Vulnerabilities (CVE)

Filtered by CWE-863
Total 2061 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-3960 1 Withstars 1 Books-management-system 2025-05-12 7.5 HIGH 7.3 HIGH
A vulnerability was found in withstars Books-Management-System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /allreaders.html of the component Background Interface. The manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-3963 1 Withstars 1 Books-management-system 2025-05-12 7.5 HIGH 7.3 HIGH
A vulnerability, which was classified as critical, has been found in withstars Books-Management-System 1.0. This issue affects some unknown processing of the file /admin/article/list of the component Background Interface. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2022-42975 1 Phoenixframework 1 Phoenix 2025-05-10 N/A 7.5 HIGH
socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.
CVE-2023-23918 1 Nodejs 1 Node.js 2025-05-08 N/A 7.5 HIGH
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
CVE-2025-36546 2025-05-08 N/A 8.1 HIGH
On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an attacker to exploit this vulnerability they must obtain the root user's SSH private key.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2025-46265 2025-05-08 N/A 8.8 HIGH
On F5OS, an improper authorization vulnerability exists where remotely authenticated users (LDAP, RADIUS, TACACS+) may be authorized with higher privilege F5OS roles. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2025-3272 2025-05-08 N/A N/A
Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager.  The vulnerability could allow authenticated users to change their password without providing their old password. This issue affects Operations Bridge Manager: 24.2, 24.4.
CVE-2025-3476 2025-05-08 N/A N/A
Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allows privilege escalation by authenticated users.This issue affects Operations Bridge Manager: 2023.05, 23.4, 24.2, 24.4.
CVE-2024-2557 1 Kishor-23 1 Food Waste Management System 2025-05-07 5.0 MEDIUM 5.3 MEDIUM
A vulnerability was found in kishor-23 Food Waste Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/admin.php. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257056. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-3609 2025-05-07 N/A 5.3 MEDIUM
The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation.
CVE-2024-37002 1 Autodesk 9 Advance Steel, Autocad, Autocad Architecture and 6 more 2025-05-06 N/A 7.8 HIGH
A maliciously crafted MODEL file, when parsed in ASMkern229A.dllthrough Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process.
CVE-2023-6036 1 Miniorange 1 Web3 - Crypto Wallet Login \& Nft Token Gating 2025-05-06 N/A 9.8 CRITICAL
The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
CVE-2025-3879 2025-05-05 N/A 6.6 MEDIUM
Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.
CVE-2022-42788 1 Apple 1 Macos 2025-05-05 N/A 5.5 MEDIUM
A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in macOS Ventura 13. A malicious application may be able to read sensitive location information.
CVE-2022-22967 1 Saltstack 1 Salt 2025-05-05 6.5 MEDIUM 8.8 HIGH
An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
CVE-2021-37409 1 Intel 26 Killer Ac 1550, Killer Ac 1550 Firmware, Killer Wi-fi 6 Ax1650 and 23 more 2025-05-05 N/A 7.8 HIGH
Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2023-3920 1 Gitlab 1 Gitlab 2025-05-05 N/A 4.3 MEDIUM
An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation.
CVE-2023-3444 1 Gitlab 1 Gitlab 2025-05-05 N/A 5.7 MEDIUM
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches.
CVE-2024-57683 1 Dlink 2 Dir-816, Dir-816 Firmware 2025-05-02 N/A 4.3 MEDIUM
An access control issue in the component websURLFilterAddDel of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the filter settings of the device via a crafted POST request.
CVE-2024-57681 1 Dlink 2 Dir-816, Dir-816 Firmware 2025-05-02 N/A 5.3 MEDIUM
An access control issue in the component form2alg.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the agl service of the device via a crafted POST request.