Total
2314 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-40668 | 1 Tcman | 1 Gim | 2025-10-06 | N/A | 6.5 MEDIUM |
| Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability the PasswordActual parameter must be empty. | |||||
| CVE-2025-40669 | 1 Tcman | 1 Gim | 2025-10-06 | N/A | 6.5 MEDIUM |
| Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to modify the permissions held by each of the application's users, including the user himself by sending a POST request to /PC/Options.aspx?Command=2&Page=-1. | |||||
| CVE-2025-40670 | 1 Tcman | 1 Gim | 2025-10-06 | N/A | 8.8 HIGH |
| Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser. | |||||
| CVE-2025-58134 | 1 Zoom | 5 Meeting Software Development Kit, Rooms, Rooms Controller and 2 more | 2025-10-06 | N/A | 4.3 MEDIUM |
| Incorrect authorization in certain Zoom Workplace Clients for Windows may allow an authenticated user to conduct an impact to integrity via network access. | |||||
| CVE-2025-2570 | 1 Mattermost | 1 Mattermost Server | 2025-10-06 | N/A | 2.7 LOW |
| Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmin` is true via System Console. | |||||
| CVE-2025-10696 | 2025-10-06 | N/A | N/A | ||
| OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.This issue affects OpenSupports: 4.11.0. | |||||
| CVE-2024-7096 | 1 Wso2 | 6 Api Manager, Identity Server, Identity Server As Key Manager and 3 more | 2025-10-06 | N/A | 4.2 MEDIUM |
| A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms. | |||||
| CVE-2024-6914 | 1 Wso2 | 6 Api Manager, Identity Server, Identity Server As Key Manager and 3 more | 2025-10-06 | N/A | 9.8 CRITICAL |
| An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks. | |||||
| CVE-2024-7097 | 1 Wso2 | 6 Api Manager, Identity Server, Identity Server As Key Manager and 3 more | 2025-10-06 | N/A | 4.3 MEDIUM |
| An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation. | |||||
| CVE-2024-3511 | 1 Wso2 | 6 Api Manager, Enterprise Integrator, Identity Server and 3 more | 2025-10-06 | N/A | 4.3 MEDIUM |
| An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance. | |||||
| CVE-2024-2321 | 1 Wso2 | 2 Api Manager, Identity Server | 2025-10-03 | N/A | 5.6 MEDIUM |
| An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations. Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged unauthorized access to API resources, impacting data confidentiality and integrity. | |||||
| CVE-2025-3913 | 1 Mattermost | 1 Mattermost Server | 2025-10-03 | N/A | 5.3 MEDIUM |
| Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint. | |||||
| CVE-2025-24397 | 1 Jenkins | 1 Gitlab | 2025-10-03 | N/A | 4.3 MEDIUM |
| An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. | |||||
| CVE-2025-24400 | 1 Jenkins | 1 Eiffel Broadcaster | 2025-10-03 | N/A | 4.3 MEDIUM |
| Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials. | |||||
| CVE-2025-24401 | 1 Jenkins | 1 Folder-based Authorization Strategy | 2025-10-03 | N/A | 6.8 MEDIUM |
| Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to. | |||||
| CVE-2024-58260 | 2025-10-02 | N/A | 7.6 HIGH | ||
| A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. | |||||
| CVE-2025-32093 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 4.7 MEDIUM |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation. | |||||
| CVE-2025-24839 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 3.1 LOW |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled. | |||||
| CVE-2025-46744 | 2025-10-01 | N/A | 2.7 LOW | ||
| An authenticated administrator could modify the Created By username for a user account | |||||
| CVE-2025-25010 | 1 Elastic | 1 Kibana | 2025-10-01 | N/A | 6.5 MEDIUM |
| Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces. | |||||