Total
277416 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-23061 | 2025-01-15 | N/A | 9.0 CRITICAL | ||
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
|
|||||
CVE-2025-22394 | 2025-01-15 | N/A | 6.7 MEDIUM | ||
Dell Display Manager, versions prior to 2.3.2.18, contain a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to code execution and possibly privilege escalation.
|
|||||
CVE-2025-21101 | 2025-01-15 | N/A | 6.6 MEDIUM | ||
Dell Display Manager, versions prior to 2.3.2.20, contain a race condition vulnerability.
A local malicious user could potentially exploit this vulnerability during installation, leading to arbitrary folder or file deletion.
|
|||||
CVE-2025-23013 | 2025-01-15 | N/A | N/A | ||
In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may al ...
Show More |
|||||
CVE-2024-54982 | 2025-01-15 | N/A | 9.8 CRITICAL | ||
An issue in Quectel BC25 with firmware version BC25PAR01A06 allows attackers to bypass authentication via a crafted NAS message. NOTE: Quectel disputes this because the issue is in the chipset supply chain and is not localized to one or more Quectel products.
|
|||||
CVE-2024-13334 | 2025-01-15 | N/A | 6.1 MEDIUM | ||
The Car Demon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_condition' parameter in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
CVE-2024-50312 | 1 Redhat | 1 Openshift Container Platform | 2025-01-15 | N/A | 5.3 MEDIUM |
A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilitate the discovery of flaws or errors specific to the application's GraphQL implementation.
|
|||||
CVE-2025-21335 | 2025-01-15 | N/A | 7.8 HIGH | ||
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
|
|||||
CVE-2025-21334 | 2025-01-15 | N/A | 7.8 HIGH | ||
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
|
|||||
CVE-2024-55591 | 2025-01-15 | N/A | 9.8 CRITICAL | ||
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
|
|||||
CVE-2025-21333 | 2025-01-15 | N/A | 7.8 HIGH | ||
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
|
|||||
CVE-2025-0343 | 2025-01-15 | N/A | N/A | ||
Swift ASN.1 can be caused to crash when parsing certain BER/DER constructions. This crash is caused by a confusion in the ASN.1 library itself which assumes that certain objects can only be provided in either constructed or primitive forms, and will trigger a preconditionFailure if that constraint isn't met.
Importantly, these constraints are actually required to be true in DER, but that correctness wasn't enforced on the early node parser side so it was incorrect to rely on it later on in deco ...
Show More |
|||||
CVE-2025-22997 | 2025-01-15 | N/A | N/A | ||
A stored cross-site scripting (XSS) vulnerability in the prf_table_content component of Linksys E5600 Router Ver. 1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the desc parameter.
|
|||||
CVE-2025-22996 | 2025-01-15 | N/A | N/A | ||
A stored cross-site scripting (XSS) vulnerability in the spf_table_content component of Linksys E5600 Router Ver. 1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the desc parameter.
|
|||||
CVE-2025-21362 | 2025-01-15 | N/A | 8.4 HIGH | ||
Microsoft Excel Remote Code Execution Vulnerability
|
|||||
CVE-2025-21354 | 2025-01-15 | N/A | 8.4 HIGH | ||
Microsoft Excel Remote Code Execution Vulnerability
|
|||||
CVE-2024-57767 | 2025-01-15 | N/A | N/A | ||
MSFM before v2025.01.01 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /file/download.
|
|||||
CVE-2024-57766 | 2025-01-15 | N/A | N/A | ||
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField.
|
|||||
CVE-2024-57765 | 2025-01-15 | N/A | N/A | ||
MSFM before 2025.01.01 was discovered to contain a SQL injection vulnerability via the s_name parameter at table/list.
|
|||||
CVE-2024-57764 | 2025-01-15 | N/A | N/A | ||
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add.
|
|||||
CVE-2024-57763 | 2025-01-15 | N/A | N/A | ||
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField.
|
|||||
CVE-2024-57762 | 2025-01-15 | N/A | N/A | ||
MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file.
|
|||||
CVE-2024-57761 | 2025-01-15 | N/A | N/A | ||
An arbitrary file upload vulnerability in the parserXML() method of JeeWMS before v2025.01.01 allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
CVE-2024-57760 | 2025-01-15 | N/A | N/A | ||
JeeWMS before v2025.01.01 was discovered to contain a SQL injection vulnerability via the ReportId parameter at /core/CGReportDao.java.
|
|||||
CVE-2024-57757 | 2025-01-15 | N/A | N/A | ||
JeeWMS before v2025.01.01 was discovered to contain a permission bypass in the component /interceptors/AuthInterceptor.cava.
|
|||||
CVE-2024-50861 | 2025-01-15 | N/A | N/A | ||
The ip_mod_dns_key_form.cgi request in GestioIP v3.5.7 is vulnerable to Stored XSS. An attacker can inject malicious code into the "TSIG Key" field, which is saved in the database and triggers XSS when viewed, enabling data exfiltration and CSRF attacks.
|
|||||
CVE-2024-50859 | 2025-01-15 | N/A | N/A | ||
The ip_import_acl_csv request in GestioIP v3.5.7 is vulnerable to Reflected XSS. When a user uploads an improperly formatted file, the content may be reflected in the HTML response, allowing the attacker to execute malicious scripts or exfiltrate data.
|
|||||
CVE-2024-50858 | 2025-01-15 | N/A | N/A | ||
Multiple endpoints in GestioIP v3.5.7 are vulnerable to Cross-Site Request Forgery (CSRF). An attacker can execute actions via the admin's browser by hosting a malicious URL, leading to data modification, deletion, or exfiltration.
|
|||||
CVE-2024-50857 | 2025-01-15 | N/A | N/A | ||
The ip_do_job request in GestioIP v3.5.7 is vulnerable to Cross-Site Scripting (XSS). It allows data exfiltration and enables CSRF attacks. The vulnerability requires specific user permissions within the application to exploit successfully.
|
|||||
CVE-2024-48760 | 2025-01-15 | N/A | N/A | ||
An issue in GestioIP v3.5.7 allows a remote attacker to execute arbitrary code via the file upload function. The attacker can upload a malicious perlcmd.cgi file that overwrites the original upload.cgi file, enabling remote command execution.
|
|||||
CVE-2024-57483 | 2025-01-14 | N/A | N/A | ||
Tenda i24 V2.0.0.5 is vulnerable to Buffer Overflow in the addWifiMacFilter function.
|
|||||
CVE-2024-57473 | 2025-01-14 | N/A | N/A | ||
H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the mac address editing function. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands by sending a POST request to /bin/webs.
|
|||||
CVE-2024-54730 | 2025-01-14 | N/A | N/A | ||
Flatnotes <v5.3.1 is vulnerable to denial of service through the upload image function.
|
|||||
CVE-2024-54142 | 2025-01-14 | N/A | 9.0 CRITICAL | ||
Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has been addressed in commit `92f122c`. Users are advised to update. Users unable to update may remove all groups from `ai bot public sharing allowed groups` site setting.
|
|||||
CVE-2024-53277 | 2025-01-14 | N/A | 5.4 MEDIUM | ||
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. This issue has been addressed in silverstrip ...
Show More |
|||||
CVE-2024-47605 | 2025-01-14 | N/A | 5.4 MEDIUM | ||
silverstripe-asset-admin is a silverstripe assets gallery for asset management. When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds f ...
Show More |
|||||
CVE-2024-42911 | 2025-01-14 | N/A | N/A | ||
ECOVACS Robotics Deebot T20 OMNI and T20e OMNI before 1.24.0 was discovered to contain a WiFi Remote Code Execution vulnerability.
|
|||||
CVE-2024-57482 | 2025-01-14 | N/A | N/A | ||
H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the 5G wireless network processing function. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands by sending a POST request to /bin/webs.
|
|||||
CVE-2024-57480 | 2025-01-14 | N/A | N/A | ||
H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the AP configuration function. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands by sending a POST request to /bin/webs.
|
|||||
CVE-2024-57479 | 2025-01-14 | N/A | N/A | ||
H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the mac address update function. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands by sending a POST request to /bin/webs.
|