Total
833 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-25276 | 2025-04-16 | 5.3 Medium | ||
| An unauthenticated attacker can hijack other users' devices and potentially control them. | ||||
| CVE-2025-31360 | 2025-04-16 | 6.5 Medium | ||
| Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | ||||
| CVE-2025-31147 | 2025-04-16 | 5.3 Medium | ||
| Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | ||||
| CVE-2025-24487 | 2025-04-16 | 5.3 Medium | ||
| An unauthenticated attacker can infer the existence of usernames in the system by querying an API. | ||||
| CVE-2025-24850 | 2025-04-16 | 5.3 Medium | ||
| An attacker can export other users' plant information. | ||||
| CVE-2025-27927 | 2025-04-16 | 5.3 Medium | ||
| An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API. | ||||
| CVE-2025-27561 | 2025-04-16 | 5.3 Medium | ||
| Unauthenticated attackers can rename "rooms" of arbitrary users. | ||||
| CVE-2025-24315 | 2025-04-16 | 5.3 Medium | ||
| Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users). | ||||
| CVE-2025-27929 | 2025-04-16 | 5.3 Medium | ||
| Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts. | ||||
| CVE-2022-31683 | 1 Pivotal Software | 1 Concourse | 2025-04-16 | 5.4 Medium |
| Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse user can send a request with body including :team_name=team2 to bypass team scope check to gain access to certain resources belong to any other team. | ||||
| CVE-2025-30257 | 2025-04-16 | 5.3 Medium | ||
| Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account. | ||||
| CVE-2025-31949 | 2025-04-16 | 5.3 Medium | ||
| An authenticated attacker can obtain any plant name by knowing the plant ID. | ||||
| CVE-2025-26977 | 1 Ninjateam | 1 Filebird | 2025-04-15 | 3.8 Low |
| Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filebird: from n/a through 6.4.2.1. | ||||
| CVE-2025-3574 | 2025-04-15 | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/obtenerFamiliaUsuario" endpoint. | ||||
| CVE-2025-3292 | 2025-04-15 | 4.3 Medium | ||
| The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to update other user's passwords, if they have access to the user ID and email. | ||||
| CVE-2025-3282 | 2025-04-15 | 5.3 Medium | ||
| The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. This makes it possible for unauthenticated attackers to update any user's membership to any other active or non-active membership type. | ||||
| CVE-2025-3575 | 2025-04-15 | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/establecerUsuarioSeleccion" endpoint. | ||||
| CVE-2024-33668 | 1 Zammad | 1 Zammad | 2025-04-15 | 9.1 Critical |
| An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to. | ||||
| CVE-2017-20101 | 1 Projectsend | 1 Projectsend | 2025-04-15 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in ProjectSend r754. This affects an unknown part of the file process.php?do=zip_download. The manipulation of the argument client/file leads to information disclosure. It is possible to initiate the attack remotely. | ||||
| CVE-2022-3876 | 1 Clickstudios | 1 Passwordstate | 2025-04-15 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This issue affects some unknown processing of the file /api/browserextension/UpdatePassword/ of the component API. The manipulation of the argument PasswordID leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier VDB-216245 was assigned to this vulnerability. | ||||