Total
4842 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46557 | 2025-05-02 | N/A | N/A | ||
| XWiki is a generic wiki platform. In versions starting from 15.3-rc-1 to before 15.10.14, from 16.0.0-rc-1 to before 16.4.6, and from 16.5.0-rc-1 to before 16.10.0-rc-1, a user who can access pages located in the XWiki space (by default, anyone) can access the page XWiki.Authentication.Administration and (unless an authenticator is set in xwiki.cfg) switch to another installed authenticator. Note that, by default, there is only one authenticator available (Standard XWiki Authenticator). So, if no authenticator extension was installed, it's not really possible to do anything for an attacker. Also, in most cases, if an SSO authenticator is installed and utilized (like OIDC or LDAP for example), the worst an attacker can do is break authentication by switching back to the standard authenticator (that's because it's impossible to login to a user which does not have a stored password, and that's usually what SSO authenticator produce). This issue has been patched in versions 15.10.14, 16.4.6, and 16.10.0-rc-1. | |||||
| CVE-2025-46554 | 2025-05-02 | N/A | 5.3 MEDIUM | ||
| XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0. | |||||
| CVE-2025-3746 | 2025-05-02 | N/A | 9.8 CRITICAL | ||
| The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly. | |||||
| CVE-2023-33265 | 1 Hazelcast | 2 Hazelcast, Imdg | 2025-05-02 | N/A | 8.8 HIGH |
| In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted. | |||||
| CVE-2025-37087 | 2025-05-01 | N/A | 9.8 CRITICAL | ||
| A vulnerability in the cmdb service of the HPE Performance Cluster Manager (HPCM) could allow an attacker to gain access to an arbitrary file on the server host. | |||||
| CVE-2022-3451 | 1 Addify | 1 Product Stock Manager | 2025-05-01 | N/A | 4.3 MEDIUM |
| The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options | |||||
| CVE-2023-21244 | 1 Google | 1 Android | 2025-05-01 | N/A | 6.7 MEDIUM |
| In visitUris of Notification.java, there is a possible bypass of user profile boundaries due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2025-05-01 | N/A | 5.3 MEDIUM |
| The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request | |||||
| CVE-2022-20446 | 1 Google | 1 Android | 2025-05-01 | N/A | 3.3 LOW |
| In AlwaysOnHotwordDetector of AlwaysOnHotwordDetector.java, there is a possible way to access the microphone from the background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-229793943 | |||||
| CVE-2022-20451 | 1 Google | 1 Android | 2025-05-01 | N/A | 7.8 HIGH |
| In onCallRedirectionComplete of CallsManager.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-235098883 | |||||
| CVE-2022-20450 | 1 Google | 1 Android | 2025-05-01 | N/A | 7.8 HIGH |
| In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way to bypass user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-210065877 | |||||
| CVE-2024-43431 | 1 Moodle | 1 Moodle | 2025-05-01 | N/A | 7.5 HIGH |
| A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access. | |||||
| CVE-2023-48676 | 2 Acronis, Microsoft | 2 Agent, Windows | 2025-05-01 | N/A | 7.1 HIGH |
| Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 36943. | |||||
| CVE-2022-44549 | 1 Huawei | 2 Emui, Harmonyos | 2025-05-01 | N/A | 7.5 HIGH |
| The LBS module has a vulnerability in geofencing API access. Successful exploitation of this vulnerability may cause third-party apps to access the geofencing APIs without authorization, affecting user confidentiality. | |||||
| CVE-2022-38651 | 1 Vmware | 1 Hyperic Server | 2025-05-01 | N/A | 9.8 CRITICAL |
| A security filter misconfiguration exists in VMware Hyperic Server 5.8.6. Exploitation of this vulnerability enables a malicious party to bypass some authentication requirements when issuing requests to Hyperic Server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2022-2450 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2025-04-30 | N/A | 4.3 MEDIUM |
| The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers to call them. | |||||
| CVE-2022-45390 | 1 Jenkins | 1 Loader.io | 2025-04-30 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-45389 | 1 Jenkins | 1 Xp-dev | 2025-04-30 | N/A | 5.3 MEDIUM |
| A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. | |||||
| CVE-2022-45385 | 1 Jenkins | 1 Cloudbees Docker Hub\/registry Notification | 2025-04-30 | N/A | 7.5 HIGH |
| A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. | |||||
| CVE-2022-45394 | 1 Jenkins | 1 Delete Log | 2025-04-30 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. | |||||