Total: 1693 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-30514 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes"). | |||||
| CVE-2025-62241 | 1 Liferay | 1 Digital Experience Platform | 2025-11-12 | N/A | 4.3 MEDIUM |
| Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users from one virtual instance to view the shipment addresses of a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. | |||||
| CVE-2025-31950 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain EV charger energy consumption information of other users. | |||||
| CVE-2025-31945 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain other users' charger information. | |||||
| CVE-2025-31654 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). | |||||
| CVE-2025-31360 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 6.5 MEDIUM |
| Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | |||||
| CVE-2025-27568 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. | |||||
| CVE-2025-24487 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can infer the existence of usernames in the system by querying an API. | |||||
| CVE-2023-38965 | 1 Oretnom23 | 1 Lost And Found Information System | 2025-11-11 | N/A | 9.8 CRITICAL |
| Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI. | |||||
| CVE-2025-62242 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-07 | N/A | 4.3 MEDIUM |
| Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users from one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter. | |||||
| CVE-2024-45614 | 1 Puma | 1 Puma | 2025-11-03 | N/A | 5.4 MEDIUM |
| Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy-set variables are affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists, effectively allowing the proxy-defined headers to always win. Users are advised to upgrade. Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy-defined headers for security should immediately cease doing so until upgraded to the fixed versions. | |||||
| CVE-2023-49298 | 2 Freebsd, Openzfs | 2 Freebsd, Openzfs | 2025-11-03 | N/A | 7.5 HIGH |
| OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions. | |||||
| CVE-2025-52446 | 3 Linux, Microsoft, Tableau | 3 Linux Kernel, Windows, Tableau Server | 2025-10-31 | N/A | 8.0 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (tab-doc api modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | |||||
| CVE-2025-52447 | 3 Linux, Microsoft, Tableau | 3 Linux Kernel, Windows, Tableau Server | 2025-10-31 | N/A | 8.1 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (set-initial-sql tabdoc command modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | |||||
| CVE-2025-52448 | 3 Linux, Microsoft, Tableau | 3 Linux Kernel, Windows, Tableau Server | 2025-10-31 | N/A | 8.1 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql api modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | |||||
| CVE-2025-9559 | 1 Pega | 1 Pega Platform | 2025-10-30 | N/A | 6.5 MEDIUM |
| Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data. | |||||
| CVE-2025-10759 | 1 Webkul | 1 Qloapps | 2025-10-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release." | |||||
| CVE-2025-31997 | 1 Hcltech | 1 Unica Centralized Offer Management | 2025-10-29 | N/A | 4.2 MEDIUM |
| HCL Unica Centralized Offer Management is vulnerable to Insecure Direct Object References (IDOR). An attacker can bypass authorization and access resources in the system directly, for example database records or files. | |||||
| CVE-2025-0058 | 1 Sap | 1 Sap Basis | 2025-10-24 | N/A | 6.5 MEDIUM |
| In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable. | |||||
| CVE-2025-58055 | 1 Discourse | 1 Discourse | 2025-10-23 | N/A | 4.3 MEDIUM |
| Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To work around this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings. | |||||
