Total
2382 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11239 | 1 Knime | 1 Business Hub | 2025-10-08 | 4.3 Medium |
| Potentially sensitive information in jobs on KNIME Business Hub prior to 1.16.0 were visible to all members of the user's team. Starting with KNIME Business Hub 1.16.0 only metadata of jobs is shown to team members. Only the creator of a job can see all information including in- and output data (if present). | ||||
| CVE-2025-59714 | 1 Internet2 | 1 Grouper | 2025-10-08 | 6.5 Medium |
| In Internet2 Grouper 5.17.1 before 5.20.5, group admins who are not Grouper sysadmins can configure loader jobs. | ||||
| CVE-2024-10306 | 1 Redhat | 3 Enterprise Linux, Jboss Core Services, Rhel Eus | 2025-10-08 | 5.4 Medium |
| A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic. | ||||
| CVE-2025-49641 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 4.3 Medium |
| A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems. | ||||
| CVE-2025-27236 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 6.5 Medium |
| A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to. | ||||
| CVE-2025-4975 | 2025-10-08 | N/A | ||
| When a notification relating to low battery appears for a user with whom the device has been shared, tapping the notification grants full access to the power settings of that device. | ||||
| CVE-2025-40668 | 1 Tcman | 1 Gim | 2025-10-06 | 6.5 Medium |
| Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability the PasswordActual parameter must be empty. | ||||
| CVE-2025-40669 | 1 Tcman | 1 Gim | 2025-10-06 | 6.5 Medium |
| Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to modify the permissions held by each of the application's users, including the user himself by sending a POST request to /PC/Options.aspx?Command=2&Page=-1. | ||||
| CVE-2025-40670 | 1 Tcman | 1 Gim | 2025-10-06 | 8.8 High |
| Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser. | ||||
| CVE-2025-58134 | 2 Microsoft, Zoom | 9 Windows, Meeting Software Development Kit, Rooms and 6 more | 2025-10-06 | 4.3 Medium |
| Incorrect authorization in certain Zoom Workplace Clients for Windows may allow an authenticated user to conduct an impact to integrity via network access. | ||||
| CVE-2025-2570 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-06 | 2.7 Low |
| Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmin` is true via System Console. | ||||
| CVE-2025-10696 | 1 Opensupports | 1 Opensupports | 2025-10-06 | N/A |
| OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.This issue affects OpenSupports: 4.11.0. | ||||
| CVE-2024-7096 | 1 Wso2 | 7 Api Manager, Enterprise Mobility Manager, Identity Server and 4 more | 2025-10-06 | 4.2 Medium |
| A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms. | ||||
| CVE-2024-6914 | 1 Wso2 | 6 Api Manager, Identity Server, Identity Server As Key Manager and 3 more | 2025-10-06 | 8.8 High |
| An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks. | ||||
| CVE-2024-7097 | 1 Wso2 | 7 Api Manager, Enterprise Mobility Manager, Identity Server and 4 more | 2025-10-06 | 4.3 Medium |
| An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation. | ||||
| CVE-2024-3511 | 1 Wso2 | 7 Api Manager, Carbon, Enterprise Integrator and 4 more | 2025-10-06 | 4.3 Medium |
| An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance. | ||||
| CVE-2024-2321 | 1 Wso2 | 2 Api Manager, Identity Server | 2025-10-03 | 5.6 Medium |
| An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations. Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged unauthorized access to API resources, impacting data confidentiality and integrity. | ||||
| CVE-2025-3913 | 1 Mattermost | 1 Mattermost Server | 2025-10-03 | 5.3 Medium |
| Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint. | ||||
| CVE-2024-58260 | 2 Rancher, Suse | 2 Rancher, Rancher | 2025-10-03 | 7.6 High |
| A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. | ||||
| CVE-2025-24397 | 1 Jenkins | 1 Gitlab | 2025-10-03 | 4.3 Medium |
| An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. | ||||