Total
5473 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23714 | 2 Elastic, Microsoft | 2 Endpoint Security, Windows | 2025-12-03 | 7.2 HIGH | 7.8 HIGH |
| A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | |||||
| CVE-2022-23709 | 1 Elastic | 1 Kibana | 2025-12-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules. | |||||
| CVE-2022-23708 | 1 Elastic | 1 Elasticsearch | 2025-12-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index. | |||||
| CVE-2016-10364 | 1 Elastic | 1 Kibana | 2025-12-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions. | |||||
| CVE-2025-58302 | 1 Huawei | 2 Emui, Harmonyos | 2025-12-02 | N/A | 8.4 HIGH |
| Permission control vulnerability in the Settings module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2025-64315 | 1 Huawei | 1 Harmonyos | 2025-12-02 | N/A | 4.4 MEDIUM |
| Configuration defect vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect app data confidentiality and integrity. | |||||
| CVE-2025-58315 | 1 Huawei | 1 Harmonyos | 2025-12-02 | N/A | 5.5 MEDIUM |
| Permission control vulnerability in the Wi-Fi module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2025-58312 | 1 Huawei | 1 Harmonyos | 2025-12-02 | N/A | 5.1 MEDIUM |
| Permission control vulnerability in the App Lock module. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2025-58309 | 1 Huawei | 1 Harmonyos | 2025-12-02 | N/A | 6.8 MEDIUM |
| Permission control vulnerability in the startup recovery module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | |||||
| CVE-2025-58294 | 1 Huawei | 1 Harmonyos | 2025-12-02 | N/A | 6.2 MEDIUM |
| Permission control vulnerability in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2015-0801 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-11-25 | 7.5 HIGH | N/A |
| Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818. | |||||
| CVE-2013-5598 | 1 Mozilla | 1 Firefox | 2025-11-25 | 8.3 HIGH | N/A |
| PDF.js in Mozilla Firefox before 25.0 and Firefox ESR 24.x before 24.1 does not properly handle the appending of an IFRAME element, which allows remote attackers to read arbitrary files or execute arbitrary JavaScript code with chrome privileges by using this element within an embedded PDF object. | |||||
| CVE-2015-0816 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-25 | 5.0 MEDIUM | N/A |
| Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js. | |||||
| CVE-2014-5415 | 1 Beckhoff | 2 Embedded Pc Images, Twincat | 2025-11-05 | 9.4 HIGH | 9.1 CRITICAL |
| Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components might allow remote attackers to obtain access via the (1) Windows CE Remote Configuration Tool, (2) CE Remote Display service, or (3) TELNET service. | |||||
| CVE-2014-5412 | 2 Aveva, Schneider-electric | 2 Clearscada, Scada Expert Clearscada | 2025-11-04 | 6.4 MEDIUM | N/A |
| Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account. | |||||
| CVE-2015-1318 | 1 Apport Project | 1 Apport | 2025-11-03 | 7.2 HIGH | N/A |
| The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container). | |||||
| CVE-2014-2349 | 1 Emerson | 1 Deltav | 2025-10-31 | 6.2 MEDIUM | N/A |
| Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program. | |||||
| CVE-2013-0422 | 3 Canonical, Opensuse, Oracle | 4 Ubuntu Linux, Opensuse, Jdk and 1 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue. | |||||
| CVE-2016-3643 | 1 Solarwinds | 1 Virtualization Manager | 2025-10-22 | 7.2 HIGH | 7.8 HIGH |
| SolarWinds Virtualization Manager 6.3.1 and earlier allow local users to gain privileges by leveraging a misconfiguration of sudo, as demonstrated by "sudo cat /etc/passwd." | |||||
| CVE-2015-1769 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8 and 6 more | 2025-10-22 | 7.2 HIGH | 6.6 MEDIUM |
| Mount Manager in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 mishandles symlinks, which allows physically proximate attackers to execute arbitrary code by connecting a crafted USB device, aka "Mount Manager Elevation of Privilege Vulnerability." | |||||