Total: 5353 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2022-36912 | 1 Jenkins | 1 Openstack Heat | 2025-05-05 | 4.3 Medium | A missing permission check in Jenkins Openstack Heat Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
CVE-2022-3320 | 1 Cloudflare | 1 Warp | 2025-05-05 | 6.7 Medium | It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using the warp-cli 'set-custom-endpoint' subcommand. Using this command with an unreachable endpoint caused the WARP Client to disconnect and allowed bypassing administrative restrictions on a Zero Trust enrolled endpoint.
CVE-2024-26705 | 1 Linux | 1 Linux Kernel | 2025-05-04 | 5.5 Medium | In the Linux kernel, the following vulnerability has been resolved: parisc: BTLB: Fix crash when setting up BTLB at CPU bringup. When using hotplug and bringing up a 32-bit CPU, ask the firmware about the BTLB information to set up the static (block) TLB entries. For that, write access to the static btlb_info struct is needed, but since it is marked __ro_after_init the kernel segfaults with missing write permissions. Fix the crash by dropping the __ro_after_init annotation.
CVE-2023-52642 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2025-05-04 | 7.8 High | In the Linux kernel, the following vulnerability has been resolved: media: rc: bpf attach/detach requires write permission. Note that bpf attach/detach also requires CAP_NET_ADMIN.
CVE-2024-57682 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 6.5 Medium | An information disclosure vulnerability in the component d_status.asp of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to access sensitive information via a crafted POST request.
CVE-2025-3953 | | | 2025-05-02 | 6.5 Medium | The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings.
CVE-2023-33265 | 1 Hazelcast | 2 Hazelcast, Imdg | 2025-05-02 | 8.8 High | In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted.
CVE-2022-3451 | 1 Addify | 1 Product Stock Manager | 2025-05-01 | 4.3 Medium | The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow updating arbitrary options.
CVE-2023-21244 | 1 Google | 1 Android | 2025-05-01 | 6.7 Medium | In visitUris of Notification.java, there is a possible bypass of user profile boundaries due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2025-05-01 | 5.3 Medium | The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request.
CVE-2022-20446 | 1 Google | 1 Android | 2025-05-01 | 3.3 Low | In AlwaysOnHotwordDetector of AlwaysOnHotwordDetector.java, there is a possible way to access the microphone from the background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11. Android ID: A-229793943.
CVE-2022-20451 | 1 Google | 1 Android | 2025-05-01 | 7.8 High | In onCallRedirectionComplete of CallsManager.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-235098883.
CVE-2022-20450 | 1 Google | 1 Android | 2025-05-01 | 7.8 High | In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way to bypass user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-210065877.
CVE-2024-43431 | 1 Moodle | 1 Moodle | 2025-05-01 | 7.5 High | A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.
CVE-2023-48676 | 2 Acronis, Microsoft | 2 Agent, Windows | 2025-05-01 | 7.1 High | Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 36943.
CVE-2022-44549 | 1 Huawei | 2 Emui, Harmonyos | 2025-05-01 | 7.5 High | The LBS module has a vulnerability in geofencing API access. Successful exploitation of this vulnerability may cause third-party apps to access the geofencing APIs without authorization, affecting user confidentiality.
CVE-2022-38651 | 1 Vmware | 1 Hyperic Server | 2025-05-01 | 9.8 Critical | A security filter misconfiguration exists in VMware Hyperic Server 5.8.6. Exploitation of this vulnerability enables a malicious party to bypass some authentication requirements when issuing requests to Hyperic Server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2022-2450 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2025-04-30 | 4.3 Medium | The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers, to call them.
CVE-2022-45390 | 1 Jenkins | 1 Loader.io | 2025-04-30 | 4.3 Medium | A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credential IDs of credentials stored in Jenkins.
CVE-2022-45389 | 1 Jenkins | 1 Xp-dev | 2025-04-30 | 5.3 Medium | A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.