Total
2190 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26767 | 1 Apple | 1 Macos | 2025-05-30 | 4.3 MEDIUM | 5.5 MEDIUM |
| The issue was addressed with additional permissions checks. This issue is fixed in macOS Monterey 12.4, macOS Big Sur 11.6.6. A malicious application may be able to bypass Privacy preferences. | |||||
| CVE-2024-7097 | 2025-05-30 | N/A | 4.3 MEDIUM | ||
| An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation. | |||||
| CVE-2025-3913 | 2025-05-30 | N/A | 5.3 MEDIUM | ||
| Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint. | |||||
| CVE-2025-3611 | 2025-05-30 | N/A | 3.1 LOW | ||
| Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console. | |||||
| CVE-2025-48473 | 2025-05-30 | N/A | N/A | ||
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been patched in version 1.8.179. | |||||
| CVE-2025-1792 | 2025-05-30 | N/A | 3.1 LOW | ||
| Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint. | |||||
| CVE-2024-7096 | 2025-05-30 | N/A | 4.2 MEDIUM | ||
| A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms. | |||||
| CVE-2023-26097 | 1 Telindus | 1 Apsal | 2025-05-30 | N/A | 8.4 HIGH |
| An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked. | |||||
| CVE-2020-28406 | 1 Iris | 1 Star Practice Management | 2025-05-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access details about jobs he should not have access to via the Audit Trail Feature. | |||||
| CVE-2020-28405 | 1 Iris | 1 Star Practice Management | 2025-05-30 | 6.5 MEDIUM | 8.8 HIGH |
| An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to change the privileges of any user of the application. This can be used to grant himself the administrative role or remove all administrative accounts of the application. | |||||
| CVE-2020-28404 | 1 Iris | 1 Star Practice Management | 2025-05-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access the Billing page without the appropriate privileges. | |||||
| CVE-2020-28402 | 1 Iris | 1 Star Practice Management | 2025-05-30 | 6.5 MEDIUM | 5.4 MEDIUM |
| An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access Launcher Configuration Panel. | |||||
| CVE-2020-28401 | 1 Iris | 1 Star Practice Management | 2025-05-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access WIP details about jobs he should not have access to. | |||||
| CVE-2018-10212 | 1 Vaultize | 1 Enterprise File Sharing | 2025-05-30 | 5.5 MEDIUM | 5.4 MEDIUM |
| An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization leading to creation of folders within another account via a modified device value. | |||||
| CVE-2025-1110 | 1 Gitlab | 1 Gitlab | 2025-05-29 | N/A | 2.7 LOW |
| An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query. | |||||
| CVE-2024-50419 | 1 Greenshiftwp | 1 Greenshift - Animation And Page Builder Blocks | 2025-05-28 | N/A | 5.4 MEDIUM |
| Incorrect Authorization vulnerability in Wpsoul Greenshift – animation and page builder blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift – animation and page builder blocks: from n/a through 9.7. | |||||
| CVE-2024-31403 | 1 Cybozu | 1 Garoon | 2025-05-28 | N/A | 5.4 MEDIUM |
| Incorrect authorization vulnerability in Cybozu Garoon 5.0.0 to 6.0.0 allows a remote authenticated attacker to alter and/or obtain the data of Memo. | |||||
| CVE-2024-27138 | 1 Apache | 1 Archiva | 2025-05-28 | N/A | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva. Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolate your instance from any untrusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2024-27139 | 1 Apache | 1 Archiva | 2025-05-28 | N/A | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2019-15941 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2025-05-28 | 7.5 HIGH | 9.8 CRITICAL |
| OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs. | |||||