Total
2476 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-64707 | 1 Frappe | 1 Learning | 2025-11-17 | N/A | 5.4 MEDIUM |
| Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated. | |||||
| CVE-2025-11777 | 1 Mattermost | 1 Mattermost Server | 2025-11-17 | N/A | 3.1 LOW |
| Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint | |||||
| CVE-2025-11776 | 1 Mattermost | 1 Mattermost Server | 2025-11-17 | N/A | 4.3 MEDIUM |
| Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint | |||||
| CVE-2025-41436 | 1 Mattermost | 1 Mattermost Server | 2025-11-17 | N/A | 3.1 LOW |
| Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads | |||||
| CVE-2025-62394 | 1 Moodle | 1 Moodle | 2025-11-14 | N/A | 4.3 MEDIUM |
| Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information. | |||||
| CVE-2025-12149 | 2025-11-14 | N/A | N/A | ||
| In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices. | |||||
| CVE-2025-13063 | 2025-11-14 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in DinukaNavaratna Dee Store 1.0. Affected is an unknown function. Executing manipulation can lead to missing authorization. The attack may be performed from remote. The exploit has been published and may be used. Multiple endpoints are affected. | |||||
| CVE-2025-65002 | 2025-11-14 | N/A | 7.5 HIGH | ||
| Fujitsu / Fsas Technologies iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters. | |||||
| CVE-2025-12621 | 2025-11-12 | N/A | 5.3 MEDIUM | ||
| The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds. | |||||
| CVE-2025-11862 | 2025-11-12 | N/A | N/A | ||
| A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API. | |||||
| CVE-2025-61830 | 2025-11-12 | N/A | 7.1 HIGH | ||
| Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK. | |||||
| CVE-2025-62795 | 1 Fit2cloud | 1 Jumpserver | 2025-11-12 | N/A | 7.1 HIGH |
| JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts. | |||||
| CVE-2025-62275 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-10 | N/A | 5.3 MEDIUM |
| Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL. | |||||
| CVE-2021-40655 | 1 Dlink | 2 Dir-605l, Dir-605l Firmware | 2025-11-10 | 5.0 MEDIUM | 7.5 HIGH |
| An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page | |||||
| CVE-2025-44824 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 8.5 HIGH |
| Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is in the API response. This is GL:NLS#474. | |||||
| CVE-2025-34273 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 6.5 MEDIUM |
| Nagios Log Server versions prior to 2024R2.0.3 contain an incorrect authorization vulnerability that allows non-administrator users to delete global dashboards. The application did not correctly enforce authorization checks for the global dashboard deletion workflow, enabling lower-privileged users to remove dashboards that affect other users or the overall monitoring UI. | |||||
| CVE-2023-7322 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 8.1 HIGH |
| Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions exposed via the API. This incorrect authorization check could allow authenticated but non-privileged users to read or modify resources beyond their intended rights. | |||||
| CVE-2021-3560 | 4 Canonical, Debian, Polkit Project and 1 more | 7 Ubuntu Linux, Debian Linux, Polkit and 4 more | 2025-11-06 | 7.2 HIGH | 7.8 HIGH |
| It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2022-0866 | 1 Redhat | 3 Jboss Enterprise Application Platform, Openstack Platform, Wildfly | 2025-11-06 | 4.3 MEDIUM | 5.3 MEDIUM |
| This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled. | |||||
| CVE-2025-9228 | 2025-11-05 | N/A | 4.3 MEDIUM | ||
| MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, allowing low-privilege users to create notes which are intended only for administrative users. | |||||