| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally. |
| Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally. |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure HDInsights allows an authorized attacker to perform spoofing over a network. |
| Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network. |
| Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network. |
| Azure Function Information Disclosure Vulnerability |
| Azure Arc Elevation of Privilege Vulnerability |
| Azure Front Door Elevation of Privilege Vulnerability |
| User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. |
| Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network. |
| Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally. |
| Exposure of sensitive information to an unauthorized actor in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network. |
| Improper input validation in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. |
| Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to elevate privileges locally. |
| Access of resource using incompatible type ('type confusion') in Desktop Window Manager allows an authorized attacker to elevate privileges locally. |
| A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume). |
| A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS). |
| PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification. |
| An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource. |
| A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to inject, tamper with, or forge log entries in \Nomad Branch.log via crafted data sent to the UDP network handler. This can impact log integrity and nonrepudiation. |
