| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Atarim: from n/a through <= 4.2.1. |
| Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HAPPY: from n/a through <= 1.0.8. |
| Missing Authorization vulnerability in WP Legal Pages WPLegalPages wplegalpages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPLegalPages: from n/a through <= 3.5.4. |
| Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schedula: from n/a through <= 1.0. |
| Missing Authorization vulnerability in Arya Dhiratara Optimize More! – Images optimize-more-images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Optimize More! – Images: from n/a through <= 1.1.3. |
| A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. |
| Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3. |
| Dell Repository Manager (DRM), versions prior to 3.4.8, contains an Uncontrolled Search Path Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary code execution and escalation of privileges. |
| Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an attacker could exploit an improper authentication issue. A successful exploit of this vulnerability might lead to information disclosure. |
| Dell Wyse Management Suite, versions prior to WMS 5.5, contain a Client-Side Enforcement of Server-Side Security vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability to Protection mechanism bypass. |
| Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Script Injection. |
| NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges. |
| NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges. |
| A vulnerability was found in Intelbras TIP 635G 1.12.3.5. This vulnerability affects unknown code of the component Ping Handler. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Use-after-free in the DOM: Core & HTML component. This vulnerability affects Firefox < 148 and Thunderbird < 148. |
| WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0. |
| Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue. |
