Total
833 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-15203 | 1 Kanboard | 1 Kanboard | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user. | |||||
| CVE-2017-15197 | 1 Kanboard | 1 Kanboard | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user. | |||||
| CVE-2017-15209 | 1 Kanboard | 1 Kanboard | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user. | |||||
| CVE-2017-15211 | 1 Kanboard | 1 Kanboard | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user. | |||||
| CVE-2023-51141 | 1 Zkteco | 1 Biotime | 2025-04-18 | N/A | 6.5 MEDIUM |
| An issue in ZKTeko BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component | |||||
| CVE-2025-25952 | 2025-04-18 | N/A | 6.5 MEDIUM | ||
| An Insecure Direct Object References (IDOR) in the component /getStudemtAllDetailsById?studentId=XX of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access sensitive user information via a crafted API request. | |||||
| CVE-2025-39434 | 2025-04-17 | N/A | 4.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4. | |||||
| CVE-2022-31683 | 1 Pivotal Software | 1 Concourse | 2025-04-16 | N/A | 5.4 MEDIUM |
| Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse user can send a request with body including :team_name=team2 to bypass team scope check to gain access to certain resources belong to any other team. | |||||
| CVE-2025-24487 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can infer the existence of usernames in the system by querying an API. | |||||
| CVE-2025-27939 | 2025-04-16 | N/A | 7.5 HIGH | ||
| An attacker can change registered email addresses of other users and take over arbitrary accounts. | |||||
| CVE-2025-30254 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username. | |||||
| CVE-2025-27568 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. | |||||
| CVE-2025-27938 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms"). | |||||
| CVE-2025-30514 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes"). | |||||
| CVE-2025-31357 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can obtain a user's plant list by knowing the username. | |||||
| CVE-2025-24850 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An attacker can export other users' plant information. | |||||
| CVE-2025-27565 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. | |||||
| CVE-2025-30257 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account. | |||||
| CVE-2025-25276 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can hijack other users' devices and potentially control them. | |||||
| CVE-2025-31933 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can check the existence of usernames in the system by querying an API. | |||||