Total
121 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-50170 | 1 Microsoft | 14 Server, Windows, Windows 10 1809 and 11 more | 2025-11-04 | 7.8 High |
| Improper handling of insufficient permissions or privileges in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-58457 | 1 Apache | 1 Zookeeper | 2025-11-04 | 4.3 Medium |
| Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue. The issue can be mitigated by disabling both commands (via admin.snapshot.enabled and admin.restore.enabled), disabling the whole AdminServer interface (via admin.enableServer), or ensuring that the root ACL does not provide open permissions. (Note that ZooKeeper ACLs are not recursive, so this does not impact operations on child nodes besides notifications from recursive watches.) | ||||
| CVE-2025-41244 | 4 Debian, Linux, Microsoft and 1 more | 9 Debian Linux, Linux Kernel, Windows and 6 more | 2025-11-04 | 7.8 High |
| VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM. | ||||
| CVE-2023-42931 | 1 Apple | 1 Macos | 2025-11-04 | 8.3 High |
| The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.3, macOS Sonoma 14.2, macOS Monterey 12.7.2. A process may gain admin privileges without proper authentication. | ||||
| CVE-2024-10462 | 2 Mozilla, Redhat | 9 Firefox, Firefox Esr, Thunderbird and 6 more | 2025-11-03 | 7.5 High |
| Truncation of a long URL could have allowed origin spoofing in a permission prompt. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | ||||
| CVE-2024-10458 | 2 Mozilla, Redhat | 8 Firefox, Thunderbird, Enterprise Linux and 5 more | 2025-11-03 | 6.5 Medium |
| A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132. | ||||
| CVE-2024-12430 | 2025-11-03 | 7 High | ||
| An attacker who successfully exploited these vulnerabilities could cause enable command execution. A vulnerability exists in the AC500 V3 version mentioned. After successfully exploiting CVE-2024-12429 (directory traversal), a successfully authenticated attacker can inject arbitrary commands into a specifically crafted file, which then will be executed by root user. All AC500 V3 products (PM5xxx) with firmware version earlier than 3.8.0 are affected by this vulnerability. | ||||
| CVE-2025-30453 | 1 Apple | 1 Macos | 2025-11-03 | 7.8 High |
| The issue was addressed with additional permissions checks. This issue is fixed in macOS Sequoia 15.4, macOS Ventura 13.7.6, macOS Sonoma 14.7.6. A malicious app may be able to gain root privileges. | ||||
| CVE-2025-45376 | 1 Dell | 1 Repository Manager | 2025-10-29 | 7.5 High |
| Dell Repository Manager (DRM), versions 3.4.7 and 3.4.8, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | ||||
| CVE-2024-55604 | 1 Appsmith | 1 Appsmith | 2025-10-24 | 4.3 Medium |
| Appsmith is a platform to build admin panels, internal tools, and dashboards. Users invited as "App Viewer" should not have access to development information of a workspace. Datasources are such a component in a workspace. Yet, in versions of Appsmith prior to 1.51, app viewers are able to get a list of datasources in a workspace they're a member of. This information disclosure does NOT expose sensitive data in the datasources, such as database passwords and API Keys. The attacker needs to have been invited to a workspace as a "viewer", by someone in that workspace with access to invite. The attacker then needs to be able to signup/login to that Appsmith instance. The issue is patched in version 1.51. No known workarounds are available. | ||||
| CVE-2024-29748 | 1 Google | 2 Android, Pixel | 2025-10-24 | 7.8 High |
| there is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2025-62509 | 1 Filerise | 1 Filrise | 2025-10-21 | 8.1 High |
| FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise’s file/folder handling allows low-privilege users to perform unauthorized operations (view/delete/modify) on files created by other users. The root cause was inferring ownership/visibility from folder names (e.g., a folder named after a username) and missing server-side authorization/ownership checks across file operation endpoints. This amounted to an IDOR pattern: an attacker could operate on resources identified only by predictable names. This issue has been patched in version 1.4.0 and further hardened in version 1.5.0. A workaround for this issue involves restricting non-admin users to read-only or disable delete/rename APIs server-side, avoid creating top-level folders named after other usernames, and adding server-side checks that verify ownership before delete/rename/move. | ||||
| CVE-2025-62510 | 1 Filerise | 1 Filerise | 2025-10-21 | 8.1 High |
| FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder names. Low-privilege users could see or interact with folders matching their username and, in some cases, other users’ content. This issue has been patched in version 1.5.0, where it introduces explicit per-folder ACLs (owners/read/write/share/read_own) and strict server-side checks across list, read, write, share, rename, copy/move, zip, and WebDAV paths. | ||||
| CVE-2025-46708 | 3 Google, Imaginationtech, Linux | 3 Android, Ddk, Linux Kernel | 2025-10-21 | 4.3 Medium |
| Software installed and running inside a Guest VM may conduct improper GPU system calls to prevent other Guests from running work on the GPU. | ||||
| CVE-2025-62176 | 1 Joinmastodon | 1 Mastodon | 2025-10-21 | 4.3 Medium |
| Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses scope. This allows OAuth clients without the read scope to subscribe to public channels and receive public timeline events. The impact is limited, as this only affects new public posts published on the public timelines and requires an otherwise valid token, but this may lead to unexpected access to public posts in a limited-federation setting. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist. | ||||
| CVE-2023-41972 | 1 Zscaler | 1 Client Connector | 2025-10-10 | 7.3 High |
| In some rare cases, there is a password type validation missing in Revert Password check and for some features it could be disabled. Fixed Version: Win ZApp 4.3.0.121 and later. | ||||
| CVE-2024-36451 | 2 Gentoo, Webmin | 2 Webmin, Webmin | 2025-10-08 | 8.8 High |
| Improper handling of insufficient permissions or privileges vulnerability exists in ajaxterm module of Webmin prior to 2.003. If this vulnerability is exploited, a console session may be hijacked by an unauthorized user. As a result, data within a system may be referred, a webpage may be altered, or a server may be permanently halted. | ||||
| CVE-2025-27521 | 1 Huawei | 1 Harmonyos | 2025-09-26 | 6.8 Medium |
| Vulnerability of improper access permission in the process management module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2025-59040 | 1 Enalean | 1 Tuleap | 2025-09-22 | 4.3 Medium |
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. Backlog item representations do not verify the permissions of the child trackers. Users might see tracker names they should not have access to. This vulnerability is fixed in Tuleap Community Edition 16.11.99.1757427600 and Tuleap Enterprise Edition 16.11-6 and 16.10-8. | ||||
| CVE-2025-29826 | 1 Microsoft | 1 Dataverse | 2025-09-10 | 7.3 High |
| Improper handling of insufficient permissions or privileges in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network. | ||||