Total: 2179 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-10696 | | | 2025-10-03 | N/A | N/A | OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and leaks the content of other users' tickets. This issue affects OpenSupports 4.11.0. |
| CVE-2024-2321 | 1 Wso2 | 2 Api Manager, Identity Server | 2025-10-03 | N/A | 5.6 MEDIUM | An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations. Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged unauthorized access to API resources, impacting data confidentiality and integrity. |
| CVE-2025-3913 | 1 Mattermost | 1 Mattermost Server | 2025-10-03 | N/A | 5.3 MEDIUM | Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint. |
| CVE-2025-49641 | | | 2025-10-03 | N/A | N/A | A regular Zabbix user without permission for the Monitoring -> Problems view can still call the problem.view.refresh action and therefore still retrieve the list of active problems. |
| CVE-2025-27236 | | | 2025-10-03 | N/A | N/A | A regular Zabbix user can search other users in their user group via the Zabbix API by selecting fields the user is not permitted to view. This allows data-mining the values of fields the user does not have access to. |
| CVE-2025-24397 | 1 Jenkins | 1 Gitlab | 2025-10-03 | N/A | 4.3 MEDIUM | An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. |
| CVE-2025-24400 | 1 Jenkins | 1 Eiffel Broadcaster | 2025-10-03 | N/A | 4.3 MEDIUM | Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials. |
| CVE-2025-24401 | 1 Jenkins | 1 Folder-based Authorization Strategy | 2025-10-03 | N/A | 6.8 MEDIUM | Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users who were granted permissions that have since been disabled (typically optional permissions, like Overall/Manage) to access functionality they are no longer entitled to. |
| CVE-2025-11239 | | | 2025-10-02 | N/A | N/A | Potentially sensitive information in jobs on KNIME Business Hub prior to 1.16.0 was visible to all members of the user's team. Starting with KNIME Business Hub 1.16.0, only job metadata is shown to team members; only the creator of a job can see all information, including input and output data (if present). |
| CVE-2024-58260 | | | 2025-10-02 | N/A | 7.6 HIGH | A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. |
| CVE-2025-32093 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 4.7 MEDIUM | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation. |
| CVE-2025-24839 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 3.1 LOW | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled. |
| CVE-2025-21479 | 1 Qualcomm | 150 Aqt1000, Aqt1000 Firmware, Fastconnect 6200 and 147 more | 2025-10-02 | N/A | 8.6 HIGH | Memory corruption due to unauthorized command execution in the GPU micronode while executing a specific sequence of commands. |
| CVE-2025-46744 | | | 2025-10-01 | N/A | 2.7 LOW | An authenticated administrator could modify the Created By username for a user account. |
| CVE-2025-25010 | 1 Elastic | 1 Kibana | 2025-10-01 | N/A | 6.5 MEDIUM | Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role, which incorrectly has the ability to access all Kibana Spaces. |
| CVE-2024-12247 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 4.6 MEDIUM | Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes, which allows a user to keep old permissions even after the permission scheme has been updated. |
| CVE-2025-27571 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 4.3 MEDIUM | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived. |
| CVE-2025-2424 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 3.1 LOW | Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check whether a file has been deleted when creating a bookmark, which allows an attacker who knows the IDs of deleted files to obtain metadata of those files via bookmark creation. |
| CVE-2025-24866 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 2.7 LOW | Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs. |
| CVE-2025-1472 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 4.3 MEDIUM | Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role, which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics. |
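CVE-2024-2321 above describes a protected API accepting a refresh token where an access token was expected. The Go program below is an added example, not WSO2's code: it shows why signature-and-scope validation alone is not an authorization decision. A toy HMAC-signed token with a `typ` claim is minted as a long-lived refresh token; `authorize` with `pinType=false` reproduces the flaw class and with `pinType=true` the fix. The claim names, the `apim:admin` scope string and the signing key are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a toy token body. The field names are assumptions for this
// example, not WSO2's format; a real gateway would read the same facts from
// JWT claims or a token-introspection response.
type Claims struct {
	Subject string   `json:"sub"`
	Type    string   `json:"typ"` // "access" or "refresh"
	Scopes  []string `json:"scope"`
	Expiry  int64    `json:"exp"` // Unix seconds
}

// signingKey is a constructed example key, not a production secret.
var signingKey = []byte("example-hmac-key-not-for-production")

func tag(body []byte) []byte {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write(body)
	return mac.Sum(nil)
}

// mint serialises the claims as base64(body).base64(HMAC-SHA256 tag).
func mint(c Claims) string {
	body, _ := json.Marshal(c)
	e := base64.RawURLEncoding.EncodeToString
	return e(body) + "." + e(tag(body))
}

// verify checks integrity and expiry only; what the token may be used for
// is deliberately left to the endpoint.
func verify(token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	body, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !hmac.Equal(sig, tag(body)) {
		return c, errors.New("bad signature")
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

func hasScope(c Claims, want string) bool {
	for _, s := range c.Scopes {
		if s == want {
			return true
		}
	}
	return false
}

// authorize is the resource server's bearer check. With pinType false it
// reproduces the flaw class: any well-signed, unexpired token carrying the
// scope is accepted, and a refresh token is well-signed and carries the
// grant's scopes, so it works as a bearer for its far longer lifetime. With
// pinType true only access tokens are honoured at protected APIs.
func authorize(token, needScope string, pinType bool, now time.Time) error {
	c, err := verify(token, now)
	if err != nil {
		return err
	}
	if pinType && c.Type != "access" {
		return fmt.Errorf("token type %q not accepted at a protected API", c.Type)
	}
	if !hasScope(c, needScope) {
		return errors.New("insufficient scope")
	}
	return nil
}

func main() {
	now := time.Unix(1700000000, 0)
	scopes := []string{"apim:admin"}
	refresh := mint(Claims{Subject: "admin", Type: "refresh", Scopes: scopes, Expiry: now.Add(30 * 24 * time.Hour).Unix()})
	later := now.Add(48 * time.Hour) // the access token issued alongside it expired long ago
	fmt.Println("refresh token at a protected API, vulnerable:", authorize(refresh, "apim:admin", false, later))
	fmt.Println("refresh token at a protected API, fixed:", authorize(refresh, "apim:admin", true, later))
}
```

The point of splitting `verify` from `authorize` is that the cryptographic check is the same for both token kinds; the token type is a separate claim that each endpoint must pin. In an OAuth deployment the equivalent check is usually made at the gateway from the introspection response or the `token_type`/`typ` claim, and refresh tokens should only ever be presented to the token endpoint.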
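CVE-2025-27236 (Zabbix: searching users while selecting fields the caller may not view) and CVE-2025-3913 (Mattermost: team invite IDs returned to admins who lack the invite permission) are both field-level authorization failures in a read endpoint. The Go program below is an added example, not code from either project. It applies a per-field permission policy on two paths: the fields returned, and the fields a caller may filter on, because a filter on a hidden field turns the endpoint into an equality oracle for that field's value. The `Query` shape, the permission names, the policy table and the sample rows are constructed for the example.

```go
package main

import "fmt"

// Record is one stored object (a user, a team) as a field map.
type Record map[string]any

// Viewer carries the caller's coarse permissions.
type Viewer struct {
	ID          string
	Permissions map[string]bool
}

// Query is a simplified read request: fields to return plus equality filters.
// The shape only loosely mirrors Zabbix's output/filter parameters.
type Query struct {
	Output []string
	Filter map[string]any
}

// fieldPolicy names the permission needed to read each sensitive field; fields
// absent from it are public to any authenticated viewer. Names are constructed.
var fieldPolicy = map[string]string{
	"invite_id": "invite_user",
	"email":     "view_user_details",
	"phone":     "view_user_details",
}

func matches(r Record, filter map[string]any) bool {
	for f, want := range filter {
		if r[f] != want {
			return false
		}
	}
	return true
}

func project(r Record, fields []string) Record {
	out := Record{}
	for _, f := range fields {
		if v, ok := r[f]; ok {
			out[f] = v
		}
	}
	return out
}

// runQueryVulnerable trusts the request: any field may be selected and any
// field filtered on, so even a caller who cannot read "email" learns it by
// filtering for candidate values and watching which rows come back.
func runQueryVulnerable(v Viewer, rows []Record, q Query) []Record {
	var out []Record
	for _, r := range rows {
		if matches(r, q.Filter) {
			out = append(out, project(r, q.Output))
		}
	}
	return out
}

// runQueryFixed applies fieldPolicy on both paths: restricted fields are
// dropped from the projection and rejected as filter keys (silently ignoring
// a filter would quietly change the result set the caller asked for).
func runQueryFixed(v Viewer, rows []Record, q Query) ([]Record, error) {
	for f := range q.Filter {
		if need, restricted := fieldPolicy[f]; restricted && !v.Permissions[need] {
			return nil, fmt.Errorf("filter on %q requires permission %q", f, need)
		}
	}
	var allowed []string
	for _, f := range q.Output {
		if need, restricted := fieldPolicy[f]; restricted && !v.Permissions[need] {
			continue
		}
		allowed = append(allowed, f)
	}
	var out []Record
	for _, r := range rows {
		if matches(r, q.Filter) {
			out = append(out, project(r, allowed))
		}
	}
	return out, nil
}

// sampleRows is constructed data.
func sampleRows() []Record {
	return []Record{
		{"id": "u1", "name": "Ada", "email": "ada@example.test", "invite_id": "inv-111"},
		{"id": "u2", "name": "Bob", "email": "bob@example.test", "invite_id": "inv-222"},
	}
}

func main() {
	low := Viewer{ID: "u3", Permissions: map[string]bool{}}
	q := Query{Output: []string{"name", "email", "invite_id"}, Filter: map[string]any{"email": "ada@example.test"}}
	fmt.Println("vulnerable:", runQueryVulnerable(low, sampleRows(), q))
	res, err := runQueryFixed(low, sampleRows(), q)
	fmt.Println("fixed:", res, err)
	res, err = runQueryFixed(low, sampleRows(), Query{Output: q.Output})
	fmt.Println("fixed, unfiltered:", res, err)
}
```

Whether a restricted filter key should be a hard error or a silent drop is an API design choice; the example errors because a dropped filter silently widens the result set. Whatever the choice, the projection policy and the filter policy must be the same table, otherwise the search path leaks what the output path hides.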
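CVE-2025-24400 above is a cache keyed on an identifier that is unique only within one credentials store. The Go program below is an added example, not the Eiffel Broadcaster plugin's code: it reproduces the pattern with a signing-key cache. `byIDOnly` keys on the bare credential ID and hands a look-alike credential from an attacker-controlled folder the legitimate key; `byStoreAndID` scopes the cache key to the store the credential was resolved from. The store names, credential IDs, keys and event payload are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Credential is a signing secret held in a named credentials store. As in
// Jenkins, an ID is unique only within its store: the system store and a
// folder's store may each hold a credential called "eiffel-signer".
type Credential struct {
	Store string
	ID    string
	Key   []byte
}

// cacheKey is what the signing-key cache is indexed by. The vulnerable lookup
// leaves store empty; the fixed one fills it in.
type cacheKey struct{ store, id string }

type keyCache map[cacheKey][]byte

// resolve returns the cached key for k, caching fresh on a miss.
func resolve(c keyCache, k cacheKey, fresh []byte) []byte {
	if v, ok := c[k]; ok {
		return v
	}
	c[k] = fresh
	return fresh
}

type lookup func(keyCache, Credential) []byte

// byIDOnly reproduces the flaw class: the bare credential ID is the cache
// key, so whichever same-named credential was resolved first is handed back
// for every later request naming that ID, whatever store it came from.
func byIDOnly(c keyCache, cred Credential) []byte {
	return resolve(c, cacheKey{id: cred.ID}, cred.Key)
}

// byStoreAndID fixes it: the key is scoped to the store the credential was
// resolved from, so a look-alike in another store gets its own slot.
func byStoreAndID(c keyCache, cred Credential) []byte {
	return resolve(c, cacheKey{store: cred.Store, id: cred.ID}, cred.Key)
}

// signEvent signs an event payload (HMAC-SHA256, hex) with whatever key the
// cache resolves for cred.
func signEvent(c keyCache, look lookup, cred Credential, event string) string {
	mac := hmac.New(sha256.New, look(c, cred))
	mac.Write([]byte(event))
	return hex.EncodeToString(mac.Sum(nil))
}

// scenario replays the attack with constructed data: a trusted job signs
// with the legitimate system-store credential first (warming the cache);
// then a job in an attacker-controlled folder signs with a folder credential
// that shares the ID but carries the attacker's own key. It returns the
// attacker's signature and what the legitimate key produces for the event.
func scenario(look lookup) (attackerSig, legitSig string) {
	cache := keyCache{}
	legit := Credential{Store: "system", ID: "eiffel-signer", Key: []byte("legitimate-secret")}
	rogue := Credential{Store: "folder/attacker", ID: "eiffel-signer", Key: []byte("attacker-secret")}
	const event = `{"meta":{"type":"EiffelActivityTriggeredEvent"},"data":{"name":"build"}}`

	legitSig = signEvent(cache, look, legit, event)
	attackerSig = signEvent(cache, look, rogue, event)
	return attackerSig, legitSig
}

func main() {
	a, l := scenario(byIDOnly)
	fmt.Println("ID-only cache: attacker's event carries the legitimate signature:", a == l)
	a, l = scenario(byStoreAndID)
	fmt.Println("store-scoped cache: attacker's event carries the legitimate signature:", a == l)
}
```

The same ID-only cache fails in the other direction too: if the rogue credential is resolved first, legitimate events get signed with the attacker's key. Either way the remedy is the same, the cache key must carry every component that makes the underlying object unique in the system, not just the component the user typed.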
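CVE-2025-10696 (OpenSupports: a staff member rewrites another account's supervised-users list) and CVE-2025-32093 (Mattermost: a delegated admin with "Edit Other Users" modifies a system administrator) both check the actor's own privilege level but not the actor's relationship to the target. The Go program below is an added example, not code from either project: each mutation endpoint runs a pluggable check before writing, with the vulnerable check beside the fixed one. The role names, the directory contents, and the choice of a role change as the representative "modification" are assumptions for the example; the real staff levels and role names of either product are not modelled.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is an ordered privilege level; the names are assumptions standing in
// for OpenSupports staff levels and Mattermost delegated admin roles.
type Role int

const (
	RoleUser Role = iota
	RoleStaffL1
	RoleDelegatedAdmin // holds "edit other users" but is not a system admin
	RoleSystemAdmin
)

type User struct {
	ID         string
	Role       Role
	Supervised []string // accounts whose tickets this user may read
}

type Directory map[string]*User

var ErrForbidden = errors.New("forbidden")

// check answers "may actor do this to target?"; newRole matters only for role changes.
type check func(actor, target *User, newRole Role) error

// vulnerableListCheck: any staff member may rewrite any account's list.
func vulnerableListCheck(actor, _ *User, _ Role) error {
	if actor.Role >= RoleStaffL1 {
		return nil
	}
	return ErrForbidden
}

// fixedListCheck: the list belongs to target; only target or a system admin may edit it.
func fixedListCheck(actor, target *User, _ Role) error {
	if actor.ID == target.ID || actor.Role == RoleSystemAdmin {
		return nil
	}
	return ErrForbidden
}

// vulnerableRoleCheck: "edit other users" suffices to modify anyone, system admins included.
func vulnerableRoleCheck(actor, _ *User, _ Role) error {
	if actor.Role >= RoleDelegatedAdmin {
		return nil
	}
	return ErrForbidden
}

// fixedRoleCheck adds the ceiling: only a system admin may modify a system
// admin, and nobody may hand out a role above their own.
func fixedRoleCheck(actor, target *User, newRole Role) error {
	if actor.Role < RoleDelegatedAdmin ||
		(target.Role == RoleSystemAdmin && actor.Role != RoleSystemAdmin) ||
		newRole > actor.Role {
		return ErrForbidden
	}
	return nil
}

// mutate resolves both accounts, runs the check, and only then applies fn.
func mutate(d Directory, actorID, targetID string, c check, newRole Role, fn func(*User)) error {
	actor, target := d[actorID], d[targetID]
	if actor == nil || target == nil {
		return errors.New("unknown user")
	}
	if err := c(actor, target, newRole); err != nil {
		return err
	}
	fn(target)
	return nil
}

// setSupervised is the "edit supervised users" endpoint; setRole the "edit user" one.
func setSupervised(d Directory, c check, actorID, targetID string, list []string) error {
	return mutate(d, actorID, targetID, c, RoleUser, func(u *User) { u.Supervised = list })
}
func setRole(d Directory, c check, actorID, targetID string, r Role) error {
	return mutate(d, actorID, targetID, c, r, func(u *User) { u.Role = r })
}

// sampleDirectory is constructed data for the demonstration.
func sampleDirectory() Directory {
	return Directory{
		"alice": {ID: "alice", Role: RoleStaffL1},
		"bob":   {ID: "bob", Role: RoleUser},
		"carol": {ID: "carol", Role: RoleUser},
		"dave":  {ID: "dave", Role: RoleDelegatedAdmin},
		"root":  {ID: "root", Role: RoleSystemAdmin},
	}
}

func main() {
	// If the first write succeeds, bob gains read access to carol's tickets.
	fmt.Println("alice rewrites bob's list, vulnerable:", setSupervised(sampleDirectory(), vulnerableListCheck, "alice", "bob", []string{"carol"}))
	fmt.Println("alice rewrites bob's list, fixed:", setSupervised(sampleDirectory(), fixedListCheck, "alice", "bob", []string{"carol"}))
	fmt.Println("dave demotes root, vulnerable:", setRole(sampleDirectory(), vulnerableRoleCheck, "dave", "root", RoleUser))
	fmt.Println("dave demotes root, fixed:", setRole(sampleDirectory(), fixedRoleCheck, "dave", "root", RoleUser))
}
```

Both fixed checks take the target as an input. That is the common thread in this batch of CVEs: a check that inspects only the caller answers "is this user allowed to use this endpoint at all?", which is a different question from "is this user allowed to do this to that object?".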