Total
1425 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-34042 | 1 Vmware | 1 Spring Security | 2025-06-03 | N/A | 4.1 MEDIUM |
The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue. | |||||
CVE-2023-6506 | 1 Wpwhitesecurity | 1 Wp 2fa | 2025-06-03 | N/A | 4.3 MEDIUM |
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site. | |||||
CVE-2023-52116 | 1 Huawei | 2 Emui, Harmonyos | 2025-06-02 | N/A | 7.5 HIGH |
Permission management vulnerability in the multi-screen interaction module. Successful exploitation of this vulnerability may cause service exceptions of the device. | |||||
CVE-2020-15595 | 1 Zohocorp | 1 Manageengine Application Control Plus | 2025-05-30 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access. | |||||
CVE-2024-2905 | | | 2025-05-29 | N/A | 6.2 MEDIUM |
A security vulnerability has been discovered within rpm-ostree, pertaining to the /etc/shadow file in default builds having the world-readable bit enabled. This issue arises from the default permissions being set at a higher level than recommended, potentially exposing sensitive authentication data to unauthorized access. | |||||
CVE-2022-2995 | 1 Kubernetes | 1 Cri-o | 2025-05-29 | N/A | 7.1 HIGH |
Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. | |||||
CVE-2017-20148 | 1 Debian | 1 Logcheck | 2025-05-29 | N/A | 9.8 CRITICAL |
In the ebuild package through logcheck-1.3.23.ebuild for Logcheck on Gentoo, it is possible to achieve root privilege escalation from the logcheck user because of insecure recursive chown calls. | |||||
CVE-2025-3395 | 1 Abb | 1 Automation Builder | 2025-05-28 | N/A | 7.1 HIGH |
Incorrect Permission Assignment for Critical Resource, Cleartext Storage of Sensitive Information vulnerability in ABB Automation Builder. This issue affects Automation Builder: through 2.8.0. | |||||
CVE-2025-3394 | 1 Abb | 1 Automation Builder | 2025-05-28 | N/A | 7.8 HIGH |
Incorrect Permission Assignment for Critical Resource vulnerability in ABB Automation Builder. This issue affects Automation Builder: through 2.8.0. | |||||
CVE-2025-46802 | | | 2025-05-28 | N/A | 6.0 MEDIUM |
For a short time the PTY is set to mode 666, allowing any user on the system to connect to the screen session. | |||||
CVE-2025-40672 | | | 2025-05-28 | N/A | N/A |
A Privilege Escalation vulnerability has been found in Panloader component v3.24.0.0 by Espiral MS Group. This vulnerability allows any user to override the file panLoad.exe that will be executed by SYSTEM user via a programmed task. This would allow an attacker to obtain administrator permissions to perform whatever activities he/she wants, such as accessing sensitive information, executing code remotely, and even causing a denial of service (DoS). | |||||
CVE-2025-31262 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2025-05-28 | N/A | 5.5 MEDIUM |
A permissions issue was addressed with additional restrictions. This issue is fixed in visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. An app may be able to modify protected parts of the file system. | |||||
CVE-2022-28802 | 1 Zapier | 1 Code By Zapier | 2025-05-27 | N/A | 9.9 CRITICAL |
Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's account, but was supposed to enforce role-based access control within that company's account. Before 2022-08-17, a customer could have resolved this by (in effect) using a separate virtual machine for an application that held credentials - or other secrets - that weren't supposed to be shared among all of its employees. (Multiple accounts would have been needed to operate these independent virtual machines.) | |||||
CVE-2022-40298 | 1 Crestron | 1 Airmedia | 2025-05-27 | N/A | 8.8 HIGH |
Crestron AirMedia for Windows before 5.5.1.84 has insecure inherited permissions, which leads to a privilege escalation vulnerability found in the AirMedia Windows Application, version 4.3.1.39. A low privileged user can initiate a repair of the system and gain a SYSTEM level shell. | |||||
CVE-2025-45472 | | | 2025-05-23 | N/A | 8.8 HIGH |
Insecure permissions in autodeploy-layer v1.2.0 allow attackers to escalate privileges and compromise the customer cloud account. | |||||
CVE-2025-45471 | | | 2025-05-23 | N/A | 8.8 HIGH |
Insecure permissions in measure-cold-start v1.4.1 allow attackers to escalate privileges and compromise the customer cloud account. | |||||
CVE-2025-45468 | | | 2025-05-23 | N/A | 8.8 HIGH |
Insecure permissions in fc-stable-diffusion-plus v1.0.18 allow attackers to escalate privileges and compromise the customer cloud account. | |||||
CVE-2025-34025 | | | 2025-05-23 | N/A | N/A |
The Versa Concerto SD-WAN orchestration platform is vulnerable to a privilege escalation and container escape vulnerability caused by unsafe default mounting of host binary paths that allow the container to modify host paths. The escape can be used to trigger remote code execution or direct host access depending on the host operating system configuration. This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable. | |||||
CVE-2022-35250 | 1 Rocket.chat | 1 Rocket.chat | 2025-05-22 | N/A | 4.3 MEDIUM |
A privilege escalation vulnerability exists in Rocket.chat <v5 which made it possible to elevate privileges for any authenticated user to view Direct messages without appropriate permissions. | |||||
CVE-2019-13535 | 1 Medtronic | 4 Valleylab Ft10 Energy Platform, Valleylab Ft10 Energy Platform Firmware, Valleylab Ls10 Energy Platform and 1 more | 2025-05-22 | 2.1 LOW | 4.6 MEDIUM |
In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism does not apply read protection, allowing for full read access of the RFID security mechanism data. |