Total
2480 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-25594 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-02-27 | N/A | 6.3 MEDIUM |
| A vulnerability in the web-based management interface of ClearPass Policy Manager allows an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of this vulnerability allows an attacker to complete state-changing actions in the web-based management interface that should not be allowed by their current level of authorization on the platform. | |||||
| CVE-2023-5352 | 1 Getawesomesupport | 1 Awesome Support | 2025-02-26 | N/A | 4.3 MEDIUM |
| The Awesome Support WordPress plugin before 6.1.5 does not correctly authorize the wpas_edit_reply function, allowing users to edit posts for which they do not have permission. | |||||
| CVE-2023-21034 | 1 Google | 1 Android | 2025-02-26 | N/A | 7.8 HIGH |
| In multiple functions of SensorService.cpp, there is a possible access of accurate sensor data due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-230358834 | |||||
| CVE-2023-0940 | 1 Metagauss | 1 Profilegrid | 2025-02-26 | N/A | 8.8 HIGH |
| The ProfileGrid WordPress plugin before 5.3.1 provides an AJAX endpoint for resetting a user password but does not implement proper authorization. This allows a user with low privileges, such as subscriber, to change the password of any account, including Administrator ones. | |||||
| CVE-2024-22133 | 1 Sap | 1 Fiori Front End Server | 2025-02-26 | N/A | 4.6 MEDIUM |
| SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. This could lead to creation of request with incorrect approver causing low impact on Confidentiality and Integrity with no impact on Availability of the application. | |||||
| CVE-2023-28611 | 1 Omicronenergy | 2 Stationguard, Stationscout | 2025-02-25 | N/A | 9.8 CRITICAL |
| Incorrect authorization in OMICRON StationGuard 1.10 through 2.20 and StationScout 1.30 through 2.20 allows an attacker to bypass intended access restrictions. | |||||
| CVE-2023-1603 | 1 Devolutions | 1 Devolutions Server | 2025-02-25 | N/A | 6.5 MEDIUM |
| Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision. | |||||
| CVE-2023-20975 | 1 Google | 1 Android | 2025-02-25 | N/A | 7.8 HIGH |
| In getAvailabilityStatus of EnableContentCapturePreferenceController.java, there is a possible way to bypass DISALLOW_CONTENT_CAPTURE due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-250573776 | |||||
| CVE-2023-20971 | 1 Google | 1 Android | 2025-02-25 | N/A | 7.8 HIGH |
| In removePermission of PermissionManagerServiceImpl.java, there is a possible way to obtain dangerous permissions without user consent due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21035 | 1 Google | 1 Android | 2025-02-25 | N/A | 7.8 HIGH |
| In multiple functions of BackupHelper.java, there is a possible way for an app to get permissions previously granted to another app with the same package name due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-184847040 | |||||
| CVE-2023-1202 | 1 Devolutions | 1 Remote Desktop Manager | 2025-02-20 | N/A | 6.5 MEDIUM |
| Permission bypass when importing or synchronizing entries in User vault in Devolutions Remote Desktop Manager 2023.1.9 and prior versions allows users with restricted rights to bypass entry permission via id collision. | |||||
| CVE-2024-5705 | 2025-02-19 | N/A | 8.8 HIGH | ||
| The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes. When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service. | |||||
| CVE-2024-39328 | 2025-02-18 | N/A | 6.8 MEDIUM | ||
| Insecure Permissions in Atos Eviden IDRA and IDCA before 2.7.0. A highly trusted role (Config Admin) could exceed their configuration privileges in a multi-partition environment and access some confidential data. Data integrity and availability is not at risk. | |||||
| CVE-2025-24872 | 2025-02-18 | N/A | 4.3 MEDIUM | ||
| The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This has a limited impact on the confidentiality of the application with no effect on the integrity and availability of the application. | |||||
| CVE-2025-24869 | 2025-02-18 | N/A | 4.3 MEDIUM | ||
| SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need it. These XML files are not entirely SAP-internal as they are deployed with the server. In such a scenario, sensitive information could be exposed without compromising its integrity or availability. | |||||
| CVE-2023-23594 | 1 Sato-global | 2 Cl4nx Plus, Cl4nx Plus Firmware | 2025-02-18 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability in the web client interface for the CL4NX printer before firmware version 1.13.3-u724_r2 provides remote unauthenticated attackers with access to execute commands intended only for valid/authenticated users, such as file uploads and configuration changes. | |||||
| CVE-2023-26829 | 1 Gladinet | 1 Centrestack | 2025-02-18 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability in the Password Reset component of Gladinet CentreStack before 13.5.9808 allows remote attackers to set a new password for any valid user account, without needing the previous known password, resulting in a full authentication bypass. | |||||
| CVE-2023-6152 | 1 Grafana | 1 Grafana | 2025-02-15 | N/A | 5.4 MEDIUM |
| A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up. | |||||
| CVE-2024-28098 | 1 Apache | 1 Pulsar | 2025-02-13 | N/A | 6.4 MEDIUM |
| The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade to at least 2.11.4. 3.0 Apache Pulsar users should upgrade to at least 3.0.3. 3.1 Apache Pulsar users should upgrade to at least 3.1.3. 3.2 Apache Pulsar users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. | |||||
| CVE-2024-26016 | 1 Apache | 1 Superset | 2025-02-13 | N/A | 4.3 MEDIUM |
| A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue. | |||||