Search Results (10535 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-43431 | 1 Moodle | 1 Moodle | 2025-05-01 | 7.5 High |
| A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access. | ||||
| CVE-2023-48676 | 2 Acronis, Microsoft | 2 Agent, Windows | 2025-05-01 | 7.1 High |
| Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 36943. | ||||
| CVE-2022-44549 | 1 Huawei | 2 Emui, Harmonyos | 2025-05-01 | 7.5 High |
| The LBS module has a vulnerability in geofencing API access. Successful exploitation of this vulnerability may cause third-party apps to access the geofencing APIs without authorization, affecting user confidentiality. | ||||
| CVE-2024-48176 | 1 Lylme | 1 Lylme Spage | 2025-05-01 | 9.8 Critical |
| Lylme Spage v1.9.5 is vulnerable to Incorrect Access Control. There is no limit on the number of login attempts, and the verification code is not refreshed after a failed login, which allows attackers to brute-force the username and password and log into the system backend. | ||||
| CVE-2022-38651 | 1 Vmware | 1 Hyperic Server | 2025-05-01 | 9.8 Critical |
| A security filter misconfiguration exists in VMware Hyperic Server 5.8.6. Exploitation of this vulnerability enables a malicious party to bypass some authentication requirements when issuing requests to Hyperic Server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2022-2450 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2025-04-30 | 4.3 Medium |
| The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in user, such as a subscriber, to call them. | ||||
| CVE-2022-45390 | 1 Jenkins | 1 Loader.io | 2025-04-30 | 4.3 Medium |
| A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | ||||
| CVE-2022-45389 | 1 Jenkins | 1 Xp-dev | 2025-04-30 | 5.3 Medium |
| A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. | ||||
| CVE-2022-45385 | 1 Jenkins | 1 Cloudbees Docker Hub/registry Notification | 2025-04-30 | 7.5 High |
| A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. | ||||
| CVE-2022-42978 | 1 Atlassian | 1 Confluence Data Center | 2025-04-30 | 7.5 High |
| In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system. | ||||
| CVE-2022-45394 | 1 Jenkins | 1 Delete Log | 2025-04-30 | 4.3 Medium |
| A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. | ||||
| CVE-2024-42773 | 2 Jayesh, Kashipara | 2 Hotel Management System, Hotel Management System | 2025-04-30 | 9.1 Critical |
| An Incorrect Access Control vulnerability was found in /admin/edit_room_controller.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to edit the valid hotel room entries in the administrator section. | ||||
| CVE-2025-30093 | 1 Wisc | 1 Htcondor | 2025-04-30 | 8.1 High |
| HTCondor 23.0.x before 23.0.22, 23.10.x before 23.10.22, 24.0.x before 24.0.6, and 24.6.x before 24.6.1 allows authenticated attackers to bypass authorization restrictions. | ||||
| CVE-2024-55072 | 1 Mealie | 1 Mealie | 2025-04-30 | 5.4 Medium |
| A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household. | ||||
| CVE-2024-52921 | 1 Bitcoin | 1 Bitcoin Core | 2025-04-30 | 5.3 Medium |
| In Bitcoin Core before 25.0, a peer can affect the download state of other peers by sending a mutated block. | ||||
| CVE-2022-45399 | 1 Jenkins | 1 Cluster Statistics | 2025-04-30 | 4.3 Medium |
| A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. | ||||
| CVE-2022-3538 | 1 Webmaster Tools Verification Project | 1 Webmaster Tools Verification | 2025-04-30 | 6.5 Medium |
| The Webmaster Tools Verification WordPress plugin through 1.2 does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins. | ||||
| CVE-2025-32796 | 1 Langgenius | 1 Dify | 2025-04-30 | 6.5 Medium |
| Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in Dify where normal users can enable or disable apps through the API, even though the web UI button for this action is disabled and normal users are not permitted to make such changes. This access control flaw allows non-admin users to make unauthorized changes, which can disrupt the functionality and availability of the apps. This issue has been patched in version 0.6.12. A workaround for this vulnerability involves updating the API access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can send enable or disable requests for apps. | ||||
| CVE-2024-55662 | 1 Xwiki | 1 Xwiki | 2025-04-30 | 10 Critical |
| XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`. | ||||
| CVE-2024-55876 | 1 Xwiki | 1 Xwiki | 2025-04-30 | 5.4 Medium |
| XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch. | ||||
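Two entries above describe the same class of mistake from different angles: the Mealie entry (CVE-2024-55072) is object-level and field-level authorization missing on `/api/users/{user-id}`, so a user can grant themselves privileges or move households by editing their own record; the Dify entry (CVE-2025-32796) is a role check that existed only as a hidden UI button, so the API accepted enable/disable requests from non-admins. The example below is an added illustration of the server-side checks both entries call for, not code from either project; the data model (`admin`, `household_id`, `App.enabled`), the field lists and the handler names are assumptions, and the sample users and app are constructed.

```python
"""Server-side authorization for a self-service profile endpoint and an
admin-only app toggle. Added illustration with constructed data; the
field names, roles and handlers are assumptions, not Mealie or Dify code."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the acting user may not perform the request."""


@dataclass
class User:
    id: int
    name: str
    admin: bool = False       # assumed privilege flag
    household_id: int = 1     # assumed "household" membership field


@dataclass
class App:
    id: int
    enabled: bool = True


# Fields a user may change on their own record; everything else needs admin.
SELF_EDITABLE = {"name"}
ALL_EDITABLE = SELF_EDITABLE | {"admin", "household_id"}


def make_store():
    """Constructed sample data: one admin, one ordinary user, one app."""
    return {
        "users": {1: User(1, "alice", admin=True), 2: User(2, "bob")},
        "apps": {10: App(10)},
    }


def patch_user_vulnerable(store, actor, target_id, patch):
    """PATCH /api/users/{id} with no authorization: the handler trusts the
    session and applies every field in the body (BOLA plus mass assignment).
    `actor` is accepted but never consulted, which is the bug."""
    target = store["users"][target_id]
    for key, value in patch.items():
        setattr(target, key, value)
    return target


def patch_user(store, actor, target_id, patch):
    """Hardened handler: object-level check (own record unless admin) and
    field-level check (privilege and household fields require admin)."""
    target = store["users"].get(target_id)
    if target is None:
        raise KeyError(target_id)
    if actor.id != target.id and not actor.admin:
        raise Forbidden("may only edit own profile")
    unknown = patch.keys() - ALL_EDITABLE
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    allowed = ALL_EDITABLE if actor.admin else SELF_EDITABLE
    denied = patch.keys() - allowed
    if denied:
        raise Forbidden(f"fields require admin: {sorted(denied)}")
    for key, value in patch.items():
        setattr(target, key, value)
    return target


def set_app_enabled(store, actor, app_id, enabled):
    """Enable or disable an app. The role check lives on the server, not in
    whether the web UI renders the button."""
    if not actor.admin:
        raise Forbidden("admin role required")
    app = store["apps"][app_id]
    app.enabled = bool(enabled)
    return app


def outcome(handler, *args):
    """Run a handler and report 'ok' or 'forbidden' instead of raising."""
    try:
        handler(*args)
        return "ok"
    except Forbidden:
        return "forbidden"


def demo():
    """Same escalation request against both handlers: (vulnerable granted
    admin?, hardened blocked?)."""
    escalation = {"admin": True, "household_id": 99}
    vulnerable = make_store()
    patch_user_vulnerable(vulnerable, vulnerable["users"][2], 2, escalation)
    hardened = make_store()
    blocked = outcome(patch_user, hardened, hardened["users"][2], 2, escalation)
    return vulnerable["users"][2].admin, blocked == "forbidden"


if __name__ == "__main__":
    print(demo())
```

The split into an object-level test (whose record is it?) and a field-level allow-list (which attributes may this role touch?) is what keeps "edit your own profile" from becoming "promote yourself"; rejecting unknown fields outright also closes the mass-assignment route that a permissive ORM update would leave open.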
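The Lylme Spage entry (CVE-2024-48176) combines two gaps: no cap on login attempts, and a verification code that stays valid after a failed login, so an attacker who solves the code once can replay it across an entire wordlist. The example below is an added illustration of the two corresponding controls, a single-use code and a consecutive-failure lockout, shown beside a handler that has neither. It is not Lylme Spage code; the class and method names, the lockout threshold and the sample account and wordlist are assumptions constructed for the demo.

```python
"""Login throttling and single-use verification codes. Added illustration
with constructed accounts; names and thresholds are assumptions, not
Lylme Spage code."""
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5  # consecutive failures before the account is locked (assumed)


def hash_password(password: str) -> str:
    """Stand-in for a real password KDF (argon2/bcrypt); the fixed salt
    keeps the demo deterministic and is not a production choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000).hex()


class LoginService:
    def __init__(self, users):
        self._users = users        # username -> password hash (constructed)
        self._codes = {}           # session id -> outstanding verification code
        self._failures = {}        # username -> consecutive failed attempts

    def issue_code(self, session_id: str) -> str:
        """Issue a fresh verification code (stand-in for a captcha challenge)."""
        code = secrets.token_hex(3)
        self._codes[session_id] = code
        return code

    def _check_password(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        # Hash is computed even for unknown users so timing does not reveal
        # whether the account exists.
        candidate = hash_password(password)
        return stored is not None and hmac.compare_digest(stored, candidate)

    def login_vulnerable(self, session_id, username, password, code):
        """Pattern from the CVE: the code is checked but never invalidated and
        failures are not counted, so one solved code fuels a whole wordlist."""
        if not hmac.compare_digest(self._codes.get(session_id, ""), code):
            return "bad_code"
        return "ok" if self._check_password(username, password) else "bad_credentials"

    def login(self, session_id, username, password, code):
        """Hardened: the code is consumed by every attempt regardless of
        outcome, and the account locks after MAX_ATTEMPTS consecutive failures."""
        expected = self._codes.pop(session_id, None)   # single use
        if expected is None or not hmac.compare_digest(expected, code):
            return "bad_code"
        if self._failures.get(username, 0) >= MAX_ATTEMPTS:
            return "locked"
        if not self._check_password(username, password):
            self._failures[username] = self._failures.get(username, 0) + 1
            return "bad_credentials"
        self._failures.pop(username, None)
        return "ok"


def replay_wordlist(login, session_id, username, guesses, code):
    """Attacker model: solve the code once, then replay it for every guess.
    Returns the outcome of each attempt in order."""
    return [login(session_id, username, guess, code) for guess in guesses]


def demo():
    """Run the same replay against both handlers: (vulnerable, hardened)."""
    guesses = ["123456", "password", "letmein", "hunter2"]   # constructed wordlist
    svc = LoginService({"admin": hash_password("hunter2")})
    code = svc.issue_code("sess")
    vulnerable = replay_wordlist(svc.login_vulnerable, "sess", "admin", guesses, code)
    code = svc.issue_code("sess")
    hardened = replay_wordlist(svc.login, "sess", "admin", guesses, code)
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable:", vulnerable)   # every guess evaluated; the last one succeeds
    print("hardened:  ", hardened)     # only the first guess reaches the password check
```

The order of checks matters: the code is popped before anything else so a failed or even malformed attempt still burns it, and the lockout is tested before the password so a locked account returns `locked` even for the correct password rather than confirming it. Per-account counters block vertical guessing; a deployment that also worries about password spraying across many accounts would add a per-source limit on top.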