Total
2367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5714 | 1 Lunary | 1 Lunary | 2025-10-15 | N/A | 6.8 MEDIUM |
| In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with escalated privileges, and change members from other organizations to their own or other projects, also with escalated privileges. This vulnerability is due to the backend's failure to validate project identifiers against the current user's organization ID and projects belonging to it, as well as a misconfiguration in attribute naming (`org_id` should be `orgId`) that prevents proper user organization validation. As a result, attackers can cause inconsistencies on the platform for affected users and organizations, including unauthorized privilege escalation. The issue is present in the backend API endpoints for user invitation and modification, specifically in the handling of project IDs in requests. | |||||
| CVE-2024-3504 | 1 Lunary | 1 Lunary | 2025-10-15 | N/A | 6.5 MEDIUM |
| An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7. | |||||
| CVE-2024-3404 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2025-10-15 | N/A | 6.5 MEDIUM |
| In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the `history` files of other users, potentially leading to unauthorized access to sensitive information. The vulnerability is present in the application's handling of access control for the `history` path, where no adequate mechanism is in place to prevent an authenticated user from accessing another user's chat history files. This issue poses a significant risk as it could allow attackers to obtain sensitive information from the chat history of other users. | |||||
| CVE-2024-10275 | 1 Lunary | 1 Lunary | 2025-10-15 | N/A | 7.3 HIGH |
| In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an administrator can manage billing, effectively bypassing the intended role-based access control. Only users with the 'owner' role should be allowed to invite members with billing permissions. This flaw allows admins to circumvent those restrictions, gaining unauthorized access and control over billing information, posing a risk to the organization’s financial resources. | |||||
| CVE-2024-10273 | 1 Lunary | 1 Lunary | 2025-10-15 | N/A | 6.5 MEDIUM |
| In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privilege users to update models they should not have access to modify. This vulnerability could lead to unauthorized changes in critical resources, affecting the integrity and reliability of the system. | |||||
| CVE-2025-40619 | 1 Bookgy | 1 Bookgy | 2025-10-14 | N/A | 7.5 HIGH |
| Bookgy does not provide for proper authorisation control in multiple areas of the application. This deficiency could allow a malicious actor, without authentication, to reach private areas and/or areas intended for other roles. | |||||
| CVE-2025-48043 | 2025-10-14 | N/A | N/A | ||
| Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/[email protected], before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae. | |||||
| CVE-2025-7374 | 2025-10-14 | N/A | 5.4 MEDIUM | ||
| The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending. | |||||
| CVE-2025-8886 | 2025-10-14 | N/A | 6.7 MEDIUM | ||
| Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privilege Abuse, Authentication Bypass.This issue affects Aybs Interaktif: from 2024 through 28082025. | |||||
| CVE-2025-42939 | 2025-10-14 | N/A | 4.3 MEDIUM | ||
| SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule conditions that should be restricted, compromising the integrity of the application without affecting its confidentiality or availability. | |||||
| CVE-2025-62243 | 2025-10-14 | N/A | N/A | ||
| Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter. Publications comments in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 does not properly check user permissions, which allows remote authenticated users to edit publication comments via crafted URLs. | |||||
| CVE-2024-52314 | 1 Amazon | 1 Data.all | 2025-10-14 | N/A | 4.9 MEDIUM |
| A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that interact with customer producer teams data. | |||||
| CVE-2024-52312 | 1 Amazon | 1 Data.all | 2025-10-14 | N/A | 5.4 MEDIUM |
| Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments. | |||||
| CVE-2024-10953 | 1 Amazon | 1 Data.all | 2025-10-14 | N/A | 4.3 MEDIUM |
| An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of. | |||||
| CVE-2024-34146 | 1 Jenkins | 1 Git Server | 2025-10-10 | N/A | 6.5 MEDIUM |
| Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission to access these repositories. | |||||
| CVE-2023-45793 | 1 Siemens | 1 Siveillance Control | 2025-10-10 | N/A | 5.5 MEDIUM |
| A vulnerability has been identified in Siveillance Control (All versions >= V2.8 < V3.1.1). The affected product does not properly check the list of access groups that are assigned to an individual user. This could enable a locally logged on user to gain write privileges for objects where they only have read privileges. | |||||
| CVE-2025-3719 | 1 Nozominetworks | 2 Cmc, Guardian | 2025-10-09 | N/A | 8.1 HIGH |
| An access control vulnerability was discovered in the CLI functionality due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can issue administrative CLI commands, altering the device configuration, and/or affecting its availability. | |||||
| CVE-2025-11439 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 11d97d78f2de2cb49f79baed6bde8b611ec1f384. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2025-11438 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue. | |||||
| CVE-2025-11239 | 1 Knime | 1 Business Hub | 2025-10-08 | N/A | 4.3 MEDIUM |
| Potentially sensitive information in jobs on KNIME Business Hub prior to 1.16.0 were visible to all members of the user's team. Starting with KNIME Business Hub 1.16.0 only metadata of jobs is shown to team members. Only the creator of a job can see all information including in- and output data (if present). | |||||