Total
4828 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-56295 | 1 Ays-pro | 1 Poll Maker | 2025-05-28 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability in Poll Maker Team Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Poll Maker: from n/a through 5.5.6. | |||||
| CVE-2024-3601 | 1 Ays-pro | 1 Poll Maker | 2025-05-28 | N/A | 5.3 MEDIUM |
| The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_poll_create_author function in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to extract email addresses by enumerating them one character at a time. | |||||
| CVE-2025-5132 | 2025-05-28 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in Tmall Demo up to 20250505. It has been rated as problematic. This issue affects some unknown processing of the file tmall/admin/account/logout. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-24577 | 1 Ays-pro | 1 Poll Maker | 2025-05-28 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability in Ays Pro Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll Maker: from n/a through 5.5.0. | |||||
| CVE-2022-41228 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2025-05-28 | N/A | 8.8 HIGH |
| A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers with Overall/Read permissions to connect to an attacker-specified webserver using attacker-specified credentials. | |||||
| CVE-2025-28103 | 1 Dogukanurker | 1 Flaskblog | 2025-05-28 | N/A | 6.4 MEDIUM |
| Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request. | |||||
| CVE-2022-41254 | 1 Jenkins | 1 Cons3rt | 2025-05-28 | N/A | 6.5 MEDIUM |
| Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-41252 | 1 Jenkins | 1 Cons3rt | 2025-05-28 | N/A | 4.3 MEDIUM |
| Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allows users with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2022-41251 | 1 Jenkins | 1 Apprenda | 2025-05-28 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-41242 | 1 Jenkins | 1 Extreme-feedback | 2025-05-28 | N/A | 5.4 MEDIUM |
| A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps. | |||||
| CVE-2022-41234 | 1 Jenkins | 1 Rundeck | 2025-05-28 | N/A | 8.8 HIGH |
| Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck. | |||||
| CVE-2022-41233 | 1 Jenkins | 1 Rundeck | 2025-05-28 | N/A | 4.3 MEDIUM |
| Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, allowing attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled. | |||||
| CVE-2022-41230 | 1 Jenkins | 1 Build-publisher | 2025-05-28 | N/A | 4.3 MEDIUM |
| Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers. | |||||
| CVE-2025-40667 | 2025-05-28 | N/A | N/A | ||
| Missing authorization vulnerability in TCMAN's GIM v11. This allows an authenticated attacker to access any functionality of the application even when they are not available through the user interface. To exploit the vulnerability the attacker must modify the HTTP code of the response from ‘302 Found’ to ‘200 OK’, as well as the hidden fields hdnReadOnly and hdnUserLogin. | |||||
| CVE-2025-40673 | 2025-05-28 | N/A | N/A | ||
| A Missing Authorization vulnerability has been found in DinoRANK. This vulnerability allows an attacker to access invoices of any user via accessing endpoint '/facturas/YYYY-MM/SDRYYMM-XXXXX.pdf' because there is no access control. The pdf filename can be obtained via OSINT, insecure network traffic or brute force. | |||||
| CVE-2025-4683 | 2025-05-28 | N/A | 4.3 MEDIUM | ||
| The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts. | |||||
| CVE-2025-5117 | 2025-05-28 | N/A | 8.8 HIGH | ||
| The Property plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the use of the property_package_user_role metadata in versions 1.0.5 to 1.0.6. This makes it possible for authenticated attackers, with Author‐level access and above, to elevate their privileges to that of an administrator by creating a package post whose property_package_user_role is set to administrator and then submitting the PayPal registration form. | |||||
| CVE-2025-2407 | 2025-05-28 | N/A | N/A | ||
| Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries to unrestricted access via the network. The vulnerability is fixed in Version 1.5. | |||||
| CVE-2025-5185 | 2025-05-28 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-26369 | 1 Q-free | 1 Maxtime | 2025-05-27 | N/A | 8.8 HIGH |
| A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests. | |||||