Total
619 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10319 | 1 Jeecg | 1 Jeecg Boot | 2025-12-31 | 4.0 MEDIUM | 4.3 MEDIUM |
| A security flaw has been discovered in JeecgBoot up to 3.8.2. Affected by this issue is some unknown functionality of the file /sys/tenant/exportLog of the component Tenant Log Export. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10318 | 1 Jeecg | 1 Jeecg Boot | 2025-12-31 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in JeecgBoot up to 3.8.2. Affected by this vulnerability is an unknown functionality of the file /api/system/sendWebSocketMsg of the component WebSocket Message Handler. The manipulation of the argument userIds leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10981 | 1 Jeecg | 1 Jeecg Boot | 2025-12-31 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in JeecgBoot up to 3.8.2. This impacts an unknown function of the file /sys/tenant/exportXls. Performing manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10980 | 1 Jeecg | 1 Jeecg Boot | 2025-12-31 | 4.0 MEDIUM | 4.3 MEDIUM |
| A security vulnerability has been detected in JeecgBoot up to 3.8.2. This affects an unknown function of the file /sys/position/exportXls. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15126 | 1 Jeecg | 1 Jeecg Boot | 2025-12-30 | 2.1 LOW | 3.1 LOW |
| A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authorization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15120 | 1 Jeecg | 1 Jeecg Boot | 2025-12-30 | 2.1 LOW | 3.1 LOW |
| A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. This manipulation of the argument departId causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15122 | 1 Jeecg | 1 Jeecg Boot | 2025-12-30 | 2.1 LOW | 3.1 LOW |
| A vulnerability was found in JeecgBoot up to 3.9.0. The impacted element is the function loadDatarule of the file /sys/sysDepartRole/datarule/. Performing manipulation of the argument departId/roleId results in improper authorization. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15123 | 1 Jeecg | 1 Jeecg Boot | 2025-12-30 | 2.1 LOW | 3.1 LOW |
| A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15124 | 1 Jeecg | 1 Jeecg Boot | 2025-12-30 | 2.1 LOW | 3.1 LOW |
| A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15125 | 1 Jeecg | 1 Jeecg Boot | 2025-12-30 | 2.1 LOW | 3.1 LOW |
| A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-53895 | 1 Potsky | 1 Pimp My Log | 2025-12-30 | N/A | 9.8 CRITICAL |
| PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables. | |||||
| CVE-2025-13806 | 1 Nutzam | 1 Nutzboot | 2025-12-30 | 7.5 HIGH | 7.3 HIGH |
| A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Transaction API. The manipulation of the argument from/to/wei leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-14889 | 1 Campcodes | 1 Advanced Voting Management System | 2025-12-24 | 5.5 MEDIUM | 5.4 MEDIUM |
| A security flaw has been discovered in Campcodes Advanced Voting Management System 1.0. The impacted element is an unknown function of the file /admin/voters_edit.php of the component Password Handler. Performing manipulation of the argument ID results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-65782 | 1 Wekan Project | 1 Wekan | 2025-12-23 | N/A | 6.5 MEDIUM |
| An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting. | |||||
| CVE-2025-68481 | 2025-12-23 | N/A | 5.9 MEDIUM | ||
| FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. `generate_state_token()` is always called with an empty `state_data` dict, so the resulting JWT only contains the fixed audience claim plus an expiration timestamp. On callback, the library merely checks that the JWT verifies under `state_secret` and is unexpired; there is no attempt to match the state value to the browser that initiated the OAuth request, no correlation cookie, and no server-side cache. Any attacker can hit `/authorize`, capture the server-generated state, finish the upstream OAuth flow with their own provider account, and then trick a victim into loading `.../callback?code=<attacker_code>&state=<attacker_state>`. Because the state JWT is valid for any client for \~1 hour, the victim’s browser will complete the flow. This leads to login CSRF. Depending on the app’s logic, the login CSRF can lead to an account takeover of the victim account or to the victim user getting logged in to the attacker's account. Version 15.0.2 contains a patch for the issue. | |||||
| CVE-2025-46296 | 1 Claris | 1 Filemaker Server | 2025-12-23 | N/A | 5.4 MEDIUM |
| An authorization bypass vulnerability in FileMaker Server Admin Console allowed administrator roles with minimal privileges to access administrative features such as viewing license details and downloading application logs. This vulnerability has been fully addressed in FileMaker Server 22.0.4. | |||||
| CVE-2025-58386 | 1 Terminalfour | 1 Terminalfour | 2025-12-19 | N/A | 9.8 CRITICAL |
| In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new lower-privileged account and escalate its privileges. While manipulating this request, the Power User can also change the target account's password, effectively taking full control of it. | |||||
| CVE-2025-14546 | 2025-12-19 | N/A | 6.3 MEDIUM | ||
| Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account. | |||||
| CVE-2025-46289 | 1 Apple | 1 Macos | 2025-12-18 | N/A | 5.5 MEDIUM |
| A logic issue was addressed with improved file handling. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may be able to access protected user data. | |||||
| CVE-2025-67715 | 1 Weblate | 1 Weblate | 2025-12-17 | N/A | 4.3 MEDIUM |
| Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue. | |||||