Total
5748 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-41343 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'email' in '/backend/api/users/searchUserByEmail.php'. | ||||
| CVE-2025-41344 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_archivo' in '/backend/api/verArchivo.php'. | ||||
| CVE-2025-41345 | 1 Canaldenuncia | 2 Canaldenuncia.app, Canaldenuncia App | 2025-11-05 | 7.5 High |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'id_user' in '/backend/api/buscarDenunciasById.php'. | ||||
| CVE-2025-50171 | 1 Microsoft | 6 Server, Windows, Windows Server and 3 more | 2025-11-04 | 9.1 Critical |
| Missing authorization in Remote Desktop Server allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-64150 | 1 Jenkins | 2 Jenkins, Publish To Bitbucket | 2025-11-04 | 5.4 Medium |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2025-64148 | 1 Jenkins | 2 Jenkins, Publish To Bitbucket | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | ||||
| CVE-2025-64142 | 1 Jenkins | 2 Jenkins, Nexus Task Runner | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | ||||
| CVE-2025-64139 | 1 Jenkins | 2 Jenkins, Start Windocks Container | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | ||||
| CVE-2025-64137 | 1 Jenkins | 2 Jenkins, Themis | 2025-11-04 | 4.3 Medium |
| A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | ||||
| CVE-2025-64132 | 1 Jenkins | 1 Jenkins | 2025-11-04 | 5.4 Medium |
| Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain information about job and cloud configuration they should not be able to access. | ||||
| CVE-2025-59475 | 1 Jenkins | 1 Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed). | ||||
| CVE-2025-59474 | 1 Jenkins | 1 Jenkins | 2025-11-04 | 5.3 Medium |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget. | ||||
| CVE-2025-58460 | 1 Jenkins | 2 Jenkins, Opentelemetry | 2025-11-04 | 4.2 Medium |
| A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2025-49829 | 1 Cyberark | 1 Conjur | 2025-11-04 | 6.5 Medium |
| Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. | ||||
| CVE-2025-11758 | 2 Codebangers, Wordpress | 2 All In One Time Clock Lite, Wordpress | 2025-11-04 | 6.5 Medium |
| The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules). | ||||
| CVE-2025-12350 | 1 Wordpress | 1 Wordpress | 2025-11-04 | 5.3 Medium |
| The DominoKit plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wp_ajax_nopriv_dominokit_option_admin_action AJAX endpoint in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to update plugin settings. | ||||
| CVE-2025-10896 | 3 Elementor, Litonice13, Wordpress | 3 Elementor, Image Hover Effects For Elementor, Wordpress | 2025-11-04 | 8.8 High |
| Multiple plugins for WordPress with the Jewel Theme Recommended Plugins Library are vulnerable to Unrestricted Upload of File with Dangerous Type via arbitrary plugin installation in all versions up to, and including, 1.0.2.3. This is due to missing capability checks on the '*_recommended_upgrade_plugin' function which allows arbitrary plugin URLs to be installed. This makes it possible for authenticated attackers with subscriber-level access and above to upload arbitrary plugin packages to the affected site's server via a crafted plugin URL, which may make remote code execution possible. | ||||
| CVE-2023-42896 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-11-04 | 5.5 Medium |
| An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Monterey 12.7.2, macOS Ventura 13.6.3, iOS 17.2 and iPadOS 17.2, iOS 16.7.3 and iPadOS 16.7.3, macOS Sonoma 14.2. An app may be able to modify protected parts of the file system. | ||||
| CVE-2023-39167 | 1 Enbw | 2 Senec Storage Box, Senec Storage Box Firmware | 2025-11-04 | 7.5 High |
| In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data. | ||||
| CVE-2024-23230 | 1 Apple | 1 Macos | 2025-11-04 | 5.5 Medium |
| This issue was addressed with improved file handling. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to access sensitive user data. | ||||