Total
180 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5877 | 2025-06-12 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, has been found in Fengoffice Feng Office 3.2.2.1. Affected by this issue is some unknown functionality of the file /application/models/ApplicationDataObject.class.php of the component Document Upload Handler. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-1225 | 1 Yimihome | 1 Ywoa | 2025-06-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in ywoa up to 2024.07.03. This issue affects the function extract of the file c-main/src/main/java/com/redmoon/weixin/aes/XMLParse.java of the component WXCallBack Interface. The manipulation leads to xml external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2020-36772 | 1 Cloudlinux | 1 Cagefs | 2025-05-30 | N/A | 4.4 MEDIUM |
| CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment. | |||||
| CVE-2025-26684 | 1 Microsoft | 1 Defender For Endpoint | 2025-05-19 | N/A | 6.7 MEDIUM |
| External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2024-8207 | 2 Linux, Mongodb | 2 Linux Kernel, Mongodb | 2025-05-16 | N/A | 6.4 MEDIUM |
| In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3. Required Configuration: Only environments with Linux as the underlying operating system is affected by this issue | |||||
| CVE-2025-2875 | 2025-05-16 | N/A | 7.5 HIGH | ||
| CWE-610: Externally Controlled Reference to a Resource in Another Sphere vulnerability exists that could cause a loss of confidentiality when an unauthenticated attacker manipulates controller’s webserver URL to access resources. | |||||
| CVE-2024-42168 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 8.9 HIGH |
| HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability. An attacker can deploy a web server that returns malicious content, and then induce the application to retrieve and process that content. | |||||
| CVE-2025-22144 | 1 Namelessmc | 1 Nameless | 2025-05-13 | N/A | 9.8 CRITICAL |
| NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= and reset the password. As a result an attacker may compromise another users password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-43428 | 1 Jenkins | 2 Compuware Topaz For Total Test, Jenkins | 2025-05-08 | N/A | 5.3 MEDIUM |
| Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. | |||||
| CVE-2022-43423 | 1 Jenkins | 2 Compuware Source Code Download For Endevor\, Pds\, And Ispw, Jenkins | 2025-05-08 | N/A | 5.3 MEDIUM |
| Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. | |||||
| CVE-2022-42893 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2025-04-30 | N/A | 7.5 HIGH |
| A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write data in any folder accessible to the account assigned to the website’s application pool. | |||||
| CVE-2022-42732 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2025-04-29 | N/A | 7.5 HIGH |
| A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be retrieved from any folder accessible to the account assigned to the website’s application pool. | |||||
| CVE-2022-42891 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2025-04-29 | N/A | 7.5 HIGH |
| A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write data in any folder accessible to the account assigned to the website’s application pool. | |||||
| CVE-2022-42734 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2025-04-29 | N/A | 7.5 HIGH |
| A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write data in any folder accessible to the account assigned to the website’s application pool. | |||||
| CVE-2022-42733 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2025-04-29 | N/A | 7.5 HIGH |
| A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be retrieved from any folder accessible to the account assigned to the website’s application pool. | |||||
| CVE-2022-20199 | 1 Google | 1 Android | 2025-04-21 | N/A | 5.5 MEDIUM |
| In multiple locations of NfcService.java, there is a possible disclosure of NFC tags due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-199291025 | |||||
| CVE-2017-15269 | 1 Psftp | 1 Psftpd | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| The PSFTPd 10.0.4 Build 729 server does not prevent FTP bounce scans by default. These can be performed using "nmap -b" and allow performing scans via the FTP server. | |||||
| CVE-2017-0211 | 1 Microsoft | 5 Windows 10, Windows 8.1, Windows Rt 8.1 and 2 more | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| An elevation of privilege vulnerability exists in Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 versions of Microsoft Windows OLE when it fails an integrity-level check, aka "Windows OLE Elevation of Privilege Vulnerability." | |||||
| CVE-2022-20550 | 1 Google | 1 Android | 2025-04-18 | N/A | 7.8 HIGH |
| In Multiple Locations, there is a possibility to launch arbitrary protected activities due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-242845514 | |||||
| CVE-2022-20515 | 1 Google | 1 Android | 2025-04-18 | N/A | 5.5 MEDIUM |
| In onPreferenceClick of AccountTypePreferenceLoader.java, there is a possible way to retrieve protected files from the Settings app due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-220733496 | |||||