Total
5236 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-40667 | 1 Tcman | 1 Gim | 2025-06-23 | N/A |
| Missing authorization vulnerability in TCMAN's GIM v11. This allows an authenticated attacker to access any functionality of the application even when they are not available through the user interface. To exploit the vulnerability the attacker must modify the HTTP code of the response from ‘302 Found’ to ‘200 OK’, as well as the hidden fields hdnReadOnly and hdnUserLogin. | ||||
| CVE-2025-46554 | 1 Xwiki | 1 Xwiki-platform | 2025-06-23 | 5.3 Medium |
| XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0. | ||||
| CVE-2025-46557 | 1 Xwiki | 1 Xwiki-platform | 2025-06-23 | N/A |
| XWiki is a generic wiki platform. In versions starting from 15.3-rc-1 to before 15.10.14, from 16.0.0-rc-1 to before 16.4.6, and from 16.5.0-rc-1 to before 16.10.0-rc-1, a user who can access pages located in the XWiki space (by default, anyone) can access the page XWiki.Authentication.Administration and (unless an authenticator is set in xwiki.cfg) switch to another installed authenticator. Note that, by default, there is only one authenticator available (Standard XWiki Authenticator). So, if no authenticator extension was installed, it's not really possible to do anything for an attacker. Also, in most cases, if an SSO authenticator is installed and utilized (like OIDC or LDAP for example), the worst an attacker can do is break authentication by switching back to the standard authenticator (that's because it's impossible to login to a user which does not have a stored password, and that's usually what SSO authenticator produce). This issue has been patched in versions 15.10.14, 16.4.6, and 16.10.0-rc-1. | ||||
| CVE-2025-29756 | 2025-06-23 | N/A | ||
| SunGrow's back end users system iSolarCloud https://isolarcloud.com uses an MQTT service to transport data from the user's connected devices to the user's web browser. The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to. While the data that is transmitted through the MQTT server is encrypted and the credentials for the MQTT server are obtained though an API call, the credentials could be used to subscribe to any topic and the encryption key can be used to decrypt all messages received. An attack with an account on iSolarCloud.com could extract MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus recieve all messages from all connected devices. | ||||
| CVE-2024-0236 | 1 Myeventon | 1 Eventon | 2025-06-20 | 5.3 Medium |
| The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set (for example for Zoom) | ||||
| CVE-2024-0235 | 1 Myeventon | 1 Eventon | 2025-06-20 | 5.3 Medium |
| The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog | ||||
| CVE-2023-48339 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-06-20 | 4.4 Medium |
| In jpg driver, there is a possible missing permission check. This could lead to local information disclosure with System execution privileges needed | ||||
| CVE-2023-6554 | 1 Tecnick | 1 Tcexam | 2025-06-20 | 6.5 Medium |
| When access to the "admin" folder is not protected by some external authorization mechanisms e.g. Apache Basic Auth, it is possible for any user to download protected information like exam answers. | ||||
| CVE-2023-5905 | 1 Demomentsomtres | 1 Export Posts With Images | 2025-06-20 | 8.1 High |
| The DeMomentSomTres WordPress Export Posts With Images WordPress plugin through 20220825 does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts. | ||||
| CVE-2023-40362 | 1 Centralsquare | 1 Click2gov Building Permit | 2025-06-20 | 4.3 Medium |
| An issue was discovered in CentralSquare Click2Gov Building Permit before October 2023. Lack of access control protections allows remote attackers to arbitrarily delete the contractors from any user's account when the user ID and contractor information is known. | ||||
| CVE-2023-34063 | 1 Vmware | 2 Aria Automation, Cloud Foundation | 2025-06-20 | 9.9 Critical |
| Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows. | ||||
| CVE-2025-5033 | 1 Teacms Project | 1 Teacms | 2025-06-20 | 4.3 Medium |
| A vulnerability classified as problematic was found in XiaoBingby TeaCMS 2.0.2. Affected by this vulnerability is an unknown functionality of the file src/main/java/me/teacms/controller/admin/UserManageController/addUser. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-48013 | 1 Quick Node Block Project | 1 Quick Node Block | 2025-06-20 | 5.3 Medium |
| Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0. | ||||
| CVE-2025-48444 | 1 Quick Node Block Project | 1 Quick Node Block | 2025-06-20 | 5.3 Medium |
| Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0. | ||||
| CVE-2025-49874 | 1 Tychesoftwares | 1 Arconix Faq | 2025-06-20 | 4.3 Medium |
| Missing Authorization vulnerability in tychesoftwares Arconix FAQ allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Arconix FAQ: from n/a through 1.9.6. | ||||
| CVE-2025-49872 | 2025-06-20 | 5.3 Medium | ||
| Missing Authorization vulnerability in WPExperts.io myCred allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects myCred: from n/a through 2.9.4.2. | ||||
| CVE-2025-49864 | 2025-06-20 | 5.3 Medium | ||
| Missing Authorization vulnerability in AFS Analytics AFS Analytics allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AFS Analytics: from n/a through 4.21. | ||||
| CVE-2023-42358 | 1 O-ran-sc | 1 Ric-plt-e2mgr | 2025-06-18 | 7.5 High |
| An issue was discovered in O-RAN Software Community ric-plt-e2mgr in the G-Release environment, allows remote attackers to cause a denial of service (DoS) via a crafted request to the E2Manager API component. | ||||
| CVE-2025-23999 | 2025-06-18 | 4.3 Medium | ||
| Missing Authorization vulnerability in Cloudways Breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through 2.2.13. | ||||
| CVE-2025-49857 | 2025-06-18 | 4.3 Medium | ||
| Missing Authorization vulnerability in WPExperts.io myCred allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects myCred: from n/a through 2.9.4.2. | ||||