Total
4572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4064 | 1 Scriptandtools | 1 Online Traveling System | 2025-05-09 | N/A | 5.3 MEDIUM |
| A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/viewenquiry.php. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-46348 | 1 Yeswiki | 1 Yeswiki | 2025-05-09 | N/A | 9.8 CRITICAL |
| YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4. | |||||
| CVE-2025-3949 | 2025-05-09 | N/A | 4.3 MEDIUM | ||
| The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions. | |||||
| CVE-2022-43413 | 1 Jenkins | 1 Job Import | 2025-05-08 | N/A | 4.3 MEDIUM |
| Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-43427 | 1 Jenkins | 1 Compuware Topaz For Total Test | 2025-05-08 | N/A | 4.3 MEDIUM |
| Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-43417 | 1 Jenkins | 1 Katalon | 2025-05-08 | N/A | 4.3 MEDIUM |
| Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-43421 | 1 Jenkins | 1 Tuleap Git Branch Source | 2025-05-08 | N/A | 5.3 MEDIUM |
| A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value. | |||||
| CVE-2022-43431 | 1 Jenkins | 1 Compuware Strobe Measurement | 2025-05-08 | N/A | 4.3 MEDIUM |
| Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2023-30586 | 1 Nodejs | 1 Node.js | 2025-05-08 | N/A | 7.5 HIGH |
| A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | |||||
| CVE-2025-20164 | 2025-05-07 | N/A | 8.3 HIGH | ||
| A vulnerability in the Cisco Industrial Ethernet Switch Device Manager (DM) of Cisco IOS Software could allow an authenticated, remote attacker to elevate privileges. This vulnerability is due to insufficient validation of authorizations for authenticated users. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to elevate privileges to privilege level 15. To exploit this vulnerability, the attacker must have valid credentials for a user account with privilege level 5 or higher. Read-only DM users are assigned privilege level 5. | |||||
| CVE-2022-41797 | 1 Lemon8 Project | 1 Lemon8 | 2025-05-07 | N/A | 6.5 MEDIUM |
| Improper authorization in handler for custom URL scheme vulnerability in Lemon8 App for Android versions prior to 3.3.5 and Lemon8 App for iOS versions prior to 3.3.5 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack. | |||||
| CVE-2024-28215 | 1 Naver | 1 Ngrinder | 2025-05-07 | N/A | N/A |
| nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery. | |||||
| CVE-2024-28216 | 1 Naver | 1 Ngrinder | 2025-05-07 | N/A | N/A |
| nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery. | |||||
| CVE-2025-47591 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in CreedAlly Bulk Featured Image allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Featured Image: from n/a through 1.2.1. | |||||
| CVE-2025-47467 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in GS Plugins GS Testimonial Slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GS Testimonial Slider: from n/a through 3.3.0. | |||||
| CVE-2025-47486 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in CyberChimps Gutenberg & Elementor Templates Importer For Responsive allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Gutenberg & Elementor Templates Importer For Responsive: from n/a through 3.1.9. | |||||
| CVE-2025-47465 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in CreativeThemes Blocksy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Blocksy: from n/a through 2.0.97. | |||||
| CVE-2025-47471 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in EnvoThemes Envo Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Envo Extra: from n/a through 1.9.9. | |||||
| CVE-2025-47480 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in Iqonic Design Graphina allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Graphina: from n/a through 3.0.4. | |||||
| CVE-2025-47472 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in codepeople Music Player for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Music Player for WooCommerce: from n/a through 1.5.1. | |||||