Total
45 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-43491 | 2 Hp, Microsoft | 2 Poly Lens Desktop, Windows | 2026-01-16 | N/A | 9.8 CRITICAL |
|
A vulnerability in the Poly Lens Desktop application running on the Windows platform might allow modifications to the filesystem, which might lead to SYSTEM level privileges being granted.
|
|||||
| CVE-2025-12918 | 1 Yungifez | 1 Skuul | 2025-12-11 | 2.1 LOW | 3.1 LOW |
|
A security flaw has been discovered in yungifez Skuul School Management System up to 2.6.5. The impacted element is an unknown function of the file /dashboard/fees/fee-invoices/ of the component View Fee Invoice. Performing manipulation of the argument invoice_id results in improper control of resource identifiers. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been released to the publ ...
Show More |
|||||
| CVE-2025-12919 | 1 Evershop | 1 Evershop | 2025-12-11 | 2.6 LOW | 3.7 LOW |
|
A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disc ...
Show More |
|||||
| CVE-2023-6605 | 1 Ffmpeg | 1 Ffmpeg | 2025-11-03 | N/A | 7.2 HIGH |
|
A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
|
|||||
| CVE-2023-6604 | 1 Ffmpeg | 1 Ffmpeg | 2025-11-03 | N/A | 5.3 MEDIUM |
|
A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.
|
|||||
| CVE-2023-6602 | 1 Ffmpeg | 1 Ffmpeg | 2025-11-03 | N/A | 5.3 MEDIUM |
|
A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists.
|
|||||
| CVE-2023-6601 | 1 Ffmpeg | 1 Ffmpeg | 2025-11-03 | N/A | 4.7 MEDIUM |
|
A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
|
|||||
| CVE-2025-12270 | 1 Learnhouse | 1 Learnhouse | 2025-10-31 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was determined in LearnHouse up to 98dfad76aad70711a8113f6c1fdabfccf10509ca. The impacted element is an unknown function of the file /api/v1/assignments/{assignment_id}/tasks/{task_id}/sub_file of the component Student Assignment Submission Handler. This manipulation causes improper control of resource identifiers. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continious delivery with rolling releases is used by this product. T ...
Show More |
|||||
| CVE-2025-9263 | 1 Xuxueli | 1 Xxl-job | 2025-09-11 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Affected by this vulnerability is the function getJobsByGroup of the file /src/main/java/com/xxl/job/admin/controller/JobLogController.java. Such manipulation of the argument jobGroup leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-9264 | 1 Xuxueli | 1 Xxl-job | 2025-09-11 | 5.5 MEDIUM | 5.4 MEDIUM |
|
A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Affected by this issue is the function remove of the file /src/main/java/com/xxl/job/admin/controller/JobInfoController.java of the component Jobs Handler. Performing manipulation of the argument ID results in improper control of resource identifiers. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
|
|||||
| CVE-2025-8793 | 1 Litmuschaos | 1 Litmus | 2025-09-02 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic was found in LitmusChaos Litmus up to 3.19.0. Affected by this vulnerability is an unknown functionality. The manipulation of the argument projectID leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-9619 | 2025-08-29 | 5.0 MEDIUM | 5.3 MEDIUM | ||
|
A security flaw has been discovered in E4 Sistemas Mercatus ERP 2.00.019. The affected element is an unknown function of the file /basico/webservice/imprimir-danfe/id/. Performing manipulation results in improper control of resource identifiers. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-3855 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-08-01 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in CodeCanyon RISE Ultimate Project Manager 3.8.2 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php/team_members/save_profile_image/ of the component Profile Picture Handler. The manipulation of the argument profile_image_file leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-6534 | 1 Xxyopen | 1 Novel-plus | 2025-07-09 | 3.6 LOW | 4.2 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in xxyopen/201206030 novel-plus up to 5.1.3. This affects the function remove of the file novel-admin/src/main/java/com/java2nb/common/controller/FileController.java of the component File Handler. The manipulation leads to improper control of resource identifiers. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to t ...
Show More |
|||||
| CVE-2025-2410 | 2025-05-23 | N/A | 9.1 CRITICAL | ||
|
Port manipulation vulnerabilities in ASPECT provide attackers with the ability to con-trol TCP/IP port access if session administrator credentials become compromised.
This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
|
|||||
| CVE-2017-5159 | 1 Phoenixcontact | 1 Mguard Firmware | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered on Phoenix Contact mGuard devices that have been updated to Version 8.4.0. When updating an mGuard device to Version 8.4.0 via the update-upload facility, the update will succeed, but it will reset the password of the admin user to its default value.
|
|||||
| CVE-2025-0756 | 2025-04-17 | N/A | 9.1 CRITICAL | ||
|
Overview
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)
Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources.
Impact
An attacker coul ...
Show More |
|||||
| CVE-2025-3405 | 2025-04-08 | 4.0 MEDIUM | 4.3 MEDIUM | ||
|
A vulnerability was found in FCJ Venture Builder appclientefiel 3.0.27. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /rest/cliente/ObterPedido/ of the component HTTP GET Request Handler. The manipulation of the argument ORDER_ID leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but d ...
Show More |
|||||
| CVE-2025-0625 | 1 Campcodes | 1 School Management Software | 2025-03-28 | 2.1 LOW | 3.1 LOW |
|
A vulnerability, which was classified as problematic, was found in CampCodes School Management Software 1.0. This affects an unknown part of the component Attachment Handler. The manipulation leads to improper control of resource identifiers. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-2125 | 1 Assaabloy | 1 Control Id Rhid | 2025-03-24 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability has been found in Control iD RH iD 25.2.25.0 and classified as problematic. This vulnerability affects unknown code of the file /v2/report.svc/comprovante_marcacao/?companyId=1 of the component PDF Document Handler. The manipulation of the argument nsr leads to improper control of resource identifiers. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-57971 | 2025-03-21 | N/A | 9.1 CRITICAL | ||
|
DataSourceResource.java in the SpagoBI API support in Knowage Server in KNOWAGE before 8.1.30 does not ensure that java:comp/env/jdbc/ occurs at the beginning of a JNDI Name.
|
|||||
| CVE-2024-4294 | 1 Phpgurukul | 1 Doctor Appointment Management System | 2025-03-10 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability, which was classified as critical, has been found in PHPGurukul Doctor Appointment Management System 1.0. Affected by this issue is some unknown functionality of the file /doctor/view-appointment-detail.php. The manipulation of the argument editid leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-262226 is the identifier assigned to this vulnerability.
|
|||||
| CVE-2025-1645 | 2025-02-25 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability classified as critical was found in Benner Connecta 1.0.5330. Affected by this vulnerability is an unknown functionality of the file /Usuarios/Usuario/EditarLogado/. The manipulation of the argument Handle leads to improper control of resource identifiers. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-1642 | 2025-02-25 | 4.0 MEDIUM | 4.3 MEDIUM | ||
|
A vulnerability was found in Benner ModernaNet up to 1.1.0. It has been declared as critical. This vulnerability affects unknown code of the file /AGE0000700/GetImageMedico?fooId=1. The manipulation of the argument fooId leads to improper control of resource identifiers. The attack can be initiated remotely. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component.
|
|||||
| CVE-2025-1575 | 2025-02-23 | 4.0 MEDIUM | 4.3 MEDIUM | ||
|
A vulnerability classified as problematic has been found in Harpia DiagSystem 12. Affected is an unknown function of the file /diagsystem/PACS/atualatendimento_jpeg.php. The manipulation of the argument cod/codexame leads to improper control of resource identifiers. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-4817 | 1 Campcodes | 1 Online Laundry Management System | 2025-02-20 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability has been found in Campcodes Online Laundry Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file manage_user.php of the component HTTP Request Parameter Handler. The manipulation of the argument id leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263938 is the identifier assigned to this vulnerability.
|
|||||
| CVE-2024-5706 | 2025-02-19 | N/A | 8.8 HIGH | ||
|
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI identifiers during the creation of Community Dashboards, allowing control of system-level data sources.
An attacker could gain acc ...
Show More |
|||||
| CVE-2024-7658 | 1 Projectsend | 1 Projectsend | 2025-01-13 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A vulnerability, which was classified as problematic, has been found in projectsend up to r1605. This issue affects the function get_preview of the file process.php. The manipulation leads to improper control of resource identifiers. The attack may be initiated remotely. Upgrading to version r1720 is able to address this issue. The patch is named eb5a04774927e5855b9d0e5870a2aae5a3dc5a08. It is recommended to upgrade the affected component.
|
|||||
| CVE-2024-0231 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 2.7 LOW |
|
A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits.
|
|||||
| CVE-2023-3517 | 1 Hitachi | 1 Pentaho Data Integration And Analytics | 2024-11-21 | N/A | 8.5 HIGH |
|
Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including
8.3.x does not restrict JNDI identifiers during the creation of XActions, allowing control of system level data sources.
|
|||||
| CVE-2023-2980 | 1 Abstrium | 1 Pydio Cells | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical was found in Abstrium Pydio Cells 4.2.0. This vulnerability affects unknown code of the component User Creation Handler. The manipulation leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230212.
|
|||||
| CVE-2022-3774 | 1 Train Scheduler App Project | 1 Train Scheduler App | 2024-11-21 | N/A | 5.4 MEDIUM |
|
A vulnerability was found in SourceCodester Train Scheduler App 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /train_scheduler_app/?action=delete. The manipulation of the argument id leads to improper control of resource identifiers. The attack may be launched remotely. The identifier of this vulnerability is VDB-212504.
|
|||||
| CVE-2022-39369 | 2 Apereo, Fedoraproject | 2 Phpcas, Fedora | 2024-11-21 | N/A | 8.0 HIGH |
|
phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in wor ...
Show More |
|||||
| CVE-2022-27670 | 1 Sap | 1 Sql Anywhere | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
SAP SQL Anywhere - version 17.0, allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server by crashing the server with some queries that use indirect identifiers.
|
|||||
| CVE-2022-1287 | 1 School Club Application System Project | 1 School Club Application System | 2024-11-21 | 7.5 HIGH | 6.5 MEDIUM |
|
A vulnerability classified as critical was found in School Club Application System 1.0. This vulnerability affects a request to the file /scas/classes/Users.php?f=save_user. The manipulation with a POST request leads to privilege escalation. The attack can be initiated remotely and does not require authentication. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2021-42360 | 1 Brainstormforce | 1 Starter Templates | 2024-11-21 | 3.5 LOW | 7.6 HIGH |
|
On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url ...
Show More |
|||||
| CVE-2021-22879 | 2 Fedoraproject, Nextcloud | 2 Fedora, Desktop | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.
|
|||||
| CVE-2020-8177 | 5 Debian, Fujitsu, Haxx and 2 more | 16 Debian Linux, M10-1, M10-1 Firmware and 13 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
|
|||||
| CVE-2020-6245 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
|
SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker with access to local instance, to inject file or code that can be executed by the application due to Improper Control of Resource Identifiers.
|
|||||
| CVE-2020-5230 | 1 Apereo | 1 Opencast | 2024-11-21 | 5.0 MEDIUM | 7.7 HIGH |
|
Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier ...
Show More |
|||||