0. |
| CVE-2022-36771 | 1 Ibm | 1 Qradar User Behavior Analytics | 2025-05-21 | N/A | 6.5 MEDIUM | IBM QRadar User Behavior Analytics could allow an authenticated user to obtain sensitive information that they should not have access to. IBM X-Force ID: 232791. |
| CVE-2025-33072 | 1 Microsoft | 1 Msagsfeedback.azurewebsites.net | 2025-05-21 | N/A | 8.1 HIGH | Improper access control in Azure allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-4901 | 1 Dlink | 2 Di-7003g, Di-7003g Firmware | 2025-05-21 | 3.3 LOW | 4.3 MEDIUM | A vulnerability classified as problematic was found in D-Link DI-7003GV2 24.04.18D1 R(68125). Affected by this vulnerability is the function sub_41E304 of the file /H5/state_view.data of the component HTTP Endpoint. The manipulation leads to information disclosure. The attack can only be done within the local network. The exploit has been disclosed to the public and may be used. |
| CVE-2025-4902 | 1 Dlink | 2 Di-7003g, Di-7003g Firmware | 2025-05-21 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability, which was classified as problematic, has been found in D-Link DI-7003GV2 24.04.18D1 R(68125). Affected by this issue is the function sub_48F4F0 of the file /H5/versionupdate.data. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-4926 | 1 Phpgurukul | 1 Car Rental Portal | 2025-05-21 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability was found in PHPGurukul Car Rental Project 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/post-avehical.php. The manipulation of the argument img1/img2/img3/img4/img5 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2022-1959 | 1 Spsoftmobile | 1 Applock | 2025-05-20 | N/A | 6.6 MEDIUM | AppLock version 7.9.29 allows an attacker with physical access to the device to bypass biometric authentication. This is possible because the application did not correctly implement fingerprint validations. |
| CVE-2022-42717 | 2 Hashicorp, Linux | 2 Vagrant, Linux Kernel | 2025-05-20 | N/A | 7.8 HIGH | An issue was discovered in Hashicorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root. |
| CVE-2025-27191 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-05-20 | N/A | 5.3 MEDIUM | Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. |
| CVE-2025-23164 | | | 2025-05-19 | N/A | 4.4 MEDIUM | A misconfigured access token mechanism in the Unifi Protect Application (Version 5.3.41 and earlier) could permit the recipient of a "Share Livestream" link to maintain access to the corresponding livestream subsequent to such link becoming disabled. |
| CVE-2025-29973 | 1 Microsoft | 1 Azure File Sync | 2025-05-19 | N/A | 7.0 HIGH | Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24887 | 1 Citeum | 1 Opencti | 2025-05-19 | N/A | 6.3 MEDIUM | OpenCTI is an open-source cyber threat intelligence platform. In versions starting from 6.4.8 to before 6.4.10, the allow/deny lists can be bypassed, allowing a user to change attributes that are intended to be unmodifiable by the user. It is possible to toggle the `external` flag on/off and change the own token value for a user. It is also possible to edit attributes that are not in the allow list, such as `otp_qr` and `otp_activated`. If external users exist in the OpenCTI setup and the information about these users' identities is sensitive, the above vulnerabilities can be used to enumerate existing user accounts as a standard low-privileged user. This issue has been patched in version 6.4.10. |
| CVE-2023-24468 | 1 Microfocus | 1 Netiq Advanced Authentication | 2025-05-16 | N/A | 9.8 CRITICAL | Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2. |
| CVE-2025-4118 | 1 Weitong | 1 Mall | 2025-05-16 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability classified as critical has been found in Weitong Mall 1.0.0. This affects an unknown part of the file /historyList of the component Product History Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-4119 | 1 Weitong | 1 Mall | 2025-05-16 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability classified as critical was found in Weitong Mall 1.0.0. This vulnerability affects unknown code of the file /queryTotal of the component Product Statistics Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-27134 | 1 Joplin Project | 1 Joplin | 2025-05-16 | N/A | 8.8 HIGH | Joplin is a free, open source note-taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3. |
| CVE-2025-32376 | 1 Discourse | 1 Discourse | 2025-05-16 | N/A | 4.3 MEDIUM | Discourse is an open-source discussion platform. Prior to versions 3.4.3 on the stable branch and 3.5.0.beta3 on the beta branch, the users limit for a DM can be bypassed, thus giving the ability to potentially create a DM with every user from a site in it. This issue has been patched in stable version 3.4.3 and beta version 3.5.0.beta3. |
