Total
4344 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6527 | 1 70mai | 2 M300, M300 Firmware | 2025-11-14 | 3.1 Low |
| A vulnerability, which was classified as problematic, was found in 70mai M300 up to 20250611. Affected is an unknown function of the component Web Server. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-63353 | 1 Fiberhome | 2 Hg6145f1, Rp4423 | 2025-11-14 | 9.8 Critical |
| A vulnerability in FiberHome GPON ONU HG6145F1 RP4423 allows the device's factory default Wi-Fi password (WPA/WPA2 pre-shared key) to be predicted from the SSID. The device generates default passwords using a deterministic algorithm that derives the router passphrase from the SSID, enabling an attacker who can observe the SSID to predict the default password without authentication or user interaction. | ||||
| CVE-2025-12480 | 1 Gladinet | 1 Triofox | 2025-11-14 | 9.1 Critical |
| Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete. | ||||
| CVE-2025-63667 | 3 Asecam, Keview, Simicam | 3 H43, H43, H44 | 2025-11-12 | 7.5 High |
| Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication. | ||||
| CVE-2025-60876 | 1 Busybox | 1 Busybox | 2025-11-12 | 6.5 Medium |
| BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | ||||
| CVE-2025-37135 | 2 Arubanetworks, Hpe | 2 Arubaos, Arubaos | 2025-11-12 | 6.5 Medium |
| Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | ||||
| CVE-2025-37136 | 2 Arubanetworks, Hpe | 2 Arubaos, Arubaos | 2025-11-12 | 6.5 Medium |
| Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | ||||
| CVE-2025-37137 | 2 Arubanetworks, Hpe | 2 Arubaos, Arubaos | 2025-11-12 | 6.5 Medium |
| Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | ||||
| CVE-2025-37140 | 2 Arubanetworks, Hpe | 2 Arubaos, Arubaos | 2025-11-12 | 4.9 Medium |
| Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits. | ||||
| CVE-2025-37141 | 2 Arubanetworks, Hpe | 2 Arubaos, Arubaos | 2025-11-12 | 4.9 Medium |
| Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits. | ||||
| CVE-2025-37142 | 2 Arubanetworks, Hpe | 2 Arubaos, Arubaos | 2025-11-12 | 4.9 Medium |
| Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits. | ||||
| CVE-2025-58337 | 1 Apache | 2 Doris, Doris Mcp Server | 2025-11-12 | 5.4 Medium |
| An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications. Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix). | ||||
| CVE-2025-22391 | 1 Intel | 1 Sigtest | 2025-11-12 | 6.7 Medium |
| Improper access control for some SigTest before version 6.1.10 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | ||||
| CVE-2024-12235 | 1 Tongzhouyun | 1 Agilebpm | 2025-11-12 | 6.3 Medium |
| A vulnerability was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 1.0.0. It has been declared as critical. Affected by this vulnerability is the function doFilter of the file \agile-bpm-basic-master\ab-auth\ab-auth-spring-security-oauth2\src\main\java\com\dstz\auth\filter\AuthorizationTokenCheckFilter.java. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-37143 | 2 Arubanetworks, Hpe | 2 Arubaos, Arubaos | 2025-11-12 | 4.9 Medium |
| An arbitrary file download vulnerability exists in the web-based management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an Authenticated malicious actor to download arbitrary files through carefully constructed exploits. | ||||
| CVE-2025-63686 | 1 Guominjim | 1 Personmanage | 2025-11-12 | 6.5 Medium |
| There is an arbitrary file download vulnerability in GuoMinJim PersonManage thru commit 5a02b1ab208feacf3a34fc123c9381162afbaa95 (2020-11-23) in the document query function under the Download Center menu in the PersonManage system. | ||||
| CVE-2025-27919 | 1 Anydesk | 1 Anydesk | 2025-11-12 | 8.2 High |
| An issue was discovered in AnyDesk through 9.0.4. A remotely connected user with the "Control my device" permission can manipulate remote AnyDesk settings and create a password for the Full Access profile without needing confirmation from the counterparty. Consequently, the attacker can later connect without this counterparty confirmation. | ||||
| CVE-2025-64347 | 1 Apollographql | 1 Apollo-router | 2025-11-12 | 7.5 High |
| Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1. | ||||
| CVE-2024-42919 | 1 Escanav | 1 Escan Management Console | 2025-11-12 | 9.8 Critical |
| eScan Management Console 14.0.1400.2281 is vulnerable to Incorrect Access Control via acteScanAVReport. | ||||
| CVE-2025-5962 | 1 Redhat | 1 Enterprise Linux | 2025-11-11 | 7.7 High |
| A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can view, delete, or inject arbitrary history entries, including misleading or malicious commands. This can be used to deceive another user into executing harmful actions, posing a risk of privilege misuse or unauthorized command execution through social engineering. | ||||