Filtered by CWE-284
Total 3903 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-20261 1 Cisco 1 Catalyst Sd-wan Manager 2025-06-12 6.5 Medium
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to retrieve arbitrary files from an affected system. This vulnerability is due to improper validation of parameters that are sent to the web UI. An attacker could exploit this vulnerability by logging in to Cisco Catalyst SD-WAN Manager and issuing crafted requests using the web UI. A successful exploit could allow the attacker to obtain arbitrary files from the underlying Linux file system of an affected system. To exploit this vulnerability, the attacker must be an authenticated user.
CVE-2025-47884 1 Jenkins 1 Openid Connect Provider 2025-06-12 9.1 Critical
In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services.
CVE-2023-21901 1 Oracle 1 Financial Services Analytical Applications Infrastructure 2025-06-11 7.4 High
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1 and 8.1.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. While the vulnerability is in Oracle Financial Services Analytical Applications Infrastructure, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Financial Services Analytical Applications Infrastructure. CVSS 3.1 Base Score 7.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).
CVE-2024-25830 1 F-logic 2 Datacube3, Datacube3 Firmware 2025-06-10 9.8 Critical
F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the root and admin password.
CVE-2024-28390 1 Advancedplugins 1 Image Toolbox 2025-06-10 9.8 Critical
An issue in Advanced Plugins ultimateimagetool module for PrestaShop before v.2.2.01, allows a remote attacker to escalate privileges and obtain sensitive information via Improper Access Control.
CVE-2025-5299 1 Lerouxyxchire 1 Client Database Management System 2025-06-10 7.3 High
A vulnerability was found in SourceCodester Client Database Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /user_order_customer_update.php. The manipulation of the argument uploaded_file_cancelled leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-5840 1 Lerouxyxchire 1 Client Database Management System 2025-06-10 7.3 High
A vulnerability, which was classified as critical, was found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_update_customer_order.php. The manipulation of the argument uploaded_file leads to unrestricted upload. It is possible to initiate the attack remotely.
CVE-2025-5649 1 Razormist 1 Student Result Management System 2025-06-10 5.3 Medium
A vulnerability classified as critical has been found in SourceCodester Student Result Management System 1.0. This affects an unknown part of the file /admin/core/new_user of the component Register Interface. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-5728 1 Nikhil-bhalerao 1 Open Source Clinic Management System 2025-06-10 6.3 Medium
A vulnerability classified as critical was found in SourceCodester Open Source Clinic Management System 1.0. This vulnerability affects unknown code of the file /manage_website.php. The manipulation of the argument website_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-48239 1 Nextcloud 1 Nextcloud Server 2025-06-10 8.5 High
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server, a malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud Server 25.0.13, 26.0.8, and 27.1.3 and Nextcloud Enterprise Server 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 contain a patch for this issue. As a workaround, disable app files_external. This workaround also makes the external storage inaccessible but retains the configurations until a patched version has been deployed.
CVE-2025-48734 2 Apache, Redhat 8 Commons Beanutils, Amq Streams, Apache Camel Spring Boot and 5 more 2025-06-09 8.8 High
Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
CVE-2024-25251 1 Carmelo 1 Agro-school Management System 2025-06-09 8.8 High
code-projects Agro-School Management System 1.0 suffers from Incorrect Access Control.
CVE-2025-5873 2025-06-09 6.3 Medium
A vulnerability was found in eCharge Hardy Barth Salia PLCC 2.2.0. It has been declared as critical. This vulnerability affects unknown code of the file /firmware.php of the component Web UI. The manipulation of the argument media leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-0212 1 Cloudflare 1 Cloudflare 2025-06-06 8.1 High
The Cloudflare WordPress plugin was found to be vulnerable to improper authentication. The vulnerability enables attackers with a lower privileged account to access data from the Cloudflare API.
CVE-2023-44289 1 Dell 1 Command|configure 2025-06-05 7.3 High
Dell Command | Configure versions prior to 4.11.0 contain an improper access control vulnerability. A local malicious standard user could potentially exploit this vulnerability while repairing/changing installation, leading to privilege escalation.
CVE-2025-48999 1 Dataease 1 Dataease 2025-06-05 8.8 High
DataEase is an open source business intelligence and data visualization tool. A bypass of CVE-2025-46566's patch exists in versions prior to 2.10.10. In a malicious payload, `getUrlType()` retrieves `hostName`. Since the judgment statement returns false, it will not enter the if statement and will not be filtered. The payload can be directly concatenated at the replace location to construct a malicious JDBC statement. Version 2.10.10 contains a patch for the issue.
CVE-2020-16241 1 Philips 2 Suresigns Vs4, Suresigns Vs4 Firmware 2025-06-04 6.3 Medium
Philips SureSigns VS4, A.07.107 and prior does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2024-27187 1 Joomla 1 Joomla! 2025-06-04 7.5 High
Improper Access Controls allows backend users to overwrite their username when disallowed.
CVE-2024-40749 1 Joomla 1 Joomla! 2025-06-04 7.5 High
Improper Access Controls allows access to protected views.
CVE-2025-4431 1 Krasenslavov 1 Featured Image Plus 2025-06-04 4.3 Medium
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post.