Total
5239 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9018 | 2025-09-11 | N/A | 8.8 HIGH | ||
| The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and including, 3.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update options such as user registration and default role, allowing anyone to register as an Administrator, and to delete limited data from the database. | |||||
| CVE-2025-36756 | 2025-09-11 | N/A | N/A | ||
| A problem with missing authorization on SolaX Cloud platform allows taking over any SolaX solarpanel inverter of which the serial number is known. | |||||
| CVE-2025-57817 | 1 Ethyca | 1 Fides | 2025-09-10 | N/A | 7.2 HIGH |
| Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available. | |||||
| CVE-2025-8712 | 2025-09-10 | N/A | 5.4 MEDIUM | ||
| Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings. | |||||
| CVE-2024-38002 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-09-10 | N/A | 9.0 CRITICAL |
| The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API. | |||||
| CVE-2025-59017 | 1 Typo3 | 1 Typo3 | 2025-09-10 | N/A | 8.8 HIGH |
| Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules. | |||||
| CVE-2025-32688 | 2025-09-09 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in Sovica Target Video Easy Publish. This issue affects Target Video Easy Publish: from n/a through 3.8.8. | |||||
| CVE-2025-42912 | 2025-09-09 | N/A | 6.5 MEDIUM | ||
| SAP HCM My Timesheet Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and availability remain unaffected. | |||||
| CVE-2025-55144 | 2025-09-09 | N/A | 5.4 MEDIUM | ||
| Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings. | |||||
| CVE-2025-42913 | 2025-09-09 | N/A | 3.1 LOW | ||
| Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. Confidentiality and availability are not impacted. | |||||
| CVE-2025-42918 | 2025-09-09 | N/A | 4.3 MEDIUM | ||
| SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability | |||||
| CVE-2025-55141 | 2025-09-09 | N/A | 8.8 HIGH | ||
| Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings. | |||||
| CVE-2025-42911 | 2025-09-09 | N/A | 5.0 MEDIUM | ||
| SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application | |||||
| CVE-2025-42917 | 2025-09-09 | N/A | 6.5 MEDIUM | ||
| SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and availability remain unaffected. | |||||
| CVE-2025-55142 | 2025-09-09 | N/A | 8.8 HIGH | ||
| Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings. | |||||
| CVE-2025-9542 | 2025-09-09 | N/A | 5.4 MEDIUM | ||
| The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin's functions in all versions up to, and including, 5.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify integration settings or view existing automations. | |||||
| CVE-2025-55148 | 2025-09-09 | N/A | 7.6 HIGH | ||
| Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings. | |||||
| CVE-2025-55145 | 2025-09-09 | N/A | 8.9 HIGH | ||
| Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker to hijack existing HTML5 connections. | |||||
| CVE-2025-42915 | 2025-09-09 | N/A | 5.4 MEDIUM | ||
| Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups.This issue could impact both the confidentiality and integrity of the application without affecting the availability. | |||||
| CVE-2025-42914 | 2025-09-09 | N/A | 3.1 LOW | ||
| Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. Confidentiality and availability are not impacted. | |||||