Total
416 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-29827 | 2025-05-08 | N/A | 9.9 CRITICAL | ||
| Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2024-24830 | 1 Openobserve | 1 Openobserve | 2025-05-08 | N/A | 9.9 CRITICAL |
| OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-36454 | 1 Mitel | 1 Micollab | 2025-05-07 | N/A | 6.5 MEDIUM |
| A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to impersonate another user's name. | |||||
| CVE-2022-36453 | 1 Mitel | 1 Micollab | 2025-05-07 | N/A | 8.8 HIGH |
| A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to control another extension number. | |||||
| CVE-2024-2557 | 1 Kishor-23 | 1 Food Waste Management System | 2025-05-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in kishor-23 Food Waste Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/admin.php. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257056. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3921 | 2025-05-07 | N/A | 8.2 HIGH | ||
| The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handel_ajax_req() function in versions 1.9.1 to 7.5.2. This makes it possible for unauthenticated attackers to update arbitrary user's metadata which can be leveraged to block an administrator from accessing their site when wp_capabilities is set to 0. | |||||
| CVE-2025-3924 | 2025-05-07 | N/A | 5.3 MEDIUM | ||
| The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized access of data via its publicly exposed reset-password endpoint. The plugin looks up the 'valid_email' value based solely on a supplied username parameter, without verifying that the requester is associated with that user account. This allows unauthenticated attackers to enumerate email addresses for any user, including administrators. | |||||
| CVE-2025-4104 | 2025-05-07 | N/A | 9.8 CRITICAL | ||
| The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_wp_ajax_fed_login_form_post() function in versions 1.0 to 2.2.6. This makes it possible for unauthenticated attackers to reset the administrator’s email and password, and elevate their privileges to that of an administrator. | |||||
| CVE-2025-3918 | 2025-05-05 | N/A | 9.8 CRITICAL | ||
| The Job Listings plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the register_action() function in versions 0.1 to 0.1.1. The plugin’s registration handler reads the client-supplied $_POST['user_role'] and passes it directly to wp_insert_user() without restricting to a safe set of roles. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator. | |||||
| CVE-2025-4210 | 2025-05-05 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.812.0 is able to address this issue. The name of the patch is 3d12ac8dc2282369296c3386815c00a06c6a92fe. It is recommended to upgrade the affected component. | |||||
| CVE-2024-2441 | 1 Vikwp | 1 Vikbooking Hotel Booking Engine \& Pms | 2025-05-05 | N/A | 8.1 HIGH |
| The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 allows direct access to menus, allowing an authenticated user with subscriber privileges or above, to bypass authorization and access settings of the VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's they shouldn't be allowed to. | |||||
| CVE-2025-30392 | 2025-05-02 | N/A | 9.8 CRITICAL | ||
| Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2025-30390 | 2025-05-02 | N/A | 9.9 CRITICAL | ||
| Improper authorization in Azure allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2025-32972 | 2025-05-02 | N/A | 2.7 LOW | ||
| XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1. | |||||
| CVE-2025-30389 | 2025-05-02 | N/A | 8.7 HIGH | ||
| Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2025-4136 | 2025-05-02 | 5.5 MEDIUM | 5.4 MEDIUM | ||
| A vulnerability was found in Weitong Mall 1.0.0. It has been classified as critical. This affects an unknown part of the component Sale Endpoint. The manipulation of the argument ID leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-8676 | 2025-05-01 | N/A | 7.4 HIGH | ||
| A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore. | |||||
| CVE-2024-9095 | 1 Lunary | 1 Lunary | 2025-04-29 | N/A | 9.8 CRITICAL |
| In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is protected by a config check (`config.DATA_WAREHOUSE_EXPORTS_ALLOWED`), but it does not verify the user's access level or implement any access control middleware. This vulnerability can lead to the extraction of sensitive data, disruption of services, credential compromise, and service integrity breaches. | |||||
| CVE-2025-32982 | 2025-04-29 | N/A | 7.5 HIGH | ||
| NETSCOUT nGeniusONE before 6.4.0 b2350 has a Broken Authorization Schema for the report module. | |||||
| CVE-2025-2850 | 2025-04-29 | 2.7 LOW | 3.5 LOW | ||
| A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango, GL-MT1300 Beryl, GL-MT2500 Brume 2, GL-MT3000 Beryl AX, GL-MT6000 Flint 2, GL-SFT1200 Opal, GL-X300B Collie, GL-X750 Spitz, GL-X3000 Spitz AX, GL-XE300 Puli and GL-XE3000 Puli AX 4.x. It has been rated as problematic. This issue affects some unknown processing of the component Download Interface. The manipulation leads to improper authorization. It is recommended to upgrade the affected component. | |||||