Total
2456 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4101 | 1 Multivendorx | 1 Multivendorx | 2025-05-28 | 4.3 Medium |
| The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22. | ||||
| CVE-2023-50777 | 1 Jenkins | 1 Paaslane Estimate | 2025-05-22 | 4.3 Medium |
| Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2023-47320 | 1 Silverpeas | 1 Silverpeas | 2025-05-22 | 8.1 High |
| Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users. This affects Silverpeas Core 6.3.1 and below. | ||||
| CVE-2019-10964 | 1 Medtronic | 38 Minimed 508, Minimed 508 Firmware, Minimed Paradigm 511 and 35 more | 2025-05-22 | 7.1 High |
| Medtronic MiniMed Insulin Pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery. | ||||
| CVE-2022-3024 | 1 Simple Bitcoin Faucets Project | 1 Simple Bitcoin Faucets | 2025-05-22 | 5.4 Medium |
| The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues | ||||
| CVE-2025-1415 | 2025-05-21 | N/A | ||
| A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices like their UUIDs needed for exploitation of CVE-2025-1416. In order to perform the attack, one has to know a task_id, but since it's a low integer and there is no limit of requests an attacker can perform to a vulnerable endpoint, the task_id might be simply brute forced. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). | ||||
| CVE-2025-1416 | 2025-05-21 | N/A | ||
| In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targetted devices, which might be obtained by exploiting CVE-2025-1415 or CVE-2025-1417. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). | ||||
| CVE-2025-1418 | 2025-05-21 | N/A | ||
| A low-privileged user can access information about profiles created in Proget MDM (Mobile Device Management), which contain details about allowed/prohibited functions. The profiles do not reveal any sensitive information (including their usage in connected devices). This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). | ||||
| CVE-2025-1417 | 2025-05-21 | N/A | ||
| In Proget MDM, a low-privileged user can access information about changes contained in backups of all devices managed by the MDM (Mobile Device Management). This information include user ids, email addresses, first names, last names and device UUIDs. The last one can be used for exploitation of CVE-2025-1416. Successful exploitation requires UUID of a targeted backup, which cannot be brute forced. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). | ||||
| CVE-2024-21120 | 1 Oracle | 1 Outside In Technology | 2025-05-21 | 5.3 Medium |
| Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Core). Supported versions that are affected are 8.5.6 and 8.5.7. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Outside In Technology executes to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data as well as unauthorized read access to a subset of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). | ||||
| CVE-2022-3048 | 2 Fedoraproject, Google | 3 Fedora, Chrome, Chrome Os | 2025-05-21 | 6.8 Medium |
| Inappropriate implementation in Chrome OS lockscreen in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a local attacker to bypass lockscreen navigation restrictions via physical access to the device. | ||||
| CVE-2022-40816 | 1 Zammad | 1 Zammad | 2025-05-21 | 6.5 Medium |
| Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be able to fetch personal data of other users by querying the Zammad API. This issue is fixed in , 5.2.2. | ||||
| CVE-2022-39031 | 1 Lcnet | 1 Smart Evision | 2025-05-21 | 5.3 Medium |
| Smart eVision has insufficient authorization for task acquisition function. An unauthorized remote attacker can exploit this vulnerability to acquire the Session IDs of other general users only. | ||||
| CVE-2022-39029 | 1 Lcnet | 1 Smart Evision | 2025-05-21 | 6.5 Medium |
| Smart eVision has inadequate authorization for the database query function. A remote attacker with general user privilege, who is not explicitly authorized to access the information, can access sensitive information. | ||||
| CVE-2022-39030 | 1 Lcnet | 1 Smart Evision | 2025-05-21 | 7.5 High |
| smart eVision has inadequate authorization for system information query function. An unauthenticated remote attacker, who is not explicitly authorized to access the information, can access sensitive information. | ||||
| CVE-2024-5071 | 1 Wpbookster | 1 Bookster | 2025-05-19 | 6.5 Medium |
| The Bookster WordPress plugin through 1.1.0 allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to approved. | ||||
| CVE-2025-43565 | 1 Adobe | 1 Coldfusion | 2025-05-19 | 8.4 High |
| ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed. | ||||
| CVE-2025-43561 | 1 Adobe | 1 Coldfusion | 2025-05-19 | 9.1 Critical |
| ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass authentication mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed. | ||||
| CVE-2025-46834 | 2025-05-19 | N/A | ||
| Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue. | ||||
| CVE-2024-22208 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-05-15 | 6.5 Medium |
| phpMyFAQ is an Open Source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. The phpMyFAQ application has a functionality where anyone can share a FAQ item to others. The front-end of this functionality allows any phpMyFAQ articles to be shared with 5 email addresses. Any unauthenticated actor can perform this action. There is a CAPTCHA in place, however the amount of people you email with a single request is not limited to 5 by the backend. An attacker can thus solve a single CAPTCHA and send thousands of emails at once. An attacker can utilize the target application's email server to send phishing messages. This can get the server on a blacklist, causing all emails to end up in spam. It can also lead to reputation damages. This issue has been patched in version 3.2.5. | ||||