Total
1091 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31950 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain EV charger energy consumption information of other users. | |||||
| CVE-2025-31945 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain other users' charger information. | |||||
| CVE-2025-31654 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). | |||||
| CVE-2025-31360 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 6.5 MEDIUM |
| Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | |||||
| CVE-2025-27568 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. | |||||
| CVE-2025-24487 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can infer the existence of usernames in the system by querying an API. | |||||
| CVE-2023-38965 | 1 Oretnom23 | 1 Lost And Found Information System | 2025-11-11 | N/A | 9.8 CRITICAL |
| Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI. | |||||
| CVE-2025-11690 | 2025-11-10 | N/A | 8.5 HIGH | ||
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users’ vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. The fix for this vulnerability is a server-side authorization fix. | |||||
| CVE-2025-62242 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-07 | N/A | 4.3 MEDIUM |
| Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter. | |||||
| CVE-2025-63248 | 2025-11-06 | N/A | 7.5 HIGH | ||
| DWSurvey 6.14.0 is vulnerable to Incorrect Access Control. When deleting a questionnaire, replacing the questionnaire ID with the ID of another questionnaire can enable the deletion of other questionnaires. | |||||
| CVE-2025-7938 | 1 Jerryshensjf | 1 Jpacookieshop | 2025-11-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0 and classified as critical. This issue affects the function updateGoods of the file GoodsController.java. The manipulation leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-34140 | 2025-11-04 | N/A | N/A | ||
| An authorization bypass vulnerability exists in ETQ Reliance (legacy CG and NXG SaaS platforms). By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited sensitive resources. The root cause was a misconfiguration in API authorization logic, which has since been corrected in SE.2025.1 and 2025.1.2. | |||||
| CVE-2023-49112 | 2025-11-04 | N/A | 6.5 MEDIUM | ||
| Kiuwan provides an API endpoint /saas/rest/v1/info/application to get information about any application, providing only its name via the "application" parameter. This endpoint lacks proper access control mechanisms, allowing other authenticated users to read information about applications, even though they have not been granted the necessary rights to do so. This issue affects Kiuwan SAST: <master.1808.p685.q13371 | |||||
| CVE-2025-12623 | 2025-11-04 | 2.1 LOW | 3.1 LOW | ||
| A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/com/fuint/module/clientApi/controller/ClientSignController.java of the component Authentication Token Handler. Such manipulation leads to authorization bypass. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitation is known to be difficult. The exploit is publicly available and might be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | |||||
| CVE-2025-0987 | 2025-11-04 | N/A | 9.9 CRITICAL | ||
| Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection.This issue affects CVLand: from 2.1.0 through 20251103. | |||||
| CVE-2025-5949 | 2025-11-04 | N/A | 8.8 HIGH | ||
| The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to processing a password change request. This makes it possible for authenticated attackers with subscriber access or higher to reset other users' passwords, including those of admins. | |||||
| CVE-2025-6574 | 2025-11-04 | N/A | 8.8 HIGH | ||
| The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2024-45614 | 1 Puma | 1 Puma | 2025-11-03 | N/A | 5.4 MEDIUM |
| Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions. | |||||
| CVE-2023-46446 | 1 Asyncssh Project | 1 Asyncssh | 2025-11-03 | N/A | 6.8 MEDIUM |
| An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." | |||||
| CVE-2023-49298 | 2 Freebsd, Openzfs | 2 Freebsd, Openzfs | 2025-11-03 | N/A | 7.5 HIGH |
| OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions. | |||||