Total
934 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55737 | 1 Dogukanurker | 1 Flaskblog | 2025-08-21 | 6.5 Medium |
| flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py. | ||||
| CVE-2025-55370 | 2025-08-21 | 8.8 High | ||
| Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value. | ||||
| CVE-2025-53208 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in paymayapg Maya Business allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Maya Business: from n/a through 1.2.0. | ||||
| CVE-2025-5261 | 2025-08-20 | 7.5 High | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Pik Online Yazılım Çözümleri A.Ş. Pik Online allows Exploitation of Trusted Identifiers.This issue affects Pik Online: before 3.1.5. | ||||
| CVE-2025-6765 | 1 Intelbras | 2 Incontrol, Incontrol Web | 2025-08-20 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in Intelbras InControl 2.21.60.9. This issue affects some unknown processing of the file /v1/operador/ of the component HTTP PUT Request Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-11216 | 2025-08-19 | 7.6 High | ||
| Authorization Bypass Through User-Controlled Key, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in PozitifIK Pik Online allows Account Footprinting, Session Hijacking.This issue affects Pik Online: before 3.1.5. | ||||
| CVE-2025-43732 | 1 Liferay | 2 Dxp, Portal | 2025-08-18 | N/A |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId. When an organization administrator modifies this parameter id value, they can gain unauthorized access to user lists from other organizations. | ||||
| CVE-2025-54691 | 2 Stylemix, Wordpress | 2 Motors, Wordpress | 2025-08-16 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through 1.4.80. | ||||
| CVE-2025-50340 | 1 Sogo | 1 Webmail | 2025-08-15 | 4.3 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system. NOTE: this is disputed by the Supplier because the only effective way to prevent this sender spoofing is on the SMTP server, not within a client such as SOGo. | ||||
| CVE-2025-36023 | 1 Ibm | 1 Cloud Pak For Business Automation | 2025-08-15 | 6.5 Medium |
| IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key. | ||||
| CVE-2025-8770 | 1 Gitlab | 1 Gitlab | 2025-08-15 | 6.5 Medium |
| An issue has been discovered in GitLab EE affecting all versions from 18.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that could have allowed authenticated users with specific access to bypass merge request approval policies by manipulating approval rule identifiers. | ||||
| CVE-2025-8794 | 1 Litmus Project | 1 Litmus | 2025-08-13 | 5.3 Medium |
| A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4796 | 2 Themewinter, Wordpress | 2 Eventin, Wordpress | 2025-08-13 | 8.8 High |
| The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | ||||
| CVE-2025-3089 | 1 Servicenow | 1 Servicenow | 2025-08-13 | N/A |
| ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically reserved for higher privileged users, potentially leading to unauthorized data modifications. This issue is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners. | ||||
| CVE-2025-8789 | 1 Portabilis | 1 I-educar | 2025-08-13 | 4.3 Medium |
| A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been classified as problematic. This affects an unknown part of the file /module/Api/Diario of the component API Endpoint. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8755 | 1 Macrozheng | 1 Mall | 2025-08-12 | 5.3 Medium |
| A vulnerability was found in macrozheng mall up to 1.0.3 and classified as problematic. This issue affects the function detail of the file UmsMemberController.java of the component com.macro.mall.portal.controller. The manipulation of the argument orderId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-51533 | 1 Sage | 1 Dpw | 2025-08-12 | 5.3 Medium |
| An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_004 and below allows unauthorized attackers to access internal forms via sending a crafted GET request. | ||||
| CVE-2025-5195 | 1 Gitlab | 1 Gitlab | 2025-08-08 | 4.3 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. It was possible for authenticated users to access arbitrary compliance frameworks, leading to unauthorized data disclosure. | ||||
| CVE-2025-46387 | 2025-08-06 | 8.8 High | ||
| CWE-639 Authorization Bypass Through User-Controlled Key | ||||
| CVE-2025-46386 | 2025-08-06 | 8.8 High | ||
| CWE-639 Authorization Bypass Through User-Controlled Key | ||||