Export limit exceeded: 366528 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11868 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-0866 | 1 Redhat | 4 Jboss Enterprise Application Platform, Openstack Platform, Red Hat Single Sign On and 1 more | 2025-11-06 | 5.3 Medium |
| This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled. | ||||
| CVE-2024-48932 | 2 Icewhaletech, Zimaspace | 2 Zimaos, Zimaos | 2025-11-05 | 5.3 Medium |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http://<Server-ip>/v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available. | ||||
| CVE-2025-41111 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_denuncia' in '/backend/api/buscarComentariosByDenuncia.php'. | ||||
| CVE-2025-41112 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'web' in '/backend/api/buscarConfiguracionParametros2.php'. | ||||
| CVE-2025-41113 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_denuncia' in '/backend/api/buscarDenunciaByPin.php'. | ||||
| CVE-2025-41114 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'id_user' in '/backend/api/buscarDocumentosByIdDenunciaUsuario.php'. | ||||
| CVE-2025-41335 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id' and ' 'id_sociedad' in '/api/buscarEmpresaById.php'. | ||||
| CVE-2025-41337 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'web' in '/backend/api/buscarSSOParametros.php'. | ||||
| CVE-2025-41336 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'web' in '/backend/api/buscarConfiguracionParametros.php'. | ||||
| CVE-2025-41338 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'id_user' in '/backend/api/buscarTestigoByIdDenunciaUsuario.php'. | ||||
| CVE-2025-41339 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_sociedad' in '/backend/api/buscarTipoDenuncia.php'. | ||||
| CVE-2025-41340 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_tp_denuncia' and 'id_sociedad' in '/backend/api/buscarTipoDenunciabyId.php'. | ||||
| CVE-2025-41341 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'seguro' in '/backend/api/buscarUsuarioByDenuncia.php'. | ||||
| CVE-2025-41342 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_user' in '/backend/api/buscarUsuarioId.php'. | ||||
| CVE-2025-41343 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'email' in '/backend/api/users/searchUserByEmail.php'. | ||||
| CVE-2025-41344 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_archivo' in '/backend/api/verArchivo.php'. | ||||
| CVE-2025-41345 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'id_user' in '/backend/api/buscarDenunciasById.php'. | ||||
| CVE-2025-64150 | 1 Jenkins | 2 Jenkins, Publish To Bitbucket | 2025-11-04 | 5.4 Medium |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2025-64148 | 1 Jenkins | 2 Jenkins, Publish To Bitbucket | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | ||||
| CVE-2025-64142 | 1 Jenkins | 2 Jenkins, Nexus Task Runner | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | ||||