Total
29527 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-52337 | 1 Trendmicro | 2 Deep Security, Deep Security Agent | 2025-06-20 | N/A | 7.8 HIGH |
An improper access control vulnerability in Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
CVE-2023-51948 | 1 Actidata | 2 Actinas Sl 2u-8 Rdx, Actinas Sl 2u-8 Rdx Firmware | 2025-06-20 | N/A | 7.5 HIGH |
A Site-wide directory listing vulnerability in /fm in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to list the files hosted by the web application. | |||||
CVE-2024-22362 | 1 Drupal | 1 Drupal | 2025-06-20 | N/A | 7.5 HIGH |
Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. | |||||
CVE-2024-56128 | 1 Apache | 1 Kafka | 2025-06-20 | N/A | N/A |
Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka's SCRAM implementation did not perform this validation. Impact: This vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. However, the usage of SCRAM over plaintext is strongly discouraged as it is considered an insecure practice [2]. Apache Kafka recommends deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception [3]. Deployments using SCRAM with TLS are not affected by this issue. How to Detect If You Are Impacted: If your deployment uses SCRAM authentication over plaintext communication channels (without TLS encryption), you are likely impacted. To check if TLS is enabled, review your server.properties configuration file for listeners property. If you have SASL_PLAINTEXT in the listeners, then you are likely impacted. Fix Details: The issue has been addressed by introducing nonce verification in the final message of the SCRAM authentication exchange to ensure compliance with RFC 5802. Affected Versions: Apache Kafka versions 0.10.2.0 through 3.9.0, excluding the fixed versions below. Fixed Versions: 3.9.0, 3.8.1, 3.7.2. Users are advised to upgrade to 3.7.2 or later to mitigate this issue. Recommendations for Mitigation: Users unable to upgrade to the fixed versions can mitigate the issue by: - Using TLS with SCRAM Authentication: Always deploy SCRAM over TLS to encrypt authentication exchanges and protect against interception. - Considering Alternative Authentication Mechanisms: Evaluate alternative authentication mechanisms, such as PLAIN, Kerberos or OAuth with TLS, which provide additional layers of security. | |||||
CVE-2023-49961 | 1 Wallix | 2 Bastion, Bastion Access Manager | 2025-06-18 | N/A | 7.5 HIGH |
WALLIX Bastion 7.x, 8.x, 9.x and 10.x and WALLIX Access Manager 3.x and 4.x have Incorrect Access Control which can lead to sensitive data exposure. | |||||
CVE-2023-50343 | 1 Hcltech | 1 Dryice Myxalytics | 2025-06-18 | N/A | 6.5 MEDIUM |
HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Controller APIs) vulnerability. Certain API endpoints are accessible to Customer Admin Users that can allow access to sensitive information about other users. | |||||
CVE-2023-50344 | 1 Hcltech | 1 Dryice Myxalytics | 2025-06-18 | N/A | 5.4 MEDIUM |
HCL DRYiCE MyXalytics is impacted by an improper access control (Unauthenticated File Download) vulnerability. An unauthenticated user can download certain files. | |||||
CVE-2023-50341 | 1 Hcltech | 1 Dryice Myxalytics | 2025-06-18 | N/A | 7.5 HIGH |
HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Obsolete web pages) vulnerability. Discovery of outdated and accessible web pages reflects a "Missing Access Control" vulnerability, which could lead to inadvertent exposure of sensitive information and/or exposing a vulnerable endpoint. | |||||
CVE-2023-28197 | 1 Apple | 1 Macos | 2025-06-17 | N/A | 3.3 LOW |
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13.3, macOS Big Sur 11.7.5, macOS Monterey 12.6.4. An app may be able to access user-sensitive data. | |||||
CVE-2021-46903 | 1 Meinbergglobal | 1 Lantime Firmware | 2025-06-17 | N/A | 6.5 MEDIUM |
An issue was discovered in LTOS-Web-Interface in Meinberg LANTIME-Firmware before 6.24.029 MBGID-9343 and 7 before 7.04.008 MBGID-6303. An admin can delete required user accounts (in violation of expected access control). | |||||
CVE-2023-47202 | 1 Trendmicro | 1 Apex One | 2025-06-17 | N/A | 7.8 HIGH |
A local file inclusion vulnerability on the Trend Micro Apex One management server could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
CVE-2024-23055 | 1 Plone | 1 Plone Docker Official Image | 2025-06-17 | N/A | 6.1 MEDIUM |
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers. | |||||
CVE-2023-6447 | 1 Metagauss | 1 Eventprime | 2025-06-17 | N/A | 5.3 MEDIUM |
The EventPrime WordPress plugin before 3.3.6 lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name. | |||||
CVE-2023-27001 | 1 Egerie | 1 Egerie | 2025-06-17 | N/A | 8.8 HIGH |
An issue discovered in Egerie Risk Manager v4.0.5 allows attackers to bypass the signature mechanism and tamper with the values inside the JWT payload resulting in privilege escalation. | |||||
CVE-2024-25677 | 1 Minbrowser | 1 Min | 2025-06-16 | N/A | 8.8 HIGH |
In Min before 1.31.0, local files are not correctly treated as unique security origins, which allows them to improperly request cross-origin resources. For example, a local file may request other local files through an XML document. | |||||
CVE-2023-51065 | 1 Qstar | 1 Archive Storage Manager | 2025-06-16 | N/A | 7.5 HIGH |
Incorrect access control in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows unauthenticated attackers to obtain system backups and other sensitive information from the QStar Server. | |||||
CVE-2024-44106 | 1 Ivanti | 1 Workspace Control | 2025-06-12 | N/A | 7.8 HIGH |
Insufficient server-side controls in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges. | |||||
CVE-2022-26461 | 2 Google, Mediatek | 15 Android, Mt6833, Mt6853 and 12 more | 2025-06-12 | N/A | 6.7 MEDIUM |
In vow, there is a possible undefined behavior due to an API misuse. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07032604; Issue ID: ALPS07032604. | |||||
CVE-2021-24566 | 1 Pluginus | 1 Fox - Currency Switcher Professional For Woocommerce | 2025-06-11 | N/A | 8.8 HIGH |
The WooCommerce Currency Switcher FOX WordPress plugin before 1.3.7 was vulnerable to LFI attacks via the "woocs" shortcode. | |||||
CVE-2023-47132 | 1 N-able | 1 N-central | 2025-06-11 | N/A | 9.8 CRITICAL |
An issue discovered in N-able N-central before 2023.6 and earlier allows attackers to gain escalated privileges via API calls. |