| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability classified as critical was found in code-projects Library System 1.0. Affected by this vulnerability is an unknown functionality of the file /profile.php. The manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-book.php. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface. |
| Veeam Backup Enterprise Manager allows high-privileged users to read backup session logs. |
| An authentication bypass vulnerability in Veeam Agent for Microsoft Windows allows for local privilege escalation. |
| Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a flaw in the authentication bypass logic allows unauthenticated requests to match certain unanchored regex patterns in the URL. Attackers can craft URLs containing substrings like "/api/items/1/cover" in a query parameter (?r=/api/items/1/cover) to partially bypass authentication or trigger server crashes under certain routes. This could lead to information disclosure of otherwise protected data and, in some cases, a complete denial of service (server crash) if downstream code expects an authenticated user object. Version 2.19.1 contains a patch for the issue. |
| The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001. |
| The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1
Modular Controller with CoDeSys and SoftMotion provide an undocumented
access method involving the FTP protocol, which could allow a remote attacker to execute arbitrary code or cause a denial of service (application
crash) via unspecified vectors. |
| The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to execute commands via the command-line interface in the TCP listener service or transfer files via requests to the TCP listener service. |
| An issue in NCR Terminal Handler v1.5.1 allows low-level privileged authenticated attackers to arbitrarily deactivate, lock, and delete user accounts via a crafted session cookie. |
| A vulnerability has been found in TOTOLINK A3000RU up to 5.9c.5185 and classified as problematic. This vulnerability affects unknown code of the file /cgi-bin/ExportIbmsConfig.sh of the component IBMS Configuration File Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| A vulnerability classified as problematic was found in TOTOLINK A3000RU up to 5.9c.5185. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/ExportSyslog.sh of the component Syslog Configuration File Handler. The manipulation leads to improper access controls. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. |
| Client side access control bypass in the permission component in
Devolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictions—specifically View Password, Edit Asset, and Edit Permissions by performing specific actions.
This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29. |
| Improper authorization in application password policy in Devolutions Remote Desktop Manager on Windows allows an authenticated user to
use a configuration different from the one mandated by the system administrators.
This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29. |
| ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product. |
| The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. |
| Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA. |
| If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.
Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.
Akka was affected by the same issue and has released the fix in version 1.6.1. |
| Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation. |
| Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable. |
