Export limit exceeded: 341845 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 341845 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (1433 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-15201 | 1 Kanboard | 1 Kanboard | 2025-04-20 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user. | ||||
| CVE-2017-15202 | 1 Kanboard | 1 Kanboard | 2025-04-20 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user. | ||||
| CVE-2017-15203 | 1 Kanboard | 1 Kanboard | 2025-04-20 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user. | ||||
| CVE-2017-15206 | 1 Kanboard | 1 Kanboard | 2025-04-20 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user. | ||||
| CVE-2017-15207 | 1 Kanboard | 1 Kanboard | 2025-04-20 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user. | ||||
| CVE-2017-15208 | 1 Kanboard | 1 Kanboard | 2025-04-20 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user. | ||||
| CVE-2017-15209 | 1 Kanboard | 1 Kanboard | 2025-04-20 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user. | ||||
| CVE-2017-15211 | 1 Kanboard | 1 Kanboard | 2025-04-20 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user. | ||||
| CVE-2023-51141 | 1 Zkteco | 1 Biotime | 2025-04-18 | 6.5 Medium |
| An issue in ZKTeko BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component | ||||
| CVE-2022-34150 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2025-04-16 | 7.1 High |
| The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification. | ||||
| CVE-2022-33944 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2025-04-16 | 6.5 Medium |
| The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs. | ||||
| CVE-2022-31683 | 1 Pivotal Software | 1 Concourse | 2025-04-16 | 5.4 Medium |
| Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse user can send a request with body including :team_name=team2 to bypass team scope check to gain access to certain resources belong to any other team. | ||||
| CVE-2025-3575 | 2025-04-15 | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/establecerUsuarioSeleccion" endpoint. | ||||
| CVE-2025-3574 | 2025-04-15 | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/obtenerFamiliaUsuario" endpoint. | ||||
| CVE-2024-33668 | 1 Zammad | 1 Zammad | 2025-04-15 | 9.1 Critical |
| An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to. | ||||
| CVE-2017-20101 | 1 Projectsend | 1 Projectsend | 2025-04-15 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in ProjectSend r754. This affects an unknown part of the file process.php?do=zip_download. The manipulation of the argument client/file leads to information disclosure. It is possible to initiate the attack remotely. | ||||
| CVE-2022-3876 | 1 Clickstudios | 1 Passwordstate | 2025-04-15 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This issue affects some unknown processing of the file /api/browserextension/UpdatePassword/ of the component API. The manipulation of the argument PasswordID leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier VDB-216245 was assigned to this vulnerability. | ||||
| CVE-2022-4097 | 1 Updraftplus | 1 All-in-one Security | 2025-04-14 | 5.3 Medium |
| The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more). | ||||
| CVE-2024-12335 | 1 Theme-fusion | 1 Avada Builder | 2025-04-14 | 4.3 Medium |
| The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post() function and the 'fusion_blog' shortcode and due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2022-4505 | 1 Open-emr | 1 Openemr | 2025-04-14 | 8.8 High |
| Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.2. | ||||