Total
1026 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41096 | 1 Boldworkplanner | 1 Bold Workplanner | 2025-10-08 | N/A | 4.3 MEDIUM |
| Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to the dates of the current contract details using unauthorised internal identifiers. | |||||
| CVE-2025-41095 | 1 Boldworkplanner | 1 Bold Workplanner | 2025-10-08 | N/A | 4.3 MEDIUM |
| Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to planning counter details using unauthorised internal identifiers. | |||||
| CVE-2025-41094 | 1 Boldworkplanner | 1 Bold Workplanner | 2025-10-08 | N/A | 4.3 MEDIUM |
| Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to functional contract details using unauthorised internal identifiers. | |||||
| CVE-2025-41093 | 1 Boldworkplanner | 1 Bold Workplanner | 2025-10-08 | N/A | 4.3 MEDIUM |
| Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to basic contract details using unauthorised internal identifiers. | |||||
| CVE-2025-41092 | 1 Boldworkplanner | 1 Bold Workplanner | 2025-10-08 | N/A | 4.3 MEDIUM |
| Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to time records details using unauthorised internal identifiers. | |||||
| CVE-2025-7900 | 1 Typo3 | 1 Typo3 | 2025-10-07 | N/A | 6.5 MEDIUM |
| The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0 | |||||
| CVE-2025-11321 | 2025-10-06 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was detected in zhuimengshaonian wisdom-education up to 1.0.4. The affected element is an unknown function of the file src/main/java/com/education/api/controller/student/WrongBookController.java. Performing manipulation of the argument subjectId results in authorization bypass. The attack can be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2025-0606 | 2025-10-06 | N/A | 6.0 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Logo Software Inc. Logo Cloud allows Forceful Browsing, Resource Leak Exposure.This issue affects Logo Cloud: before 0.67. | |||||
| CVE-2025-43827 | 2025-10-02 | N/A | N/A | ||
| Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter. | |||||
| CVE-2025-0642 | 2025-10-02 | N/A | 6.3 MEDIUM | ||
| Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass.This issue affects Assist: through 10.02.2025. | |||||
| CVE-2025-55621 | 1 Reolink | 1 Reolink | 2025-10-02 | N/A | 6.5 MEDIUM |
| An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior; the photos are part of a social platform on which users expect to find one another. | |||||
| CVE-2025-51533 | 1 Sagedpw | 1 Sage Dpw | 2025-10-01 | N/A | 5.3 MEDIUM |
| An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_004 and below allows unauthorized attackers to access internal forms via sending a crafted GET request. | |||||
| CVE-2024-52507 | 1 Nextcloud | 1 Tables | 2025-10-01 | N/A | 3.5 LOW |
| Nextcloud Tables allows users to to create tables with individual columns. The information which Table (numeric ID) is shared with which groups and users and the respective permissions was not limited to affected users. It is recommended that the Nextcloud Tables app is upgraded to 0.8.1. | |||||
| CVE-2024-52511 | 1 Nextcloud | 1 Tables | 2025-10-01 | N/A | 6.3 MEDIUM |
| Nextcloud Tables allows users to to create tables with individual columns. By directly specifying the ID of a table or view, a malicious user could blindly insert new rows into tables they have no access to. It is recommended that the Nextcloud Tables is upgraded to 0.8.0. | |||||
| CVE-2024-32045 | 1 Mattermost | 1 Mattermost Server | 2025-09-30 | N/A | 5.9 MEDIUM |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of. | |||||
| CVE-2025-8532 | 2025-09-30 | N/A | 6.4 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key, Improper Authorization vulnerability in Bimser Solution Software Trade Inc. EBA Document and Workflow Management System allows Forceful Browsing.This issue affects eBA Document and Workflow Management System: from 6.7.164 before 6.7.166. | |||||
| CVE-2025-8463 | 2025-09-30 | N/A | 5.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Forceful Browsing.This issue affects SecHard: before 3.6.2-20250805. | |||||
| CVE-2024-33542 | 1 Crelly Slider Project | 1 Crelly Slider | 2025-09-29 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Fabio Rinaldi Crelly Slider.This issue affects Crelly Slider: from n/a through 1.4.5. | |||||
| CVE-2025-10947 | 2025-09-26 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing manipulation of the argument pes_cpf can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 2025.8.0 is sufficient to resolve this issue. It is advisable to upgrade the affected component. | |||||
| CVE-2025-8789 | 1 Portabilis | 1 I-educar | 2025-09-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been classified as problematic. This affects an unknown part of the file /module/Api/Diario of the component API Endpoint. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||