Export limit exceeded: 361357 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (9506 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10275 | 2 Iocoder, Yunaiv | 2 Yudao-cloud, Yudao-cloud | 2025-11-14 | 6.3 Medium |
| A weakness has been identified in YunaiV yudao-cloud up to 2025.09. This affects an unknown part of the file /crm/business/transfer. Executing manipulation of the argument ids/newOwnerUserId can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10276 | 2 Iocoder, Ruoyi | 3 Ruoyi-vue-pro, Ruoyi, Ruoyi-vue | 2025-11-14 | 6.3 Medium |
| A security vulnerability has been detected in YunaiV ruoyi-vue-pro up to 2025.09. This vulnerability affects unknown code of the file /crm/contract/transfer. The manipulation of the argument id/newOwnerUserId leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10277 | 2 Iocoder, Yunaiv | 2 Yudao-cloud, Yudao-cloud | 2025-11-14 | 6.3 Medium |
| A vulnerability was detected in YunaiV yudao-cloud up to 2025.09. This issue affects some unknown processing of the file /crm/receivable/submit. The manipulation of the argument ID results in improper authorization. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10278 | 2 Iocoder, Ruoyi | 3 Ruoyi-vue-pro, Ruoyi, Ruoyi-vue | 2025-11-14 | 6.3 Medium |
| A flaw has been found in YunaiV ruoyi-vue-pro up to 2025.09. Impacted is an unknown function of the file /crm/contact/transfer. This manipulation of the argument ids/newOwnerUserId causes improper authorization. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6527 | 1 70mai | 2 M300, M300 Firmware | 2025-11-14 | 3.1 Low |
| A vulnerability, which was classified as problematic, was found in 70mai M300 up to 20250611. Affected is an unknown function of the component Web Server. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-33093 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2025-11-13 | 7.5 High |
| IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret. | ||||
| CVE-2024-2005 | 1 Ciena | 1 Blue Planet Inventory | 2025-11-13 | 9 Critical |
| In Blue Planet® products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected. Blue Planet® has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal. | ||||
| CVE-2025-12436 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-13 | 5.9 Medium |
| Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium) | ||||
| CVE-2025-12445 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-13 | 6.5 Medium |
| Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low) | ||||
| CVE-2024-2228 | 1 Sailpoint | 1 Identityiq | 2025-11-12 | 7.1 High |
| This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population. | ||||
| CVE-2024-12235 | 1 Tongzhouyun | 1 Agilebpm | 2025-11-12 | 6.3 Medium |
| A vulnerability was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 1.0.0. It has been declared as critical. Affected by this vulnerability is the function doFilter of the file \agile-bpm-basic-master\ab-auth\ab-auth-spring-security-oauth2\src\main\java\com\dstz\auth\filter\AuthorizationTokenCheckFilter.java. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-27095 | 2 Fit2cloud, Jumpserver | 2 Jumpserver, Jumpserver | 2025-11-12 | 4.3 Medium |
| JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an external server controlled by the attacker. This allows the attacker to intercept and capture the Kubernetes cluster token. This can potentially allow unauthorized access to the cluster and compromise its security. This vulnerability is fixed in 4.8.0 and 3.10.18. | ||||
| CVE-2021-20021 | 2 Microsoft, Sonicwall | 20 Windows, Email Security, Email Security Appliance 3300 and 17 more | 2025-11-10 | 9.8 Critical |
| A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. | ||||
| CVE-2025-12485 | 1 Devolutions | 1 Devolutions Server | 2025-11-10 | 8.8 High |
| Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step. This issue affects the following versions : * Devolutions Server 2025.3.2.0 through 2025.3.5.0 * Devolutions Server 2025.2.15.0 and earlier | ||||
| CVE-2020-8655 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2025-11-10 | 7.8 High |
| An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7. | ||||
| CVE-2025-12424 | 2 Azure-access, Azure Access Technology | 6 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 3 more | 2025-11-07 | 9.8 Critical |
| Privilege Escalation through SUID-bit Binary.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . | ||||
| CVE-2025-12425 | 2 Azure-access, Azure Access Technology | 6 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 3 more | 2025-11-07 | 7.8 High |
| Local Privilege Escalation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . | ||||
| CVE-2023-5408 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2025-11-07 | 7.2 High |
| A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster. | ||||
| CVE-2014-5415 | 1 Beckhoff | 2 Embedded Pc Images, Twincat | 2025-11-05 | 9.1 Critical |
| Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components might allow remote attackers to obtain access via the (1) Windows CE Remote Configuration Tool, (2) CE Remote Display service, or (3) TELNET service. | ||||
| CVE-2014-5412 | 2 Aveva, Schneider-electric | 2 Clearscada, Scada Expert Clearscada | 2025-11-04 | N/A |
| Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account. | ||||