Vulnerabilities (CVE)

Filtered by CWE-862
Total 4703 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-39117 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-05-15 N/A 5.5 MEDIUM
In messaging service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
CVE-2022-39115 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-05-15 N/A 5.5 MEDIUM
In Music service, there is a missing permission check. This could lead to local denial of service in Music service with no additional execution privileges needed.
CVE-2022-39114 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-05-15 N/A 5.5 MEDIUM
In Music service, there is a missing permission check. This could lead to local denial of service in Music service with no additional execution privileges needed.
CVE-2022-39112 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-05-15 N/A 5.5 MEDIUM
In Music service, there is a missing permission check. This could lead to local denial of service in Music service with no additional execution privileges needed.
CVE-2022-39111 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-05-15 N/A 7.8 HIGH
In Music service, there is a missing permission check. This could lead to elevation of privilege in Music service with no additional execution privileges needed.
CVE-2022-39110 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-05-15 N/A 7.8 HIGH
In Music service, there is a missing permission check. This could lead to elevation of privilege in Music service with no additional execution privileges needed.
CVE-2025-4282 1 Oretnom23 1 Stock Management System 2025-05-14 5.0 MEDIUM 4.3 MEDIUM
A vulnerability has been found in SourceCodester/oretnom23 Stock Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-30448 2025-05-14 N/A 9.1 CRITICAL
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.7.6, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, visionOS 2.5, macOS Ventura 13.7.6, macOS Sequoia 15.4. An attacker may be able to turn on sharing of an iCloud folder without authentication.
CVE-2025-43000 2025-05-13 N/A 7.9 HIGH
Under certain conditions Promotion Management Wizard (PMW) allows an attacker to access information which would otherwise be restricted.This has High impact on Confidentiality with Low impact on Integrity and Availability of the application.
CVE-2025-43008 2025-05-13 N/A 5.8 MEDIUM
Due to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability.
CVE-2025-43004 2025-05-13 N/A 5.3 MEDIUM
Due to a security misconfiguration vulnerability, customers can develop Production Operator Dashboards (PODs) that enable outside users to access customer data when they access these dashboards. Since no mechanisms exist to enforce authentication, malicious unauthenticated users can view non-sensitive customer information. However, this does not affect data integrity or availability.
CVE-2025-43011 2025-05-13 N/A 7.7 HIGH
Under certain conditions, SAP Landscape Transformation's PCL Basis module does not perform the necessary authorization checks, allowing authenticated users to access restricted functionalities or data. This can lead to a high impact on confidentiality with no impact on the integrity or availability of the application.
CVE-2025-43007 2025-05-13 N/A 6.3 MEDIUM
SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on confidentiality, integrity and availability of the application.
CVE-2025-4339 2025-05-13 N/A 4.3 MEDIUM
The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary theme options.
CVE-2025-43009 2025-05-13 N/A 6.3 MEDIUM
SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on Confidentiality, integrity and availability of the application.
CVE-2022-3244 1 Smackcoders 1 Import All Pages\, Post Types\, Products\, Orders\, And Users As Xml \& Csv 2025-05-13 N/A 4.2 MEDIUM
The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce
CVE-2022-3082 1 Miniorange 1 Discord Integration 2025-05-13 N/A 6.5 MEDIUM
The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example
CVE-2025-32973 1 Xwiki 1 Xwiki 2025-05-13 N/A 9.0 CRITICAL
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An attacker who created such a malicious object could use this to gain programming rights on the wiki. For this, the attacker needs to have edit rights on at least one page to place this object and then get an admin user to edit that document. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.
CVE-2025-23025 1 Xwiki 1 Xwiki 2025-05-13 N/A 9.0 CRITICAL
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).
CVE-2025-29926 1 Xwiki 1 Xwiki 2025-05-13 N/A 9.8 CRITICAL
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.