CVE-2025-1007

MEDIUM Year: 2025
Weakness Type
CWE-283
View all →

Vulnerability Description

In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issues existed in /user/namespace/{namespace}/details/logo and allowed a user to change the logo.

Related Vulnerabilities

CVE-2021-24500

HIGH
CVSS:8.1(High)

Several AJAX actions available in the Workreap WordPress theme before 2.2.2 lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attac...

CWE-2832021

CVE-2021-24501

HIGH
CVSS:8.1(High)

The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting object...

CWE-2832021

CVE-2024-27903

HIGH
CVSS:7.2(High)

OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged O...

CWE-2832024

CVE-2025-47940

HIGH
CVSS:7.2(High)

TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend...

CWE-2832025

CVE-2022-29220

MEDIUM
CVSS:6.5(Medium)

github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit cre...

CWE-2832022

CVE-2024-1853

MEDIUM
CVSS:5.5(Medium)

Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.

CWE-2832024