Total
29869 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27010 | 1 Wondershare | 1 Dr.fone | 2025-03-03 | N/A | 7.8 HIGH |
|
Wondershare Dr.Fone v12.9.6 was discovered to contain weak permissions for the service WsDrvInst. This vulnerability allows attackers to escalate privileges via modifying or overwriting the executable.
|
|||||
| CVE-2025-1160 | 1 Remyandrade | 1 Employee Management System | 2025-03-03 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was found in SourceCodester Employee Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php. The manipulation of the argument username/password leads to use of default credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2023-25134 | 1 Mcafee | 1 Total Protection | 2025-02-28 | N/A | 6.7 MEDIUM |
|
McAfee Total Protection prior to 16.0.50 may allow an adversary (with full administrative access) to modify a McAfee specific Component Object Model (COM) in the Windows Registry. This can result in the loading of a malicious payload.
|
|||||
| CVE-2023-20929 | 1 Google | 1 Android | 2025-02-28 | N/A | 5.5 MEDIUM |
|
In sendHalfSheetCancelBroadcast of HalfSheetActivity.java, there is a possible way to learn nearby BT MAC addresses due to an unrestricted broadcast intent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-234442700
|
|||||
| CVE-2022-20467 | 1 Google | 1 Android | 2025-02-28 | N/A | 5.5 MEDIUM |
|
In isBluetoothShareUri of BluetoothOppUtility.java, there is a possible incorrect file read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-225880741
|
|||||
| CVE-2023-34188 | 1 Cesanta | 1 Mongoose | 2025-02-28 | N/A | 7.5 HIGH |
|
The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.
|
|||||
| CVE-2025-1262 | 1 Webfactoryltd | 1 Advanced Google Recaptcha | 2025-02-28 | N/A | 5.3 MEDIUM |
|
The Advanced Google reCaptcha plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.27 . This makes it possible for unauthenticated attackers to bypass the Built-in Math Captcha Verification.
|
|||||
| CVE-2024-47059 | 1 Acquia | 1 Mautic | 2025-02-27 | N/A | 4.3 MEDIUM |
|
When logging in with the correct username and incorrect weak password, the user receives the notification, that their password is too weak.
However when an incorrect username is provided alongside with a weak password, the application responds with ’Invalid credentials’ notification.
This difference could be used to perform username enumeration.
|
|||||
| CVE-2023-25589 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-02-27 | N/A | 9.8 CRITICAL |
|
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster compromise.
|
|||||
| CVE-2024-52052 | 3 Linux, Microsoft, Wowza | 3 Linux Kernel, Windows, Streaming Engine | 2025-02-26 | N/A | 7.2 HIGH |
|
Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code execution.
|
|||||
| CVE-2023-1305 | 1 Rapid7 | 2 Insightappsec, Insightcloudsec | 2025-02-26 | N/A | 8.1 HIGH |
|
An authenticated attacker can leverage an exposed “box” object to read and write arbitrary files from disk, provided those files can be parsed as yaml or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.
|
|||||
| CVE-2023-27094 | 1 Opengoofy | 1 Hippo4j | 2025-02-26 | N/A | 8.8 HIGH |
|
An issue found in OpenGoofy Hippo4j v.1.4.3 allows attackers to escalate privileges via the ThreadPoolController of the tenant Management module.
|
|||||
| CVE-2023-27875 | 3 Ibm, Linux, Microsoft | 3 Aspera Faspex, Linux Kernel, Windows | 2025-02-26 | N/A | 7.5 HIGH |
|
IBM Aspera Faspex 5.0.4 could allow a user to change other user's credentials due to improper access controls. IBM X-Force ID: 249847.
|
|||||
| CVE-2024-2745 | 1 Rapid7 | 1 Insightvm | 2025-02-25 | N/A | 3.3 LOW |
|
Rapid7's InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby, sensitive information is exposed through query strings in the URL when login is attempted before the page is fully loaded. This vulnerability allows attackers to acquire sensitive information such as passwords, auth tokens, usernames etc.
The vulnerability is remediated in version 6.6.244.
|
|||||
| CVE-2023-20964 | 1 Google | 1 Android | 2025-02-25 | N/A | 7.8 HIGH |
|
In multiple functions of MediaSessionRecord.java, there is a possible Intent rebroadcast due to a confused deputy. This could lead to local denial of service or escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-238177121
|
|||||
| CVE-2023-20957 | 1 Google | 1 Android | 2025-02-25 | N/A | 7.8 HIGH |
|
In onAttach of SettingsPreferenceFragment.java, there is a possible bypass of Factory Reset Protections due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-258422561
|
|||||
| CVE-2024-13318 | 1 Smartdatasoft | 1 Essential Wp Real Estate | 2025-02-25 | N/A | 5.3 MEDIUM |
|
The Essential WP Real Estate plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cl_delete_listing_func() function in all versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to delete arbitrary pages and posts.
|
|||||
| CVE-2023-20975 | 1 Google | 1 Android | 2025-02-25 | N/A | 7.8 HIGH |
|
In getAvailabilityStatus of EnableContentCapturePreferenceController.java, there is a possible way to bypass DISALLOW_CONTENT_CAPTURE due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-250573776
|
|||||
| CVE-2022-48350 | 1 Huawei | 2 Emui, Harmonyos | 2025-02-24 | N/A | 7.5 HIGH |
|
The HUAWEI Messaging app has a vulnerability of unauthorized file access. Successful exploitation of this vulnerability may affect confidentiality.
|
|||||
| CVE-2024-12041 | 1 Wpwax | 1 Directorist | 2025-02-24 | N/A | 5.3 MEDIUM |
|
The Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.0.12 via the /wp-json/directorist/v1/users/ endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including including usernames, email addresses, names, and more information about users.
|
|||||
| CVE-2025-0366 | 1 Artbees | 1 Jupiter X Core | 2025-02-24 | N/A | 8.8 HIGH |
|
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an at ...
Show More |
|||||
| CVE-2024-12314 | 1 Megaoptim | 1 Rapid Cache | 2025-02-24 | N/A | 7.2 HIGH |
|
The Rapid Cache plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 1.2.3. This is due to plugin storing HTTP headers in the cached data. This makes it possible for unauthenticated attackers to poison the cache with custom HTTP headers that may be unsanitized which can lead to Cross-Site Scripting.
|
|||||
| CVE-2023-6937 | 1 Wolfssl | 1 Wolfssl | 2025-02-21 | N/A | 5.3 MEDIUM |
|
wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the Serv ...
Show More |
|||||
| CVE-2023-20558 | 1 Amd | 178 Athlon Gold 3150u, Athlon Gold 3150u Firmware, Athlon Silver 3050u and 175 more | 2025-02-20 | N/A | 8.8 HIGH |
|
Insufficient control flow management in AmdCpmOemSmm may allow a privileged attacker to tamper with the SMM handler potentially leading to an escalation of privileges.
|
|||||
| CVE-2022-44634 | 1 Villatheme | 1 S2w - Import Shopify To Woocommerce | 2025-02-20 | N/A | 4.9 MEDIUM |
|
Auth. (admin+) Arbitrary File Read vulnerability in S2W – Import Shopify to WooCommerce plugin <= 1.1.12 on WordPress.
|
|||||
| CVE-2022-40216 | 1 Wordplus | 1 Better Messages | 2025-02-20 | N/A | 4.3 MEDIUM |
|
Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress.
|
|||||
| CVE-2022-40208 | 1 Moodle | 1 Moodle | 2025-02-20 | N/A | 4.3 MEDIUM |
|
In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.
|
|||||
| CVE-2024-2917 | 1 Campcodes | 1 House Rental Management System | 2025-02-20 | 5.5 MEDIUM | 5.4 MEDIUM |
|
A vulnerability was found in Campcodes House Rental Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file index.php. The manipulation of the argument page leads to file inclusion. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257983.
|
|||||
| CVE-2024-4818 | 1 Campcodes | 1 Online Laundry Management System | 2025-02-20 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A vulnerability was found in Campcodes Online Laundry Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /index.php. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263939.
|
|||||
| CVE-2024-28114 | 1 Peering-manager | 1 Peering Manager | 2025-02-20 | N/A | 8.1 HIGH |
|
Peering Manager is a BGP session management tool. There is a Server Side Template Injection vulnerability that leads to Remote Code Execution in Peering Manager <=1.8.2. As a result arbitrary commands can be executed on the operating system that is running Peering Manager. This issue has been addressed in version 1.8.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
|
|||||
| CVE-2024-56511 | 1 Dataease | 1 Dataease | 2025-02-20 | N/A | 9.8 CRITICAL |
|
DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which can be bypassed and cause the risk of unauthorized access. In the io.dataease.auth.filter.TokenFilter class, ”request.getRequestURI“ is used to obtain the request URL, and it is passed to the "WhitelistUtils.match" method to determine whether the URL request is an interface that does not require authentication. The "match" met ...
Show More |
|||||
| CVE-2022-46397 | 1 Lfprojects | 1 Vector Packet Processor | 2025-02-19 | N/A | 7.5 HIGH |
|
FP.io VPP (Vector Packet Processor) 22.10, 22.06, 22.02, 21.10, 21.06, 21.01, 20.09, 20.05, 20.01, 19.08, and 19.04 Generates a Predictable IV with CBC Mode.
|
|||||
| CVE-2020-15945 | 1 Lua | 1 Lua | 2025-02-19 | 2.1 LOW | 5.5 MEDIUM |
|
Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.
|
|||||
| CVE-2022-3787 | 1 Redhat | 2 Device-mapper-multipath, Enterprise Linux | 2025-02-18 | N/A | 7.8 HIGH |
|
A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.
|
|||||
| CVE-2022-47542 | 1 Red-gate | 1 Sql Monitor | 2025-02-18 | N/A | 8.8 HIGH |
|
Red Gate SQL Monitor 11.0.14 through 12.1.46 has Incorrect Access Control, exploitable remotely for Escalation of Privileges.
|
|||||
| CVE-2024-7809 | 1 Tamparongj03 | 1 Online Graduate Tracer System | 2025-02-18 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A vulnerability was found in SourceCodester Online Graduate Tracer System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /tracking/nbproject/. The manipulation leads to exposure of information through directory listing. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-8584 | 1 Learningdigital | 1 Orca Hcm | 2025-02-17 | N/A | 9.8 CRITICAL |
|
Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in.
|
|||||
| CVE-2023-28877 | 1 Vtex | 1 Apps-graphql | 2025-02-14 | N/A | 7.5 HIGH |
|
The VTEX [email protected] GraphQL API module does not properly restrict unauthorized access to private configuration data. ([email protected] is unaffected by this issue.)
|
|||||
| CVE-2024-20840 | 2 Google, Samsung | 2 Android, Voice Recorder | 2025-02-14 | N/A | 5.7 MEDIUM |
|
Improper access control in Samsung Voice Recorder prior to versions 21.5.16.01 in Android 12 and Android 13, 21.4.51.02 in Android 14 allows physical attackers using hardware keyboard to use VoiceRecorder on the lock screen.
|
|||||
| CVE-2023-4809 | 1 Freebsd | 1 Freebsd | 2025-02-13 | N/A | 7.5 HIGH |
|
In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is.
As a result, IPv6 fragments may bypass pf firewall ru ...
Show More |
|||||