| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A client-side enforcement of server-side security in Fortinet FortiPortal version 6.0.0 through 6.0.14 allows attacker to improper access control via crafted HTTP requests. |
| An authorization bypass through user-controlled key vulnerability [CWE-639] in Fortinet FortiPortal version 7.0.0 through 7.0.3 allows an authenticated attacker to interact with ressources of other organizations via HTTP or HTTPS requests. |
| Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability |
| Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169. |
| Internet Connection Sharing (ICS) Denial of Service Vulnerability |
| Internet Connection Sharing (ICS) Remote Code Execution Vulnerability |
| Windows Remote Desktop Security Feature Bypass Vulnerability |
| DHCP Server Service Information Disclosure Vulnerability |
| Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability |
| Windows Media Remote Code Execution Vulnerability |
| Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
| Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability |
| Windows Bluetooth Driver Elevation of Privilege Vulnerability |
| Microsoft Office Information Disclosure Vulnerability |
| HTTP.sys Information Disclosure Vulnerability |
| Event Tracing for Windows Information Disclosure Vulnerability |
| Microsoft Office Visio Remote Code Execution Vulnerability |
| Windows Mark of the Web Security Feature Bypass Vulnerability |
| The QOCA aim from Quanta Computer has an Authorization Bypass Through User-Controlled Key vulnerability. By controlling the user ID parameter, remote attackers with regular privileges could access certain features as any user, modify any user's account information and privileges, leading to privilege escalation. |
| Khoj is a self-hostable artificial intelligence app. Prior to version 1.29.10, an Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the request. The vulnerability exists in the subscription endpoint at `/api/subscription`. The endpoint uses an email parameter as a direct reference to user subscriptions without verifying object ownership. While authentication is required, there is no authorization check to verify if the authenticated user owns the referenced subscription. The issue was fixed in version 1.29.10. Support for arbitrarily presenting an email for update has been deprecated. |
