Total: 4833 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-26369 | 1 Q-free | 1 Maxtime | 2025-05-27 | N/A | 8.8 HIGH | A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests. |
| CVE-2023-43652 | 1 Fit2cloud | 1 Jumpserver | 2025-05-27 | N/A | 8.2 HIGH | JumpServer is an open source bastion host. As an unauthenticated user, it is possible to authenticate to the core API with a username and an SSH public key without needing a password or the corresponding SSH private key. An SSH public key should be considered public knowledge and should not be used as an authentication secret alone. JumpServer provides an API for the KoKo component to validate user private key logins. This API does not verify the source of requests and will generate a personal authentication token. Given that public keys can be easily leaked, an attacker can exploit the leaked public key and username to authenticate, subsequently gaining access to the current user's information and authorized actions. This issue has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
| CVE-2022-41250 | 1 Jenkins | 1 Scm Httpclient | 2025-05-27 | N/A | 6.5 MEDIUM | A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2022-41246 | 1 Jenkins | 1 Worksoft Execution Manager | 2025-05-27 | N/A | 6.5 MEDIUM | A missing permission check in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2022-39975 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-27 | N/A | 4.3 MEDIUM | The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation. |
| CVE-2022-38512 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-27 | N/A | 6.5 MEDIUM | The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via a crafted URL. |
| CVE-2025-39412 | 1 Averta | 1 Master Slider | 2025-05-27 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Averta Master Slider. This issue affects Master Slider: from n/a through 3.10.8. |
| CVE-2021-41803 | 1 Hashicorp | 1 Consul | 2025-05-27 | N/A | 7.1 HIGH | HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2. |
| CVE-2025-30448 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-05-27 | N/A | 9.1 CRITICAL | This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.7.6, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, visionOS 2.5, macOS Ventura 13.7.6, macOS Sequoia 15.4. An attacker may be able to turn on sharing of an iCloud folder without authentication. |
| CVE-2024-13703 | 1 Vcita | 1 Crm And Lead Management By Vcita | 2025-05-26 | N/A | 4.3 MEDIUM | The CRM and Lead Management by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae() function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable plugin widgets. |
| CVE-2025-2104 | 1 Pagelayer | 1 Pagelayer | 2025-05-26 | N/A | 4.3 MEDIUM | The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site. |
| CVE-2024-13358 | 1 Themekraft | 1 Buddypress Woocommerce My Account Integration | 2025-05-26 | N/A | 4.3 MEDIUM | The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and including, 3.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's page setting. |
| CVE-2025-1780 | 1 Themekraft | 1 Buddypress Woocommerce My Account Integration | 2025-05-26 | N/A | 4.3 MEDIUM | The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and including, 3.4.25. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's page setting. |
| CVE-2024-50500 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-26 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in By Averta Shortcodes and extra features for Phlox theme allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.2. |
| CVE-2025-24607 | 1 Northernbeacheswebsites | 1 Ideapush | 2025-05-23 | N/A | 5.8 MEDIUM | Missing Authorization vulnerability in Northern Beaches Websites IdeaPush allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IdeaPush: from n/a through 8.71. |
| CVE-2025-22289 | 1 Eniture | 1 Ltl Freight Quotes | 2025-05-23 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in NotFound LTL Freight Quotes – Unishippers Edition allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LTL Freight Quotes – Unishippers Edition: from n/a through 2.5.8. |
| CVE-2025-47942 | | | 2025-05-23 | N/A | 5.3 MEDIUM | The Open edX Platform is a learning management platform. Prior to commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, edxapp has no built-in protection against downloading the python_lib.zip asset from courses, which is a concern since it often contains custom grading code or answers to course problems. This potentially affects any course using custom Python-graded problem blocks. The openedx/configuration repo has had a patch since 2016 in the form of an nginx rule, but this was only intended as a temporary mitigation. As the configuration repo has been deprecated and we have not been able to locate any similar protection in Tutor, it is likely that most deployments have no protection against python_lib.zip being downloaded. The recommended mitigation, implemented in commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, restricts python_lib.zip downloads to just the course team and site staff/superusers. |
| CVE-2025-2506 | | | 2025-05-23 | N/A | 5.3 MEDIUM | When pglogical attempts to replicate data, it does not verify it is using a replication connection, which means a user with CONNECT access to a database configured for replication can execute the pglogical command to obtain read access to replicated tables. When pglogical runs it should verify it is running on a replication connection but does not perform this check. This vulnerability was introduced in the pglogical 3.x codebase, which is proprietary to EDB. The same code base has been integrated into BDR/PGD 4 and 5. To exploit the vulnerability the attacker needs at least CONNECT permissions to a database configured for replication and must understand a number of pglogical3/BDR specific commands and be able to decode the binary protocol. |
| CVE-2025-47619 | | | 2025-05-23 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in 6Storage 6Storage Rentals allows Path Traversal. This issue affects 6Storage Rentals: from n/a through 2.19.4. |
| CVE-2025-48271 | | | 2025-05-23 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Leadinfo Leadinfo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Leadinfo: from n/a through 1.1. |