| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Use of implicit intent for sensitive communication in Settings prior to SMR Mar-2025 Release 1 allows local attackers to access sensitive information. |
| <p>An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.</p>
<p>To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.</p>
<p>The security update corrects the way that Exchange handles these token validations.</p> |
| Missing access permissions checks
in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export
jobs using the M-Files API methods. |
| Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service |
| Desktop component service allows lateral movement between sessions in M-Files before 23.4.12455.0. |
| Omron’s CS and CJ series PLCs have an unrestricted externally accessible lock vulnerability. |
| Dell PowerScale OneFS versions 8.1.0-9.1.0 contain an Incorrect User Management vulnerability.under some specific conditions, this can allow the CompAdmin user to elevate privileges and break out of Compliance mode. This is a critical vulnerability and Dell recommends upgrading at the earliest. |
| Dell PowerScale OneFS Versions 8.2.2.x through 9.9.0.x contain an incorrect specified argument vulnerability. A remote low privileged legitimate user could potentially exploit this vulnerability, leading to information disclosure. |
| Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix. |
| AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information. |
| User Interface (UI) Misrepresentation of Critical Information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network |
| Improper access control in Azure SaaS Resources allows an authorized attacker to disclose information over a network. |
| Improper access control in Azure allows an unauthorized attacker to disclose information over a network. |
| Improper handling of additional special element in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to excessive use of a global variable. |
| Windows LockDown Policy (WLDP) Security Feature Bypass Vulnerability |
| BitLocker Security Feature Bypass Vulnerability |
| Windows MSHTML Platform Spoofing Vulnerability |
| Windows File Explorer Elevation of Privilege Vulnerability |
| DCOM Remote Cross-Session Activation Elevation of Privilege Vulnerability |
