Total: 5857 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-5888 | 1 Jsnjfz | 1 Webstack-guns | 2025-12-03 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in jsnjfz WebStack-Guns 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-65669 | 1 Classroomio | 1 Classroomio | 2025-12-03 | N/A | 9.1 CRITICAL | An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction. |
| CVE-2025-9954 | 1 Acquia | 1 Dam | 2025-12-03 | N/A | 7.5 HIGH | Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing. This issue affects Acquia DAM: from 0.0.0 before 1.1.5. |
| CVE-2025-46175 | 1 Ruoyi | 1 Ruoyi | 2025-12-03 | N/A | 7.5 HIGH | Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java. |
| CVE-2025-46174 | 1 Ruoyi | 1 Ruoyi | 2025-12-03 | N/A | 7.5 HIGH | Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd method of SysUserController.java. |
| CVE-2025-41012 | 1 Tcman | 1 Gim | 2025-12-03 | N/A | 5.3 MEDIUM | Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'soapaction UnlockUser' in '/WS/PDAWebService.asmx'. |
| CVE-2025-12169 | 1 Elula | 1 Wsdesk | 2025-12-03 | N/A | 4.3 MEDIUM | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option. |
| CVE-2025-12085 | 1 Elula | 1 Wsdesk | 2025-12-03 | N/A | 4.3 MEDIUM | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash. |
| CVE-2025-12023 | 1 Elula | 1 Wsdesk | 2025-12-03 | N/A | 4.3 MEDIUM | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore tickets. |
| CVE-2025-12022 | 1 Elula | 1 Wsdesk | 2025-12-03 | N/A | 4.3 MEDIUM | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore all deleted tickets. |
| CVE-2025-13756 | | | 2025-12-03 | N/A | 4.3 MEDIUM | The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary calendars and manage them. |
| CVE-2025-13354 | | | 2025-12-03 | N/A | 4.3 MEDIUM | The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to merge or delete arbitrary taxonomy terms. |
| CVE-2025-13342 | | | 2025-12-03 | N/A | 9.8 CRITICAL | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email by submitting crafted form data to public frontend forms. |
| CVE-2025-12887 | | | 2025-12-03 | N/A | 5.4 MEDIUM | The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens in the 'handle_gmail_oauth_redirect' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject invalid or attacker-controlled OAuth credentials. |
| CVE-2025-13472 | | | 2025-12-03 | N/A | N/A | A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow only users with certain permissions to see the list of available resources such as credential IDs, bzm workspaces and bzm project IDs. Prior to this fix, anyone could see this list as a dropdown in the Jenkins UI. |
| CVE-2022-23709 | 1 Elastic | 1 Kibana | 2025-12-03 | 4.0 MEDIUM | 4.3 MEDIUM | A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules. |
| CVE-2025-10304 | | | 2025-12-03 | N/A | 5.3 MEDIUM | The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the backup progress files and cause a backup to fail while it is in progress. |
| CVE-2021-22147 | 1 Elastic | 1 Elasticsearch | 2025-12-03 | 4.0 MEDIUM | 6.5 MEDIUM | Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view. |
| CVE-2021-22149 | 1 Elastic | 1 Enterprise Search | 2025-12-03 | 6.5 MEDIUM | 8.8 HIGH | Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users. |
| CVE-2023-52177 | 1 Softlabbd | 1 Integrate Google Drive | 2025-12-02 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in SoftLab Integrate Google Drive. This issue affects Integrate Google Drive: from n/a through 1.3.3. |
