| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form functionality. Attackers can submit a POST request to the admin-ajax.php endpoint with the uabb-lf-google-submit action, a valid administrator email address, and a valid nonce to obtain session cookies and authenticate as that user. |
| Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by crafting specially formed HTTP requests. Attackers can exploit improper authentication handling to obtain the authentication status and privileges of a previously authenticated user without providing valid credentials. |
| The charging station websocket endpoint accepts connections without
proper authentication, which could lead to privilege escalation. |
| Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only. |
| Insufficient policy enforcement in XML in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) |
| Improper authentication in Windows RPC API allows an unauthorized attacker to elevate privileges over an adjacent network. |
| Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally. |
| Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally. |
| Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges over a network. |
| Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST requests to inject forged Mailjet and LOX24 event payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12. |
| Improper access control in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| Improper access control in Windows Kernel allows an authorized attacker to bypass a security feature locally. |
| Improper authorization in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network. |
| Improper authentication in Azure Spring Apps allows an authorized attacker to elevate privileges over a network. |
| Improper authorization in Windows Admin Center allows an authorized attacker to execute code locally. |
| Improper access control in Windows Server allows an authorized attacker to elevate privileges locally. |
| Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally. |
| Improper authorization in Windows Installer allows an authorized attacker to elevate privileges locally. |
| Improper access control in Extensible Storage Engine (ESENT) allows an authorized attacker to elevate privileges locally. |