Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-44208

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-12 Jun, 2026 | 14:26
Updated At-12 Jun, 2026 | 14:26
Rejected At-
Credits

Frappe: IDOR in `submit_discussion()`

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:12 Jun, 2026 | 14:26
Updated At:12 Jun, 2026 | 14:26
Rejected At:
â–¼CVE Numbering Authority (CNA)
Frappe: IDOR in `submit_discussion()`

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.

Affected Products
Vendor
frappe
Product
frappe
Versions
Affected
  • < 15.107.0
  • < 16.17.0
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284: Improper Access Control
CWECWE-285CWE-285: Improper Authorization
Type: CWE
CWE ID: CWE-284
Description: CWE-284: Improper Access Control
Type: CWE
CWE ID: CWE-285
Description: CWE-285: Improper Authorization
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2
x_refsource_CONFIRM
Hyperlink: https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2
Resource:
x_refsource_CONFIRM
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:12 Jun, 2026 | 16:16
Updated At:12 Jun, 2026 | 16:17

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-284Primarysecurity-advisories@github.com
CWE-285Primarysecurity-advisories@github.com
CWE ID: CWE-284
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-285
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2security-advisories@github.com
N/A
Hyperlink: https://github.com/frappe/frappe/security/advisories/GHSA-xh7m-j2j2-82f2
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

44Records found
CVE-2026-44205
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-12 Jun, 2026 | 14:23
Updated-12 Jun, 2026 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe: Stored Cross-Site Scripting (XSS) in User Profile through Image Upload

Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0.

Action-Not Available
Vendor-frappe
Product-frappe
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-47739
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-12 Jun, 2026 | 14:22
Updated-12 Jun, 2026 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe: Stored XSS in Note

Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0.

Action-Not Available
Vendor-frappe
Product-frappe
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-53568
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-12 Jun, 2026 | 14:45
Updated-12 Jun, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe: Stored XSS in Frappe Report/List View via 'set_link_title_field_value'

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerablity in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.

Action-Not Available
Vendor-frappe
Product-frappe
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-34606
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.04% / 12.53%
||
7 Day CHG+0.01%
Published-02 Apr, 2026 | 17:50
Updated-07 Apr, 2026 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in Frappe LMS

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.

Action-Not Available
Vendor-frappefrappe
Product-learninglms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-47182
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-12 Jun, 2026 | 14:39
Updated-12 Jun, 2026 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe: Broken Access Control on Private Files

Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.

Action-Not Available
Vendor-frappe
Product-frappe
CWE ID-CWE-284
Improper Access Control
CVE-2026-44976
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-12 Jun, 2026 | 14:38
Updated-12 Jun, 2026 | 16:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe: IDOR in update_onboarding_step

Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.

Action-Not Available
Vendor-frappe
Product-frappe
CWE ID-CWE-284
Improper Access Control
CVE-2026-29077
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.07% / 21.51%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 20:22
Updated-09 Mar, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe: Broken Access Control in DocShare

Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0.

Action-Not Available
Vendor-frappefrappe
Product-frappefrappe
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-602
Client-Side Enforcement of Server-Side Security
CVE-2026-26977
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.01% / 2.84%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 00:56
Updated-20 Feb, 2026 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe Learning Management System exposes details of unpublished courses to unauthorized users

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release.

Action-Not Available
Vendor-frappe
Product-lms
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2026-27471
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.05% / 15.07%
||
7 Day CHG~0.00%
Published-21 Feb, 2026 | 06:38
Updated-24 Feb, 2026 | 18:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ERP: Document access through endpoints due to missing validation

ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1.

Action-Not Available
Vendor-frappefrappe
Product-erpnexterpnext
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-862
Missing Authorization
CVE-2026-40888
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 12.12%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 19:28
Updated-27 Apr, 2026 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe HR vulnerable to Improper Access Control

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.

Action-Not Available
Vendor-frappefrappe
Product-frappe_hrhrms
CWE ID-CWE-284
Improper Access Control
CVE-2026-40889
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 11.17%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 19:32
Updated-27 Apr, 2026 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe HR has Improper Access Control on Files

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.

Action-Not Available
Vendor-frappefrappe
Product-frappe_hrhrms
CWE ID-CWE-284
Improper Access Control
CVE-2025-11281
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-2.3||LOW
EPSS-0.05% / 14.51%
||
7 Day CHG~0.00%
Published-05 Oct, 2025 | 04:02
Updated-07 Oct, 2025 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe LMS Unpublished Course courses access control

A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.

Action-Not Available
Vendor-frappeFrappe
Product-learningLMS
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-5649
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.21% / 43.15%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 09:00
Updated-10 Jun, 2025 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Student Result Management System Register Interface new_user access control

A vulnerability classified as critical has been found in SourceCodester Student Result Management System 1.0. This affects an unknown part of the file /admin/core/new_user of the component Register Interface. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-razormistSourceCodester
Product-student_result_management_systemStudent Result Management System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2024-27891
Matching Score-4
Assigner-Arista Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Arista Networks, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.12% / 30.64%
||
7 Day CHG~0.00%
Published-04 Jun, 2026 | 22:08
Updated-05 Jun, 2026 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports.

On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.

Action-Not Available
Vendor-Arista Networks, Inc.
Product-EOS
CWE ID-CWE-284
Improper Access Control
CVE-2024-13103
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.13% / 31.65%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 10:00
Updated-02 May, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-816 A2 Virtual Service form2AddVrtsrv.cgi access control

A vulnerability, which was classified as critical, has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. This issue affects some unknown processing of the file /goform/form2AddVrtsrv.cgi of the component Virtual Service Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dir-816dir-816_firmwareDIR-816 A2
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2024-13106
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-1.81% / 83.23%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 11:31
Updated-02 May, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-816 A2 IP QoS form2IPQoSTcAdd access control

A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this issue is some unknown functionality of the file /goform/form2IPQoSTcAdd of the component IP QoS Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dir-816dir-816_firmwareDIR-816 A2
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2024-13105
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.15% / 35.20%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 11:00
Updated-02 May, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-816 A2 DHCPD Setting form2Dhcpd.cgi access control

A vulnerability has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/form2Dhcpd.cgi of the component DHCPD Setting Handler. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dir-816dir-816_firmwareDIR-816 A2
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2026-33951
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.11% / 28.54%
||
7 Day CHG+0.01%
Published-02 Apr, 2026 | 16:11
Updated-06 Apr, 2026 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
signalk-server: Unauthenticated Source Priorities Manipulation

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1.

Action-Not Available
Vendor-signalkSignalK
Product-signal_k_serversignalk-server
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-12901
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.14% / 33.93%
||
7 Day CHG~0.00%
Published-23 Dec, 2024 | 02:00
Updated-15 Jul, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FoxCMS API Endpoint Site.php improper authorization

A vulnerability classified as critical was found in FoxCMS up to 1.2. Affected by this vulnerability is an unknown functionality of the file /app/api/controller/Site.php of the component API Endpoint. The manipulation of the argument password leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-qianfoxn/a
Product-foxcmsFoxCMS
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2024-13108
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.15% / 35.20%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:31
Updated-02 May, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-816 A2 form2NetSniper.cgi access control

A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been declared as critical. This vulnerability affects unknown code of the file /goform/form2NetSniper.cgi. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dir-816dir-816_firmwareDIR-816 A2
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2024-13102
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.20% / 42.30%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 09:31
Updated-02 May, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-816 A2 DDNS Service access control

A vulnerability classified as critical was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. This vulnerability affects unknown code of the file /goform/DDNS of the component DDNS Service. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dir-816dir-816_firmwareDIR-816 A2
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3663
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-2.15% / 84.62%
||
7 Day CHG-0.64%
Published-16 Apr, 2025 | 02:31
Updated-12 May, 2025 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A3700R Password cstecgi.cgi setWiFiEasyGuestCfg access control

A vulnerability, which was classified as critical, has been found in TOTOLINK A3700R 9.1.2u.5822_B20200513. This issue affects the function setWiFiEasyCfg/setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi of the component Password Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-a3700ra3700r_firmwareA3700R
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3666
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.22% / 45.31%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 03:31
Updated-12 May, 2025 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A3700R cstecgi.cgi setDdnsCfg access control

A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513 and classified as critical. Affected by this issue is the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-a3700ra3700r_firmwareA3700R
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3665
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 50.35%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 03:00
Updated-22 Apr, 2025 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A3700R cstecgi.cgi setSmartQosCfg access control

A vulnerability has been found in TOTOLINK A3700R 9.1.2u.5822_B20200513 and classified as critical. Affected by this vulnerability is the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-a3700r_firmwarea3700rA3700R
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3667
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.22% / 45.31%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 04:31
Updated-12 May, 2025 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A3700R cstecgi.cgi setUPnPCfg access control

A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been classified as critical. This affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-a3700ra3700r_firmwareA3700R
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3668
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.22% / 45.31%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 04:31
Updated-12 May, 2025 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A3700R cstecgi.cgi setScheduleCfg access control

A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been declared as critical. This vulnerability affects the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-a3700ra3700r_firmwareA3700R
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3537
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.22% / 44.58%
||
7 Day CHG~0.00%
Published-13 Apr, 2025 | 12:00
Updated-05 Jun, 2025 | 19:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutorials-Website Employee Management System update-user.php improper authorization

A vulnerability was found in Tutorials-Website Employee Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/update-user.php. The manipulation of the argument ID leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-tutorials-websiteTutorials-Website
Product-employee_management_systemEmployee Management System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-3675
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.43% / 63.37%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 07:00
Updated-12 May, 2025 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A3700R cstecgi.cgi setL2tpServerCfg access control

A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been rated as critical. Affected by this issue is the function setL2tpServerCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-TOTOLINK
Product-a3700ra3700r_firmwareA3700R
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3237
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.26% / 49.65%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 10:00
Updated-28 May, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda FH1202 wrlwpsset access control

A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been rated as critical. This issue affects some unknown processing of the file /goform/wrlwpsset. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-fh1202_firmwarefh1202FH1202
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3236
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.30% / 54.18%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 09:31
Updated-28 May, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda FH1202 Web Management Interface VirSerDMZ access control

A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been declared as critical. This vulnerability affects unknown code of the file /goform/VirSerDMZ of the component Web Management Interface. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-fh1202_firmwarefh1202FH1202
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-2991
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.30% / 54.18%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 10:31
Updated-07 Apr, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda FH1202 Web Management Interface AdvSetWrlmacfilter access control

A vulnerability classified as critical has been found in Tenda FH1202 1.2.0.14(408). Affected is an unknown function of the file /goform/AdvSetWrlmacfilter of the component Web Management Interface. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-fh1202fh1202_firmwareFH1202
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-2994
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.39% / 60.24%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 12:00
Updated-07 Apr, 2025 | 14:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda FH1202 Web Management Interface qossetting access control

A vulnerability, which was classified as critical, was found in Tenda FH1202 1.2.0.14(408). This affects an unknown part of the file /goform/qossetting of the component Web Management Interface. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-fh1202fh1202_firmwareFH1202
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-2990
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 50.83%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 10:00
Updated-07 Apr, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda FH1202 Web Management Interface AdvSetWrlGstset access control

A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been rated as critical. This issue affects some unknown processing of the file /goform/AdvSetWrlGstset of the component Web Management Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-fh1202fh1202_firmwareFH1202
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-2995
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.21% / 43.46%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 12:31
Updated-01 Apr, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda FH1202 Web Management Interface SysToolChangePwd access control

A vulnerability has been found in Tenda FH1202 1.2.0.14(408) and classified as critical. This vulnerability affects unknown code of the file /goform/SysToolChangePwd of the component Web Management Interface. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-FH1202
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-2989
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 50.83%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 09:31
Updated-07 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda FH1202 Web Management Interface AdvSetWrl access control

A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been declared as critical. This vulnerability affects unknown code of the file /goform/AdvSetWrl of the component Web Management Interface. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-fh1202fh1202_firmwareFH1202
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-2996
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.35% / 58.14%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 13:00
Updated-01 Apr, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda FH1202 Web Management Interface SysToolDDNS access control

A vulnerability was found in Tenda FH1202 1.2.0.14(408) and classified as critical. This issue affects some unknown processing of the file /goform/SysToolDDNS of the component Web Management Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-FH1202
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-2992
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.30% / 54.18%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 11:00
Updated-07 Apr, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda FH1202 Web Management Interface AdvSetWrlsafeset access control

A vulnerability classified as critical was found in Tenda FH1202 1.2.0.14(408). Affected by this vulnerability is an unknown functionality of the file /goform/AdvSetWrlsafeset of the component Web Management Interface. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-fh1202fh1202_firmwareFH1202
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-2218
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.12% / 30.87%
||
7 Day CHG~0.00%
Published-12 Mar, 2025 | 00:31
Updated-25 Mar, 2025 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LoveCards LoveCardsV2 Setting other access control

A vulnerability has been found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This vulnerability affects unknown code of the file /api/system/other of the component Setting Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-lovecardsLoveCards
Product-lovecardsLoveCardsV2
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2024-10598
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.12% / 30.61%
||
7 Day CHG~0.00%
Published-31 Oct, 2024 | 21:31
Updated-04 Nov, 2024 | 19:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tongda OA Annual Leave data.php improper authorization

A vulnerability classified as critical was found in Tongda OA 11.2/11.3/11.4/11.5/11.6. This vulnerability affects unknown code of the file general/hr/setting/attendance/leave/data.php of the component Annual Leave Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-tongda2000Tongdatongda
Product-office_anywhereOAoa_2017
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2025-1007
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.43% / 62.93%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 08:40
Updated-31 Jul, 2025 | 12:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Authorization in /user/namespace/{namespace}/details

In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issues existed in /user/namespace/{namespace}/details/logo and allowed a user to change the logo.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-open_vsxOpenVSX
CWE ID-CWE-283
Unverified Ownership
CWE ID-CWE-285
Improper Authorization
CVE-2024-13107
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.20% / 42.30%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:00
Updated-02 May, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-816 A2 ACL form2LocalAclEditcfg.cgi access control

A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been classified as critical. This affects an unknown part of the file /goform/form2LocalAclEditcfg.cgi of the component ACL Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dir-816dir-816_firmwareDIR-816 A2
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3664
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 50.35%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 03:00
Updated-22 Apr, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A3700R cstecgi.cgi setWiFiEasyGuestCfg access control

A vulnerability, which was classified as critical, was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. Affected is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-a3700r_firmwarea3700rA3700R
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3674
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.36% / 58.63%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 07:00
Updated-22 Apr, 2025 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A3700R cstecgi.cgi setUrlFilterRules access control

A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been declared as critical. Affected by this vulnerability is the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-TOTOLINK
Product-a3700r_firmwarea3700rA3700R
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2024-13104
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.15% / 35.20%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 10:31
Updated-02 May, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-816 A2 WiFi Settings form2AdvanceSetup.cgi access control

A vulnerability, which was classified as critical, was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. Affected is an unknown function of the file /goform/form2AdvanceSetup.cgi of the component WiFi Settings Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dir-816dir-816_firmwareDIR-816 A2
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
Details not found