Total
619 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58156 | 1 Nofusscomputing | 1 Centurion Erp | 2025-09-24 | N/A | 1.9 LOW |
| Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database. | |||||
| CVE-2025-27601 | 1 Umbraco | 1 Umbraco Cms | 2025-09-22 | N/A | 4.3 MEDIUM |
| Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available. | |||||
| CVE-2025-27602 | 1 Umbraco | 1 Umbraco Cms | 2025-09-22 | N/A | 4.9 MEDIUM |
| Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. The issue is patched in versions 10.8.9 and 13.7.1. No known workarounds are available. | |||||
| CVE-2025-32964 | 1 Miraheze | 1 Managewiki | 2025-09-19 | N/A | 4.6 MEDIUM |
| ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 00bebea, when enabling a conflicting extension, a restricted extension would be automatically disabled even if the user did not hold the ManageWiki-restricted right. This issue has been patched in commit 00bebea. A workaround involves ensuring that any extensions requiring specific permissions in `$wgManageWikiExtensions` also require the same permissions for managing any conflicting extensions. | |||||
| CVE-2024-51525 | 1 Huawei | 1 Harmonyos | 2025-09-18 | N/A | 6.2 MEDIUM |
| Permission control vulnerability in the clipboard module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2024-42039 | 1 Huawei | 2 Emui, Harmonyos | 2025-09-18 | N/A | 4.3 MEDIUM |
| Access control vulnerability in the SystemUI module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2024-42036 | 1 Huawei | 2 Emui, Harmonyos | 2025-09-18 | N/A | 2.5 LOW |
| Access permission verification vulnerability in the Notepad module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2024-42032 | 1 Huawei | 2 Emui, Harmonyos | 2025-09-18 | N/A | 4.4 MEDIUM |
| Access permission verification vulnerability in the Contacts module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2025-8057 | 2025-09-17 | N/A | 6.5 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key, Externally Controlled Reference to a Resource in Another Sphere, Improper Authorization vulnerability in Patika Global Technologies HumanSuite allows Exploiting Trust in Client.This issue affects HumanSuite: before 53.21.0. | |||||
| CVE-2025-41249 | 2025-09-16 | N/A | 7.5 HIGH | ||
| The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 . | |||||
| CVE-2025-10374 | 2025-09-15 | 7.5 HIGH | 7.3 HIGH | ||
| A security flaw has been discovered in Shenzhen Sixun Business Management System 7/11. This affects an unknown part of the file /Adm/OperatorStop. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2024-12347 | 1 Huayi-tec | 1 Jeewms | 2025-09-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in Guangzhou Huayi Intelligent Technology Jeewms up to 1.0.0 and classified as critical. This issue affects some unknown processing of the file /jeewms_war/webpage/system/druid/index.html of the component Druid Monitoring Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10209 | 2025-09-11 | 5.5 MEDIUM | 5.4 MEDIUM | ||
| A security flaw has been discovered in Papermerge DMS up to 3.5.3. This issue affects some unknown processing of the component Authorization Token Handler. Performing manipulation results in improper authorization. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-8756 | 1 Tduckcloud | 1 Tduck-platform | 2025-09-11 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in TDuckCloud tduck-platform up to 5.1 and classified as critical. Affected by this vulnerability is the function preHandle of the file /manage/ of the component com.tduck.cloud.api.web.interceptor.AuthorizationInterceptor. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-9602 | 1 Rockoa | 1 Rockoa | 2025-09-11 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | |||||
| CVE-2025-29927 | 1 Vercel | 1 Next.js | 2025-09-10 | N/A | 9.1 CRITICAL |
| Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3. | |||||
| CVE-2024-51479 | 1 Vercel | 1 Next.js | 2025-09-10 | N/A | 7.5 HIGH |
| Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability. | |||||
| CVE-2025-8840 | 1 Jishenghua | 1 Jsherp | 2025-09-09 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Different than CVE-2025-7947. | |||||
| CVE-2025-8839 | 1 Jishenghua | 1 Jsherp | 2025-09-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-10073 | 1 Portabilis | 1 I-educar | 2025-09-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was determined in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/Api/turma. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | |||||