Total
1084 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-41092 | 2 Boldworkplanner, Gps | 2 Bold Workplanner, Bold Workplanner | 2025-10-08 | 4.3 Medium |
| Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to time records details using unauthorised internal identifiers. | ||||
| CVE-2025-7900 | 1 Typo3 | 1 Typo3 | 2025-10-07 | 6.5 Medium |
| The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0 | ||||
| CVE-2025-11321 | 1 Zhuimengshaonian | 1 Wisdom-education | 2025-10-06 | 4.3 Medium |
| A vulnerability was detected in zhuimengshaonian wisdom-education up to 1.0.4. The affected element is an unknown function of the file src/main/java/com/education/api/controller/student/WrongBookController.java. Performing manipulation of the argument subjectId results in authorization bypass. The attack can be initiated remotely. The exploit is now public and may be used. | ||||
| CVE-2025-0606 | 1 Logo Software | 1 Logo Cloud | 2025-10-06 | 6 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Logo Software Inc. Logo Cloud allows Forceful Browsing, Resource Leak Exposure.This issue affects Logo Cloud: before 0.67. | ||||
| CVE-2025-0642 | 1 Poscube | 1 Assist | 2025-10-03 | 6.3 Medium |
| Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass.This issue affects Assist: through 10.02.2025. | ||||
| CVE-2025-43827 | 1 Liferay | 2 Dxp, Portal | 2025-10-02 | N/A |
| Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter. | ||||
| CVE-2025-55621 | 1 Reolink | 1 Reolink | 2025-10-02 | 6.5 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior; the photos are part of a social platform on which users expect to find one another. | ||||
| CVE-2025-51533 | 2 Sage, Sagedpw | 2 Dpw, Sage Dpw | 2025-10-01 | 5.3 Medium |
| An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_004 and below allows unauthorized attackers to access internal forms via sending a crafted GET request. | ||||
| CVE-2024-52507 | 1 Nextcloud | 1 Tables | 2025-10-01 | 3.5 Low |
| Nextcloud Tables allows users to to create tables with individual columns. The information which Table (numeric ID) is shared with which groups and users and the respective permissions was not limited to affected users. It is recommended that the Nextcloud Tables app is upgraded to 0.8.1. | ||||
| CVE-2024-52511 | 1 Nextcloud | 1 Tables | 2025-10-01 | 6.3 Medium |
| Nextcloud Tables allows users to to create tables with individual columns. By directly specifying the ID of a table or view, a malicious user could blindly insert new rows into tables they have no access to. It is recommended that the Nextcloud Tables is upgraded to 0.8.0. | ||||
| CVE-2024-32045 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-30 | 5.9 Medium |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of. | ||||
| CVE-2025-8532 | 1 Bimser | 1 Eba Document And Workflow Management System | 2025-09-30 | 6.4 Medium |
| Authorization Bypass Through User-Controlled Key, Improper Authorization vulnerability in Bimser Solution Software Trade Inc. EBA Document and Workflow Management System allows Forceful Browsing.This issue affects eBA Document and Workflow Management System: from 6.7.164 before 6.7.166. | ||||
| CVE-2025-8463 | 2025-09-30 | 5.3 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Forceful Browsing.This issue affects SecHard: before 3.6.2-20250805. | ||||
| CVE-2024-33542 | 1 Crelly Slider Project | 1 Crelly Slider | 2025-09-29 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Fabio Rinaldi Crelly Slider.This issue affects Crelly Slider: from n/a through 1.4.5. | ||||
| CVE-2025-10947 | 2025-09-26 | 5.3 Medium | ||
| A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing manipulation of the argument pes_cpf can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 2025.8.0 is sufficient to resolve this issue. It is advisable to upgrade the affected component. | ||||
| CVE-2025-8789 | 1 Portabilis | 1 I-educar | 2025-09-25 | 4.3 Medium |
| A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been classified as problematic. This affects an unknown part of the file /module/Api/Diario of the component API Endpoint. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-9081 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-25 | 3.1 Low |
| Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration | ||||
| CVE-2024-10439 | 2 Sun.net, Sunnet | 2 Ehrd Ctms, Ehrd Ctms | 2025-09-25 | 5.3 Medium |
| The eHRD CTMS from Sunnet has an Insecure Direct Object Reference (IDOR) vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to access arbitrary files uploaded by any user. | ||||
| CVE-2025-43810 | 1 Liferay | 2 Dxp, Portal | 2025-09-24 | N/A |
| Insecure Direct Object Reference (IDOR) vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to add a note to an order in a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. | ||||
| CVE-2025-9342 | 2025-09-24 | 6.5 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Anadolu Hayat Emeklilik Inc. AHE Mobile allows Privilege Abuse.This issue affects AHE Mobile: from 1.9.7 before 1.9.9. | ||||