Vulnerabilities (CVE)

Filtered by CWE-284
Total 3082 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-1646 2025-02-25 7.5 HIGH 7.3 HIGH
A vulnerability, which was classified as critical, has been found in Lumsoft ERP 8. Affected by this issue is some unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx of the component ASPX File Handler. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-1355 1 Needyamin 1 Library Card System 2025-02-25 7.5 HIGH 7.3 HIGH
A vulnerability was found in needyamin Library Card System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /signup.php of the component Add Picture. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-27140 2025-02-24 N/A N/A
WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely. The command is basically a command to move a temporary file, so a webshell upload is also possible. Version 3.2.15 contains a patch for the issue.
CVE-2024-13229 1 Rankmath 1 Seo 2025-02-24 N/A 4.3 MEDIUM
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the update_metadata() function in all versions up to, and including, 1.0.235. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete any schema metadata assigned to any post.
CVE-2025-1555 2025-02-24 7.5 HIGH 7.3 HIGH
A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. This vulnerability affects the function saveImage. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-1595 2025-02-23 5.0 MEDIUM 5.3 MEDIUM
A vulnerability has been found in Anhui Xufan Information Technology EasyCVR up to 2.7.0 and classified as problematic. This vulnerability affects unknown code of the file /api/v1/getbaseconfig. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-1593 2025-02-23 5.8 MEDIUM 4.7 MEDIUM
A vulnerability classified as critical has been found in SourceCodester Best Employee Management System 1.0. This affects an unknown part of the file /_hr_soft/assets/uploadImage/Profile/ of the component Profile Picture Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely.
CVE-2024-34068 1 Pterodactyl 1 Wings 2025-02-21 N/A 6.4 MEDIUM
Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the `api.disable_remote_download` option as a workaround.
CVE-2022-31475 1 Givewp 1 Givewp 2025-02-20 N/A 5.5 MEDIUM
Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress.
CVE-2022-41652 1 Expresstech 1 Quiz And Survey Master 2025-02-20 N/A 6.5 MEDIUM
Bypass vulnerability in Quiz And Survey Master plugin <= 7.3.10 on WordPress.
CVE-2022-41155 1 Webence 1 Iq Block Country 2025-02-20 N/A 5.3 MEDIUM
Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress.
CVE-2022-40216 1 Wordplus 1 Better Messages 2025-02-20 N/A 4.3 MEDIUM
Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress.
CVE-2020-35546 2025-02-20 N/A 9.1 CRITICAL
Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings.
CVE-2023-27517 1 Intel 16 Nma1xxd128gpsu4, Nma1xxd128gpsuf, Nma1xxd256gpsu4 and 13 more 2025-02-20 N/A 6.6 MEDIUM
Improper access control in some Intel(R) Optane(TM) PMem software before versions 01.00.00.3547, 02.00.00.3915, 03.00.00.0483 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2023-22311 1 Intel 7 Nma1xxd128gpsu4, Nma1xxd128gpsuf, Nma1xxd256gpsu4 and 4 more 2025-02-20 N/A 6.7 MEDIUM
Improper access control in some Intel(R) Optane(TM) PMem 100 Series Management Software before version 01.00.00.3547 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-13854 2025-02-19 N/A 4.3 MEDIUM
The Education Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.1 via the naedu_elementor_template shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, password protected, and restricted posts. This applies to posts created with Elementor only.
CVE-2022-47542 1 Red-gate 1 Sql Monitor 2025-02-18 N/A 8.8 HIGH
Red Gate SQL Monitor 11.0.14 through 12.1.46 has Incorrect Access Control, exploitable remotely for Escalation of Privileges.
CVE-2025-1165 2025-02-18 7.5 HIGH 7.3 HIGH
A vulnerability, which was classified as critical, was found in Lumsoft ERP 8. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-29140 1 Mediawiki 1 Mediawiki 2025-02-18 N/A 5.3 MEDIUM
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted.
CVE-2025-1390 2025-02-18 N/A 6.1 MEDIUM
The PAM module pam_cap.so of libcap supports group names starting with “@” in its configuration; during actual parsing, however, entries not starting with “@” are incorrectly recognized as group names. This may result in unintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.