Total
899 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-49135 | 2025-06-26 | N/A | N/A | ||
| CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 have no validation during the import process of a project or task backup to check that the filename specified in the query parameter refers to a TUS-uploaded file belonging to the same user. As a result, if an attacker with a CVAT account and a `user` role knows the filenames of other users' uploads, they could potentially access and steal data by creating projects or tasks using those files. This issue does not affect annotation or dataset TUS uploads, since in this case object-specific temporary directories are used. Users should upgrade to CVAT 2.40.0 or a later version to receive a patch. No known workarounds are available. | |||||
| CVE-2025-3625 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 7.1 HIGH |
| A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA). | |||||
| CVE-2025-3640 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access. | |||||
| CVE-2025-3636 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks. | |||||
| CVE-2025-49995 | 2025-06-23 | N/A | 5.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through 1.3.1. | |||||
| CVE-2025-49978 | 2025-06-23 | N/A | 4.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in eyecix JobSearch allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobSearch: from n/a through 2.9.0. | |||||
| CVE-2024-23747 | 1 Modernasistemas | 1 Modernanet Hospital Management System 2024 | 2025-06-20 | N/A | 7.5 HIGH |
| The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system's handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information. | |||||
| CVE-2024-38447 | 1 Ncia | 1 Advisor Network | 2025-06-20 | N/A | 8.1 HIGH |
| NATO NCI ANET 3.4.1 allows Insecure Direct Object Reference via a modified ID field in a request for a private draft report (that belongs to an arbitrary user). | |||||
| CVE-2024-38446 | 1 Ncia | 1 Advisor Network | 2025-06-20 | N/A | 6.5 MEDIUM |
| NATO NCI ANET 3.4.1 mishandles report ownership. A user can create a report and, despite the restrictions imposed by the UI, change the author of that report to an arbitrary user (without their consent or knowledge) via a modified UUID in a POST request. | |||||
| CVE-2024-31815 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2025-06-17 | N/A | 9.1 CRITICAL |
| In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh | |||||
| CVE-2023-47022 | 1 Ncr | 1 Terminal Handler | 2025-06-17 | N/A | 6.5 MEDIUM |
| Insecure Direct Object Reference in NCR Terminal Handler v.1.5.1 allows an unprivileged user to edit the audit logs for any user and can lead to CSV injection. | |||||
| CVE-2025-40658 | 2025-06-12 | N/A | N/A | ||
| An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/framesSelection.asp. | |||||
| CVE-2025-40661 | 2025-06-12 | N/A | N/A | ||
| An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/selection.asp. | |||||
| CVE-2025-40660 | 2025-06-12 | N/A | N/A | ||
| An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/select node/data.asp?mode=catalogue&id1=1&id2=1session=&cod=1&networks=0. | |||||
| CVE-2025-40659 | 2025-06-12 | N/A | N/A | ||
| An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/framesSelectionNetworks.asp. | |||||
| CVE-2023-6824 | 1 Marvinlabs | 1 Wp Customer Area | 2025-06-11 | N/A | 6.5 MEDIUM |
| The WP Customer Area WordPress plugin before 8.2.1 does not properly validates user capabilities in some of its AJAX actions, allowing any users to retrieve other user's account address. | |||||
| CVE-2023-6384 | 1 Wp-eventmanager | 1 User Profile Avatar | 2025-06-11 | N/A | 4.3 MEDIUM |
| The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar | |||||
| CVE-2023-36235 | 1 Webkul | 1 Qloapps | 2025-06-10 | N/A | 6.5 MEDIUM |
| An issue in webkul qloapps before v1.6.0 allows an attacker to obtain sensitive information via the id_order parameter. | |||||
| CVE-2024-12767 | 1 Buddyboss | 1 Buddyboss Platform | 2025-06-10 | N/A | 7.5 HIGH |
| The buddyboss-platform WordPress plugin before 2.7.60 lacks proper access controls and allows a logged-in user to view comments on private posts | |||||
| CVE-2024-32823 | 1 Blazzdev | 1 Rate My Post | 2025-06-09 | N/A | 5.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in FeedbackWP Rate my Post – WP Rating System.This issue affects Rate my Post – WP Rating System: from n/a through 3.4.4. | |||||