CVE-2025-49829 Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) missing validations
Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allow authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted formerly Conjur...
CVE-2025-53895 ZITADEL has broken authN and authZ in session API and resulting session tokens
ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, a vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission chec...
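The bug class the ZITADEL entry describes, an authenticated caller modifying an object it does not own because the endpoint never checks ownership, shown as an added example in Go (the language ZITADEL is written in). This is illustrative code, not ZITADEL's API or code base: the Session type, the in-memory Store, the PATCH /sessions/{id} route shape and the bearer-token-as-user-ID shortcut are all assumptions made so the example runs offline. The same authentication-is-not-authorization point applies to the Juju /log entry further down this list.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

type Session struct{ ID, UserID, Note string } // hypothetical record, not ZITADEL's data model

// Store is an in-memory session store, again hypothetical and only here to make the example run.
type Store struct {
	mu       sync.Mutex
	sessions map[string]Session
}

func NewStore() *Store { return &Store{sessions: map[string]Session{}} }

func (s *Store) Get(id string) (Session, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	return sess, ok
}

func (s *Store) Put(sess Session) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[sess.ID] = sess
}

// callerFromRequest stands in for token verification. To stay offline, the bearer token value
// is simply the authenticated user's ID; a real service verifies a signed token here.
func callerFromRequest(r *http.Request) (string, bool) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) || len(h) == len(prefix) {
		return "", false
	}
	return h[len(prefix):], true
}

// sessionUpdateHandler serves PATCH /sessions/{id}. With checkOwner=false it reproduces the bug
// class: the caller is authenticated, but nothing ties the caller to the session being changed.
func sessionUpdateHandler(store *Store, checkOwner bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		caller, ok := callerFromRequest(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		id := strings.TrimPrefix(r.URL.Path, "/sessions/")
		sess, found := store.Get(id)
		if !found {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		// Authorization: authentication says who is calling, not whether they may touch this session.
		// Answering 404 rather than 403 avoids confirming to a guesser that the ID exists.
		if checkOwner && sess.UserID != caller {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		var body struct {
			Note string `json:"note"`
		}
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		sess.Note = body.Note
		store.Put(sess)
		w.WriteHeader(http.StatusOK)
	}
}

// tryUpdate sends one PATCH as caller against session id and returns the HTTP status code,
// which is what a tester probing for this bug class observes.
func tryUpdate(h http.Handler, caller, id, note string) int {
	body, _ := json.Marshal(map[string]string{"note": note})
	req := httptest.NewRequest(http.MethodPatch, "/sessions/"+id, strings.NewReader(string(body)))
	req.Header.Set("Authorization", "Bearer "+caller)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := NewStore()
	store.Put(Session{ID: "sess-1", UserID: "alice", Note: "set by alice"})
	for _, checkOwner := range []bool{false, true} {
		code := tryUpdate(sessionUpdateHandler(store, checkOwner), "bob", "sess-1", "set by bob")
		sess, _ := store.Get("sess-1")
		fmt.Printf("checkOwner=%v: status=%d note=%q\n", checkOwner, code, sess.Note)
	}
}
```

The test a pentester would run against such an endpoint is exactly what tryUpdate does: authenticate as one user, supply another user's object ID, and see whether the write lands. The fix is the single ownership comparison; which identifier is compared (user ID, tenant, or a granted permission) depends on the object, but some check between the caller and the target object must exist on every mutating route.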
CVE-2025-31267
An authentication issue was addressed with improved state management. This issue is fixed in App Store Connect 3.0. An attacker with physical access to an unlocked device may be able to view sensitive user information...
CVE-2023-39338
Enables an authenticated user's enrolled device to access a service protected by Sentry even if the user is not authorized to access that service under the Sentry policy. It does not enable the user to authenticate to or use the service; it just provides the tunnel access...
Vulnerabilities fixed in Zoom Clients
Zoom has fixed vulnerabilities in Zoom Clients, specifically versions for Linux, Windows, iOS and macOS. The vulnerabilities include incorrect certificate validation in Zoom Workplace for Linux, a buffer overflow in specific Zoom Clients for Windows, cross-site scripting in Zoom Clients for Window...
CVE-2025-31267
CVE-2025-31267: Apple App Store Connect had an authentication issue caused by problematic state management. It could allow an attacker with physical access to an unlocked device to view sensitive user information. The issue is fixed in App Store Connect 3.0. Affected version: App Store Connect p...
CVE-2025-7031
Missing Authentication for Critical Function vulnerability in Drupal Config Pages Viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Config Pages Viewer: from 0.0.0 before 1.0.4...
CVE-2025-53364
Summary (Parse Server - GraphQL Schema Information Disclosure, CVE-2025-53364) The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. This could expose API structure metadata (not actual data), potentially increasin...
CVE-2025-3396
GitLab EE CVE-2025-3396 affects all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2. The issue could allow authenticated project owners to bypass group-level forking restrictions by manipulating API requests. Connected sources confirm the vulnerability description across ...
PT-2025-29173 · Apple · App Store Connect
Name of the Vulnerable Software and Affected Versions: App Store Connect versions prior to 3.0 Description: An authentication issue existed and was addressed with improved state management. An attacker with physical access to an unlocked device may be able to view sensitive user information. Recommendations:...
GHSA-R64V-82FH-XC63 Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization
Impact Any user with a Juju account on a controller can read debug log messages from the /log endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. The log messages may contain sensitive information. Details The /log endpoint ...
GHSA-24CH-W38V-XMH8 Juju zip slip vulnerability via authenticated endpoint
Impact Any user with a Juju account on a controller can upload a charm to the /charms endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. A charm which exploits the zip slip vulnerability may be used to allow such a user to...
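The Juju /charms entry names a zip slip archive: an entry whose name contains "../" so that extraction writes outside the target directory. The added example below, in Go (the language Juju is written in), is not Juju's code; it builds a constructed archive in memory with one such entry and shows the path check an extractor needs before writing each file. The archiveEntry type, the error name ErrZipSlip, the charm-like file names and the refusal of symlink entries are assumptions made for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrZipSlip = errors.New("zip slip: entry path escapes extraction root")

type archiveEntry struct{ Name, Content string } // constructed sample entry for in-memory test archives

// safeEntryPath resolves name under root, rejecting absolute names and any name
// that, once cleaned, lands outside root ("../x", "hooks/../../x").
func safeEntryPath(root, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: absolute entry %q", ErrZipSlip, name)
	}
	target := filepath.Join(root, name) // Join cleans ".." segments first
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrZipSlip, name)
	}
	return target, nil
}

// extractArchive unpacks zr under root and stops at the first unsafe entry, returning the
// names written so far so the caller can discard the partial extract. Symlinks are refused too.
func extractArchive(zr *zip.Reader, root string) ([]string, error) {
	var written []string
	for _, f := range zr.File {
		target, err := safeEntryPath(root, f.Name)
		if err != nil {
			return written, err
		}
		if f.Mode()&os.ModeSymlink != 0 { // a link pointing outside root is the other classic escape
			return written, fmt.Errorf("symlink entry %q refused", f.Name)
		}
		if strings.HasSuffix(f.Name, "/") { // directory entry; parents are created per file below
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err == nil {
			_, err = io.Copy(out, rc)
			out.Close()
		}
		rc.Close()
		if err != nil {
			return written, err
		}
		written = append(written, f.Name)
	}
	return written, nil
}

// buildArchive writes constructed entries, in order, into an in-memory zip. Newer Go readers may
// flag "../" names (GODEBUG zipinsecurepath) yet still return a usable reader; safeEntryPath protects.
func buildArchive(entries []archiveEntry) (*zip.Reader, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e.Name)
		if err != nil {
			return nil, err
		}
		io.WriteString(fw, e.Content) // in-memory buffer; the write cannot fail here
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	if zr == nil {
		return nil, err
	}
	return zr, nil
}

func main() {
	root, _ := os.MkdirTemp("", "charm-")
	defer os.RemoveAll(root)
	zr, _ := buildArchive([]archiveEntry{{"metadata.yaml", "name: demo\n"}, {"../../escaped.txt", "outside\n"}})
	written, err := extractArchive(zr, root)
	fmt.Printf("written=%v err=%v\n", written, err)
}
```

The check is lexical (Join, then Rel back to the root), so it catches "../" segments anywhere in the name, not only at the start. It does not cover a symlink already present under root or created by an earlier entry, which is why symlink entries are refused outright here; an extractor that must support them has to resolve the real parent directory before each write.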
CVE-2025-7031 Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086
Missing Authentication for Critical Function vulnerability in Drupal Config Pages Viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Config Pages Viewer: from 0.0.0 before 1.0.4...
CVE-2024-52965
A missing critical step in authentication vulnerability CWE-304 in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user...
PT-2025-28756 · Unknown · Config Pages Viewer
Name of the Vulnerable Software and Affected Versions: Config Pages Viewer versions prior to 1.0.4 Description: The issue is related to missing authentication for critical functions in Config Pages Viewer, which can be exploited due to incorrectly configured access control security levels...
CVE-2025-7114
CVE-2025-7114 affects SimStudioAI sim up to commit 37786d371e17d35e0764e1b5cd519d873d90d97b. The flaw is in the POST handler of apps/sim/app/api/files/upload/route.ts (the session handler), where the request is processed without authentication, so the upload endpoint is reachable by remote, unauthenticated callers. Mul...