Filtered by CWE-639
Total 1125 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-65021 2025-11-19 9.1 Critical
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users’ polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.
CVE-2025-65020 2025-11-19 6.5 Medium
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets unauthorized users clone private or administrative polls. This issue has been patched in version 4.5.4.
CVE-2025-65031 2025-11-19 6.5 Medium
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4.
CVE-2025-12524 1 Wordpress 1 Wordpress 2025-11-18 5.4 Medium
The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.
CVE-2025-58627 1 Wordpress 1 Wordpress 2025-11-17 9.8 Critical
Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Miraculous Core Plugin: from n/a through < 2.0.9.
CVE-2025-8855 1 Optimus Software 1 Brokerage Automation 2025-11-15 8.1 High
Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information. This issue affects Brokerage Automation: before 1.1.71.
CVE-2025-31357 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
An unauthenticated attacker can obtain a user's plant list by knowing the username.
CVE-2025-31933 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
An unauthenticated attacker can check the existence of usernames in the system by querying an API.
CVE-2025-31941 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.
CVE-2025-31949 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
An authenticated attacker can obtain any plant name by knowing the plant ID.
CVE-2025-24315 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).
CVE-2025-24850 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
An attacker can export other users' plant information.
CVE-2025-25276 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
An unauthenticated attacker can hijack other users' devices and potentially control them.
CVE-2025-26857 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).
CVE-2025-27561 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
Unauthenticated attackers can rename "rooms" of arbitrary users.
CVE-2025-27565 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs.
CVE-2025-27575 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.
CVE-2025-27719 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
Unauthenticated attackers can query an API endpoint and get device details.
CVE-2025-27927 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username through an unprotected API.
CVE-2025-27929 1 Growatt 1 Cloud Portal 2025-11-14 5.3 Medium
Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts.