Total: 4252 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65239 | | | 2025-11-26 | 4.3 Medium |
| Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs. | ||||
| CVE-2025-65963 | | | 2025-11-26 | 5.4 Medium |
| Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2. | ||||
| CVE-2025-24314 | 1 Intel | 2 Cip Software, Computing Improvement Program | 2025-11-26 | 2 Low |
| Improper access control for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | ||||
| CVE-2025-31216 | 1 Apple | 3 Ios, Ipados, Iphone Os | 2025-11-26 | 2.4 Low |
| The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to override managed Wi-Fi profiles. | ||||
| CVE-2025-54563 | 1 Desktopalert | 1 Pingalert | 2025-11-26 | 7.5 High |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Incorrect Access Control, leading to Remote Information Disclosure. | ||||
| CVE-2025-64660 | 1 Microsoft | 1 Visual Studio Code | 2025-11-26 | 8 High |
| Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-47179 | 1 Microsoft | 4 Configuration Manager, Configuration Manager 2403, Configuration Manager 2409 and 1 more | 2025-11-25 | 6.7 Medium |
| Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-60705 | 1 Microsoft | 27 Windows, Windows 10, Windows 10 1607 and 24 more | 2025-11-25 | 7.8 High |
| Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59512 | 1 Microsoft | 24 Windows, Windows 10, Windows 10 1607 and 21 more | 2025-11-25 | 7.8 High |
| Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-64064 | | | 2025-11-25 | 8.8 High |
| Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside body of request and escalate privileges. | ||||
| CVE-2025-64066 | | | 2025-11-25 | 8.6 High |
| Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of application. This specific request can be used to also enumerate already registered user accounts, aiding in social engineering or further targeted attacks. | ||||
| CVE-2025-13443 | 1 Macrozheng | 1 Mall | 2025-11-25 | 5.4 Medium |
| A vulnerability was detected in macrozheng mall up to 1.0.3. Affected by this issue is the function delete of the file /member/readHistory/delete. Performing manipulation of the argument ids results in improper access controls. Remote exploitation of the attack is possible. The exploit is now public and may be used. | ||||
| CVE-2025-60799 | 2 Phppgadmin, Phppgadmin Project | 2 Phppgadmin, Phppgadmin | 2025-11-25 | 6.1 Medium |
| phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data. | ||||
| CVE-2025-48986 | 2 Revive, Revive-adserver | 2 Adserver, Revive Adserver | 2025-11-25 | N/A |
| Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows a logged-in attacker to change other users' email address and potentially take over their accounts using the forgot password functionality. | ||||
| CVE-2025-53092 | 1 Strapi | 1 Strapi | 2025-11-25 | 6.5 Medium |
| Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist. | ||||
| CVE-2025-6741 | 1 Devolutions | 1 Devolutions Server | 2025-11-25 | 7.7 High |
| Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature. This issue affects the following versions: Devolutions Server 2025.2.2.0 through 2025.2.4.0; Devolutions Server 2025.1.11.0 and earlier. | ||||
| CVE-2025-4433 | 1 Devolutions | 1 Devolutions Server | 2025-11-25 | 8.8 High |
| Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both "User Management" and "User Group Management" permissions to perform privilege escalation by adding users to groups with administrative privileges. | ||||
| CVE-2016-9905 | 3 Debian, Mozilla, Redhat | 7 Debian Linux, Firefox, Thunderbird and 4 more | 2025-11-25 | N/A |
| A potentially exploitable crash in "EnumerateSubDocuments" while adding or removing sub-documents. This vulnerability affects Firefox ESR < 45.6 and Thunderbird < 45.6. | ||||
| CVE-2025-5409 | 1 Mist | 1 Mist | 2025-11-25 | 7.3 High |
| A vulnerability was found in Mist Community Edition up to 4.7.1. It has been classified as critical. This affects the function create_token of the file src/mist/api/auth/views.py of the component API Token Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The identifier of the patch is db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component. | ||||
| CVE-2025-13574 | 1 Code-projects | 1 Online Bidding System | 2025-11-25 | 4.7 Medium |
| A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | ||||