Total
404 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-22239 | 2025-06-13 | N/A | 8.1 HIGH | ||
| Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events onto the master's event bus. | |||||
| CVE-2025-46840 | 1 Adobe | 1 Experience Manager | 2025-06-13 | N/A | 8.7 HIGH |
| Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. | |||||
| CVE-2024-3013 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2025-06-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in FLIR AX8 up to 1.46.16. It has been rated as critical. This issue affects some unknown processing of the file /tools/test_login.php?action=register of the component User Registration. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-258299. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-43706 | 2025-06-12 | N/A | 7.6 HIGH | ||
| Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint. | |||||
| CVE-2025-43585 | 2025-06-12 | N/A | 8.2 HIGH | ||
| Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a high impact to integrity. Exploitation of this issue does not require user interaction. | |||||
| CVE-2024-21026 | 1 Oracle | 1 Complex Maintenance Repair And Overhaul | 2025-06-09 | N/A | 6.1 MEDIUM |
| Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2025-1226 | 1 Yimihome | 1 Ywoa | 2025-06-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in ywoa up to 2024.07.03. It has been declared as critical. This vulnerability affects unknown code of the file /oa/setup/setup.jsp. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-3587 | 1 Zerowdd | 1 Studentmanager | 2025-06-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in ZeroWdd/code-projects studentmanager 1.0. This vulnerability affects unknown code of the file /getTeacherList. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3537 | 1 Tutorials-website | 1 Employee Management System | 2025-06-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in Tutorials-Website Employee Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/update-user.php. The manipulation of the argument ID leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3536 | 1 Tutorials-website | 1 Employee Management System | 2025-06-05 | 6.4 MEDIUM | 6.5 MEDIUM |
| A vulnerability was found in Tutorials-Website Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete-user.php. The manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-22021 | 1 Veeam | 3 Availability Orchestrator, Disaster Recovery Orchestrator, Recovery Orchestrator | 2025-06-05 | N/A | 4.3 MEDIUM |
| Vulnerability?CVE-2024-22021 allows?a?Veeam Recovery Orchestrator user with a low?privileged?role (Plan?Author)?to retrieve?plans?from?a?Scope other than the one they are assigned to. | |||||
| CVE-2024-9531 | 1 Multivendorx | 1 Multivendorx | 2025-06-05 | N/A | 4.3 MEDIUM |
| The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_sent_deactivation_request' function in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send a canned email to the site's administrator asking to delete the profile of an arbitrary vendor. | |||||
| CVE-2025-29827 | 1 Microsoft | 1 Azure Automation | 2025-06-05 | N/A | 9.9 CRITICAL |
| Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2024-13241 | 1 Getopensocial | 1 Open Social | 2025-06-04 | N/A | 9.1 CRITICAL |
| Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.0.5. | |||||
| CVE-2025-5522 | 2025-06-04 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was found in jack0240 魏 bskms 蓝天幼儿园管理系统 up to dffe6640b5b54d8e29da6f060e0493fea74b3fad. It has been rated as critical. Affected by this issue is some unknown functionality of the file /sa/addUser of the component User Creation Handler. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | |||||
| CVE-2025-5511 | 2025-06-04 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability, which was classified as critical, has been found in quequnlong shiyi-blog up to 1.2.1. This issue affects some unknown processing of the file /dev api/app/album/photos/. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-20979 | 1 Oracle | 1 Bi Publisher | 2025-06-03 | N/A | 5.4 MEDIUM |
| Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 6.4.0.0.0, 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2025-5182 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as critical. This vulnerability affects unknown code of the component Listing Handler. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-5175 | 1 Erdogant | 1 Pypickle | 2025-06-03 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in erdogant pypickle up to 1.1.5. It has been classified as critical. This affects the function Save of the file pypickle/pypickle.py. The manipulation leads to improper authorization. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is named 14b4cae704a0bb4eb6723e238f25382d847a1917. It is recommended to upgrade the affected component. | |||||
| CVE-2025-4103 | 2025-06-02 | N/A | 8.8 HIGH | ||
| The WP-GeoMeta plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wp_ajax_wpgm_start_geojson_import() function in versions 0.3.4 to 0.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | |||||