Total
2310 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2201 | 2025-03-17 | N/A | ||
| Broken access control vulnerability in the IcProgress Innovación y Cualificación plugin. This vulnerability allows an attacker to obtain sensitive information about other users such as public IP addresses, messages with other users and more. | ||||
| CVE-2025-2202 | 2025-03-17 | N/A | ||
| Broken access control vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email. | ||||
| CVE-2024-7265 | 2 Nask, Nask-pib | 2 Ezd Rp, Ezd Rp | 2025-03-17 | 8.8 High |
| Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to change the password of any user, including root user, which could lead to privilege escalation. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2. | ||||
| CVE-2024-27798 | 1 Apple | 1 Macos | 2025-03-14 | 7.8 High |
| An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.5. An attacker may be able to elevate privileges. | ||||
| CVE-2024-6512 | 1 Devolutions | 1 Devolutions Server | 2025-03-14 | 6.5 Medium |
| Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users with permissions to approve their own requests, bypassing intended security restrictions, via the PAM access request approval mechanism. | ||||
| CVE-2024-49209 | 1 Archerirm | 1 Archer | 2025-03-14 | 6.5 Medium |
| Archer Platform 2024.03 before version 2024.09 is affected by an API authorization bypass vulnerability related to supporting application files. A remote unprivileged attacker could potentially exploit this vulnerability to elevate their privileges and upload additional system icons. | ||||
| CVE-2024-49208 | 1 Archerirm | 1 Archer | 2025-03-14 | 5.9 Medium |
| Archer Platform 2024.03 before version 2024.08 is affected by an authorization bypass vulnerability related to supporting application files. A remote unprivileged attacker could potentially exploit this vulnerability to elevate their privileges and delete system icons. | ||||
| CVE-2024-40771 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-03-14 | 8.4 High |
| The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.5, iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.5, watchOS 10.5, tvOS 17.5, macOS Ventura 13.6.7, visionOS 1.2. An app may be able to execute arbitrary code with kernel privileges. | ||||
| CVE-2025-29997 | 2025-03-13 | N/A | ||
| This vulnerability exists in the CAP back office application due to improper authorization checks on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating API request URL to gain unauthorized access to other user accounts. | ||||
| CVE-2024-46918 | 1 Misp | 1 Misp | 2025-03-13 | 9.8 Critical |
| app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org. | ||||
| CVE-2023-52374 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-13 | 7.5 High |
| Permission control vulnerability in the package management module.Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2023-51405 | 1 Reputeinfosystems | 1 Bookingpress | 2025-03-12 | 5.3 Medium |
| Improper Authentication vulnerability in Repute Infosystems BookingPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BookingPress: from n/a through 1.0.74. | ||||
| CVE-2023-23506 | 1 Apple | 1 Macos | 2025-03-11 | 5.5 Medium |
| A permissions issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.2. An app may be able to access user-sensitive data. | ||||
| CVE-2023-50946 | 3 Ibm, Linux, Microsoft | 4 Aix, Common Licensing, Linux Kernel and 1 more | 2025-03-11 | 6.5 Medium |
| IBM Common Licensing 9.0 could allow an authenticated user to modify a configuration file that they should not have access to due to a broken authorization mechanism. | ||||
| CVE-2023-23510 | 1 Apple | 1 Macos | 2025-03-11 | 5.5 Medium |
| A permissions issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.2. An app may be able to access a user’s Safari history. | ||||
| CVE-2022-46704 | 1 Apple | 1 Macos | 2025-03-11 | 5.5 Medium |
| A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.1, macOS Big Sur 11.7.2, macOS Monterey 12.6.2. An app may be able to modify protected parts of the file system. | ||||
| CVE-2023-22482 | 2 Argoproj, Redhat | 2 Argo Cd, Openshift Gitops | 2025-03-11 | 9.1 Critical |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds. | ||||
| CVE-2023-22480 | 1 Fit2cloud | 1 Kubeoperator | 2025-03-10 | 7.3 High |
| KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4. | ||||
| CVE-2023-22500 | 1 Glpi-project | 1 Glpi | 2025-03-10 | 7.5 High |
| GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by unauthenticated users. This issue is patched in version 10.0.6. As a workaround, disable native inventory and delete inventory files from server (default location is `files/_inventory`). | ||||
| CVE-2023-23924 | 1 Dompdf Project | 1 Dompdf | 2025-03-10 | 10 Critical |
| Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available. | ||||