Total
2367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11776 | 1 Mattermost | 1 Mattermost Server | 2025-11-17 | N/A | 4.3 MEDIUM |
| Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint | |||||
| CVE-2025-41436 | 1 Mattermost | 1 Mattermost Server | 2025-11-17 | N/A | 3.1 LOW |
| Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads | |||||
| CVE-2025-62394 | 1 Moodle | 1 Moodle | 2025-11-14 | N/A | 4.3 MEDIUM |
| Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information. | |||||
| CVE-2025-12149 | 2025-11-14 | N/A | N/A | ||
| In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices. | |||||
| CVE-2025-65002 | 2025-11-14 | N/A | 7.5 HIGH | ||
| Fujitsu / Fsas Technologies iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters. | |||||
| CVE-2025-13063 | 2025-11-14 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in DinukaNavaratna Dee Store 1.0. Affected is an unknown function. Executing manipulation can lead to missing authorization. The attack may be performed from remote. The exploit has been published and may be used. Multiple endpoints are affected. | |||||
| CVE-2025-64746 | 2025-11-14 | N/A | 4.6 MEDIUM | ||
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue. | |||||
| CVE-2025-63687 | 2025-11-12 | N/A | 6.5 MEDIUM | ||
| An issue was discovered in rymcu forest thru commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users posts. | |||||
| CVE-2025-37736 | 2025-11-12 | N/A | 8.8 HIGH | ||
| Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is: post:/platform/configuration/security/service-accounts delete:/platform/configuration/security/service-accounts/{user_id} patch:/platform/configuration/security/service-accounts/{user_id} post:/platform/configuration/security/service-accounts/{user_id}/keys delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id} patch:/user post:/users post:/users/auth/keys delete:/users/auth/keys delete:/users/auth/keys/_all delete:/users/auth/keys/{api_key_id} delete:/users/{user_id}/auth/keys delete:/users/{user_id}/auth/keys/{api_key_id} delete:/users/{user_name} patch:/users/{user_name} | |||||
| CVE-2025-12925 | 2025-11-12 | 7.5 HIGH | 7.3 HIGH | ||
| A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/forest/lucene/api/UserDicController.java. The manipulation results in missing authorization. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | |||||
| CVE-2025-12621 | 2025-11-12 | N/A | 5.3 MEDIUM | ||
| The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds. | |||||
| CVE-2025-12924 | 2025-11-12 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. This issue affects the function GlobalResult of the file src/main/java/com/rymcu/forest/web/api/bank/BankController.java. The manipulation leads to missing authorization. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | |||||
| CVE-2025-11862 | 2025-11-12 | N/A | N/A | ||
| A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API. | |||||
| CVE-2025-61830 | 2025-11-12 | N/A | 7.1 HIGH | ||
| Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK. | |||||
| CVE-2025-62795 | 1 Fit2cloud | 1 Jumpserver | 2025-11-12 | N/A | 7.1 HIGH |
| JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts. | |||||
| CVE-2025-62275 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-10 | N/A | 5.3 MEDIUM |
| Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL. | |||||
| CVE-2021-40655 | 1 Dlink | 2 Dir-605l, Dir-605l Firmware | 2025-11-10 | 5.0 MEDIUM | 7.5 HIGH |
| An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page | |||||
| CVE-2025-44824 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 8.5 HIGH |
| Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is in the API response. This is GL:NLS#474. | |||||
| CVE-2025-34273 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 6.5 MEDIUM |
| Nagios Log Server versions prior to 2024R2.0.3 contain an incorrect authorization vulnerability that allows non-administrator users to delete global dashboards. The application did not correctly enforce authorization checks for the global dashboard deletion workflow, enabling lower-privileged users to remove dashboards that affect other users or the overall monitoring UI. | |||||
| CVE-2023-7322 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 8.1 HIGH |
| Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions exposed via the API. This incorrect authorization check could allow authenticated but non-privileged users to read or modify resources beyond their intended rights. | |||||