Total
4468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-31982 | 1 Xwiki | 1 Xwiki | 2025-01-21 | N/A | 10.0 CRITICAL |
| XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki. | |||||
| CVE-2024-31984 | 1 Xwiki | 1 Xwiki | 2025-01-21 | N/A | 9.9 CRITICAL |
| XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. As a workaround, manually apply the patch to the `Main.SolrSpaceFacet` page. | |||||
| CVE-2024-54724 | 2025-01-21 | N/A | 9.8 CRITICAL | ||
| PHPYun before 7.0.2 is vulnerable to code execution through backdoor-restricted arbitrary file writing and file inclusion. | |||||
| CVE-2025-0581 | 2025-01-20 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability classified as problematic has been found in CampCodes School Management Software 1.0. This affects an unknown part of the file /chat/group/send of the component Chat History. The manipulation of the argument message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0578 | 2025-01-20 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in Facile Sistemas Cloud Apps up to 20250107. It has been classified as problematic. Affected is an unknown function of the file /account/forgotpassword of the component Password Reset Handler. The manipulation of the argument reterros leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-0576 | 2025-01-20 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in Mobotix M15 4.3.4.83 and classified as problematic. This issue affects some unknown processing of the file /control/player?center&eventlist&pda&dummy_for_reload=1736177631&p_evt. The manipulation of the argument p_qual leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-0917 | 1 Paddlepaddle | 1 Paddlepaddle | 2025-01-19 | N/A | 9.8 CRITICAL |
| remote code execution in paddlepaddle/paddle 2.6.0 | |||||
| CVE-2025-0557 | 2025-01-18 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability classified as problematic has been found in Hyland Alfresco Community Edition and Alfresco Enterprise Edition up to 6.2.2. This affects an unknown part of the file /share/s/ of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2023-25953 | 1 Worksmobile | 1 Drive Explorer | 2025-01-17 | N/A | 9.8 CRITICAL |
| Code injection vulnerability in Drive Explorer for macOS versions 3.5.4 and earlier allows an attacker who can login to the client where the affected product is installed to inject arbitrary code while processing the product execution. Since a full disk access privilege is required to execute LINE WORKS Drive Explorer, the attacker may be able to read and/or write to arbitrary files without the access privileges. | |||||
| CVE-2023-47542 | 1 Fortinet | 1 Fortimanager | 2025-01-17 | N/A | 6.7 MEDIUM |
| A improper neutralization of special elements used in a template engine [CWE-1336] in FortiManager versions 7.4.1 and below, versions 7.2.4 and below, and 7.0.10 and below allows attacker to execute unauthorized code or commands via specially crafted templates. | |||||
| CVE-2023-45590 | 1 Fortinet | 1 Forticlient | 2025-01-17 | N/A | 9.6 CRITICAL |
| An improper control of generation of code ('code injection') in Fortinet FortiClientLinux version 7.2.0, 7.0.6 through 7.0.10 and 7.0.3 through 7.0.4 allows attacker to execute unauthorized code or commands via tricking a FortiClientLinux user into visiting a malicious website | |||||
| CVE-2025-0530 | 2025-01-17 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. This vulnerability affects unknown code of the file /_parse/_feedback_system.php. The manipulation of the argument type leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-29991 | 1 Microsoft | 1 Edge Chromium | 2025-01-17 | N/A | 5.0 MEDIUM |
| Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | |||||
| CVE-2024-4202 | 1 Progress | 1 Telerik Reporting | 2025-01-16 | N/A | 7.7 HIGH |
| In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure instantiation vulnerability. | |||||
| CVE-2023-30145 | 1 Tuzitio | 1 Camaleon Cms | 2025-01-16 | N/A | 9.8 CRITICAL |
| Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter. | |||||
| CVE-2024-10970 | 2025-01-16 | N/A | 5.4 MEDIUM | ||
| The The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. | |||||
| CVE-2025-0485 | 2025-01-15 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in Fanli2012 native-php-cms 1.0. It has been classified as problematic. Affected is an unknown function of the file /fladmin/sysconfig_doedit.php. The manipulation of the argument info leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-23061 | 2025-01-15 | N/A | 9.0 CRITICAL | ||
| Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900. | |||||
| CVE-2023-33440 | 1 Faculty Evaluation System Project | 1 Faculty Evaluation System | 2025-01-14 | N/A | 7.2 HIGH |
| Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user. | |||||
| CVE-2024-49375 | 2025-01-14 | N/A | 9.0 CRITICAL | ||
| Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: 1. The HTTP API must be enabled on the Rasa instance eg with `--enable-api`. This is not the default configuration. 2. For unauthenticated RCE to be exploitable, the user must not have configured any authentication or other security controls recommended in our documentation. 3. For authenticated RCE, the attacker must posses a valid authentication token or JWT to interact with the Rasa API. This issue has been addressed in rasa version 3.6.21 and all users are advised to upgrade. Users unable to upgrade should ensure that they require authentication and that only trusted users are given access. | |||||