Total: 1016 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-52448 | 3 Linux, Microsoft, Tableau | 3 Linux Kernel, Windows, Tableau Server | 2025-10-31 | N/A | 8.1 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql API modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. |
| CVE-2025-43724 | 1 Dell | 1 Powerscale Onefs | 2025-10-31 | N/A | 4.4 MEDIUM | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an authorization bypass through user-controlled key vulnerability. A high-privileged attacker with local access could potentially exploit this vulnerability to gain unauthorized access to NFSv4 or SMB shares. |
| CVE-2025-9559 | 1 Pega | 1 Pega Platform | 2025-10-30 | N/A | 6.5 MEDIUM | Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data. |
| CVE-2025-61876 | | | 2025-10-30 | N/A | 5.0 MEDIUM | Insecure Direct Object Reference (IDOR) in the /tenants/{id} API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL. |
| CVE-2025-12351 | | | 2025-10-30 | N/A | 6.8 MEDIUM | Honeywell S35 Series Cameras contain an Authorization Bypass Through User-Controlled Key vulnerability. An attacker could potentially exploit this vulnerability, leading to privilege escalation to admin-privileged functionality. Honeywell recommends updating to the most recent version of this product, service or offering (S35 Pinhole/Kit Camera to version 2025.08.28, S35 AI Fisheye & Dual Sensor/Micro Dome/Full Color Eyeball & Bullet Camera to version 2025.08.22, S35 Thermal Camera to version 2025.08.26). |
| CVE-2025-12288 | | | 2025-10-30 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability was detected in Bdtask Pharmacy Management System up to 9.4. Affected is an unknown function of the file /user/edit_user/ of the component User Profile Handler. Performing manipulation results in authorization bypass. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-64283 | | | 2025-10-30 | N/A | 6.5 MEDIUM | Authorization Bypass Through User-Controlled Key vulnerability in Rometheme RTMKit (rometheme-for-elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RTMKit: from n/a through <= 1.6.7. |
| CVE-2025-10759 | 1 Webkul | 1 Qloapps | 2025-10-30 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As we are already aware of this vulnerability and our internal team is already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release." |
| CVE-2025-31997 | 1 Hcltech | 1 Unica Centralized Offer Management | 2025-10-29 | N/A | 4.2 MEDIUM | HCL Unica Centralized Offer Management is vulnerable to Insecure Direct Object References (IDOR). An attacker can bypass authorization and access resources in the system directly, for example database records or files. |
| CVE-2025-62893 | | | 2025-10-28 | N/A | 8.1 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in mediavine Create by Mediavine (mediavine-create) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Create by Mediavine: from n/a through <= 1.9.14. |
| CVE-2025-11957 | 1 Devolutions | 1 Devolutions Server | 2025-10-27 | N/A | 8.4 HIGH | Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests. |
| CVE-2025-34293 | | | 2025-10-27 | N/A | N/A | GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account's security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account. |
| CVE-2025-0058 | 1 Sap | 1 Sap Basis | 2025-10-24 | N/A | 6.5 MEDIUM | In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable. |
| CVE-2025-49952 | | | 2025-10-23 | N/A | 6.3 MEDIUM | Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez (houzez) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Houzez: from n/a through <= 4.1.1. |
| CVE-2025-5947 | | | 2025-10-23 | N/A | 9.8 CRITICAL | The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to log in as any user, including admins. |
| CVE-2025-58055 | 1 Discourse | 1 Discourse | 2025-10-23 | N/A | 4.3 MEDIUM | Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To work around this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings. |
| CVE-2025-6833 | | | 2025-10-22 | N/A | 4.3 MEDIUM | The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out. |
| CVE-2025-10570 | | | 2025-10-22 | N/A | 4.3 MEDIUM | The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own. |
| CVE-2024-9097 | 1 Zohocorp | 1 Manageengine Endpoint Central | 2025-10-22 | N/A | 3.5 LOW | ManageEngine Endpoint Central versions before 11.3.2440.09 are vulnerable to an IDOR vulnerability that allows the attacker to change the username in the chat. |
| CVE-2025-40658 | 1 Acc | 1 Dm Corporative Cms | 2025-10-22 | N/A | 7.5 HIGH | An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area by setting the option parameter to 0, 1 or 2 in /administer/selectionnode/framesSelection.asp. |
