Total
1952 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9902 | 2025-02-25 | N/A | 6.3 MEDIUM | ||
| A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. | |||||
| CVE-2023-28611 | 1 Omicronenergy | 2 Stationguard, Stationscout | 2025-02-25 | N/A | 9.8 CRITICAL |
| Incorrect authorization in OMICRON StationGuard 1.10 through 2.20 and StationScout 1.30 through 2.20 allows an attacker to bypass intended access restrictions. | |||||
| CVE-2023-1603 | 1 Devolutions | 1 Devolutions Server | 2025-02-25 | N/A | 6.5 MEDIUM |
| Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision. | |||||
| CVE-2023-20975 | 1 Google | 1 Android | 2025-02-25 | N/A | 7.8 HIGH |
| In getAvailabilityStatus of EnableContentCapturePreferenceController.java, there is a possible way to bypass DISALLOW_CONTENT_CAPTURE due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-250573776 | |||||
| CVE-2023-20971 | 1 Google | 1 Android | 2025-02-25 | N/A | 7.8 HIGH |
| In removePermission of PermissionManagerServiceImpl.java, there is a possible way to obtain dangerous permissions without user consent due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21035 | 1 Google | 1 Android | 2025-02-25 | N/A | 7.8 HIGH |
| In multiple functions of BackupHelper.java, there is a possible way for an app to get permissions previously granted to another app with the same package name due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-184847040 | |||||
| CVE-2025-26532 | 2025-02-24 | N/A | 3.1 LOW | ||
| Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored. | |||||
| CVE-2025-26531 | 2025-02-24 | N/A | 3.1 LOW | ||
| Insufficient capability checks made it possible to disable badges a user does not have permission to access. | |||||
| CVE-2025-26526 | 2025-02-24 | N/A | 6.5 MEDIUM | ||
| Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities. | |||||
| CVE-2023-24880 | 1 Microsoft | 10 Windows 10 1607, Windows 10 1809, Windows 10 20h2 and 7 more | 2025-02-24 | N/A | 4.4 MEDIUM |
| Windows SmartScreen Security Feature Bypass Vulnerability | |||||
| CVE-2023-21715 | 1 Microsoft | 1 365 Apps | 2025-02-24 | N/A | 7.3 HIGH |
| Microsoft Publisher Security Feature Bypass Vulnerability | |||||
| CVE-2023-20269 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2025-02-24 | N/A | 5.0 MEDIUM |
| A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following: Identify valid credentials that could then be used to establish an unauthorized remote access VPN session. Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier). Notes: Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured. Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability. | |||||
| CVE-2025-24526 | 2025-02-24 | N/A | 4.3 MEDIUM | ||
| Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they shouldn't have access to it | |||||
| CVE-2023-1202 | 1 Devolutions | 1 Remote Desktop Manager | 2025-02-20 | N/A | 6.5 MEDIUM |
| Permission bypass when importing or synchronizing entries in User vault in Devolutions Remote Desktop Manager 2023.1.9 and prior versions allows users with restricted rights to bypass entry permission via id collision. | |||||
| CVE-2024-5705 | 2025-02-19 | N/A | 8.8 HIGH | ||
| The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes. When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service. | |||||
| CVE-2021-3493 | 1 Canonical | 1 Ubuntu Linux | 2025-02-19 | 7.2 HIGH | 8.8 HIGH |
| The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges. | |||||
| CVE-2024-45081 | 2025-02-19 | N/A | 6.5 MEDIUM | ||
| IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated user to modify restricted content due to incorrect authorization checks. | |||||
| CVE-2024-39328 | 2025-02-18 | N/A | 6.8 MEDIUM | ||
| Insecure Permissions in Atos Eviden IDRA and IDCA before 2.7.0. A highly trusted role (Config Admin) could exceed their configuration privileges in a multi-partition environment and access some confidential data. Data integrity and availability is not at risk. | |||||
| CVE-2025-24872 | 2025-02-18 | N/A | 4.3 MEDIUM | ||
| The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This has a limited impact on the confidentiality of the application with no effect on the integrity and availability of the application. | |||||
| CVE-2025-24869 | 2025-02-18 | N/A | 4.3 MEDIUM | ||
| SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need it. These XML files are not entirely SAP-internal as they are deployed with the server. In such a scenario, sensitive information could be exposed without compromising its integrity or availability. | |||||