Total
29422 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-0216 | 1 Debian | 1 Apache2 | 2025-04-29 | 4.4 MEDIUM | N/A |
| The default configuration of the apache2 package in Debian GNU/Linux squeeze before 2.2.16-6+squeeze7, wheezy before 2.2.22-4, and sid before 2.2.22-4, when mod_php or mod_rivet is used, provides example scripts under the doc/ URI, which might allow local users to conduct cross-site scripting (XSS) attacks, gain privileges, or obtain sensitive information via vectors involving localhost HTTP requests to the Apache HTTP Server. | |||||
| CVE-2025-0482 | 1 Native-php-cms Project | 1 Native-php-cms | 2025-04-29 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability, which was classified as critical, was found in Fanli2012 native-php-cms 1.0. This affects an unknown part of the file /fladmin/user_recoverpwd.php. The manipulation leads to use of default credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-44801 | 1 Dlink | 2 Dir-878, Dir-878 Firmware | 2025-04-29 | N/A | 9.8 CRITICAL |
| D-Link DIR-878 1.02B05 is vulnerable to Incorrect Access Control. | |||||
| CVE-2022-34827 | 1 Carel | 2 Boss Mini, Boss Mini Firmware | 2025-04-29 | N/A | 9.9 CRITICAL |
| Carel Boss Mini 1.5.0 has Improper Access Control. | |||||
| CVE-2022-44786 | 1 Maggioli | 1 Appalti \& Contratti | 2025-04-29 | N/A | 7.5 HIGH |
| An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET requests to each application. | |||||
| CVE-2022-44784 | 1 Maggioli | 1 Appalti \& Contratti | 2025-04-29 | N/A | 8.8 HIGH |
| An issue was discovered in Appalti & Contratti 9.12.2. The target web applications LFS and DL229 expose a set of services provided by the Axis 1.4 instance, embedded directly into the applications, as hinted by the WEB-INF/web.xml file leaked through Local File Inclusion. Among the exposed services, there is the Axis AdminService, which, through the default configuration, should normally be accessible only by the localhost. Nevertheless, by trying to access the mentioned service, both in LFS and DL229, the service can actually be reached even by remote users, allowing creation of arbitrary services on the server side. When an attacker can reach the AdminService, they can use it to instantiate arbitrary services on the server. The exploit procedure is well known and described in Generic AXIS-SSRF exploitation. Basically, the attack consists of writing a JSP page inside the root directory of the web application, through the org.apache.axis.handlers.LogHandler class. | |||||
| CVE-2022-41326 | 1 Mitel | 1 Micollab | 2025-04-29 | N/A | 9.8 CRITICAL |
| The web conferencing component of Mitel MiCollab through 9.6.0.13 could allow an unauthenticated attacker to upload arbitrary scripts due to improper authorization controls. A successful exploit could allow remote code execution within the context of the application. | |||||
| CVE-2022-40282 | 1 Belden | 2 Hirschmann Bat-c2, Hirschmann Bat-c2 Firmware | 2025-04-29 | N/A | 8.8 HIGH |
| The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection. This allows an authenticated attacker to pass commands to the shell of the system because the dir parameter of the FsCreateDir Ajax function is not sufficiently sanitized. The vendor's ID is BSECV-2022-21. | |||||
| CVE-2022-45475 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2025-04-29 | N/A | 6.5 MEDIUM |
| Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control. | |||||
| CVE-2022-44654 | 1 Trendmicro | 1 Apex One | 2025-04-29 | N/A | 7.5 HIGH |
| Affected builds of Trend Micro Apex One and Apex One as a Service contain a monitor engine component that is complied without the /SAFESEH memory protection mechanism which helps to monitor for malicious payloads. The affected component's memory protection mechanism has been updated to enhance product security. | |||||
| CVE-2022-39070 | 1 Zte | 4 Zxa10 C300m, Zxa10 C300m Firmware, Zxa10 C350m and 1 more | 2025-04-29 | N/A | 9.8 CRITICAL |
| There is an access control vulnerability in some ZTE PON OLT products. Due to improper access control settings, remote attackers could use the vulnerability to log in to the device and execute any operation. | |||||
| CVE-2022-41446 | 1 Record Management System Project | 1 Record Management System | 2025-04-28 | N/A | 5.4 MEDIUM |
| An access control issue in /Admin/dashboard.php of Record Management System using CodeIgniter v1.0 allows attackers to access and modify user data. | |||||
| CVE-2024-58136 | 1 Yiiframework | 1 Yii | 2025-04-28 | N/A | 9.0 CRITICAL |
| Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025. | |||||
| CVE-2024-8372 | 2 Angularjs, Netapp | 2 Angular.js, Active Iq Unified Manager | 2025-04-28 | N/A | 4.8 MEDIUM |
| Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . | |||||
| CVE-2024-20069 | 1 Mediatek | 17 Mt6833, Mt6853, Mt6855 and 14 more | 2025-04-25 | N/A | 6.5 MEDIUM |
| In modem, there is a possible selection of less-secure algorithm during the VoWiFi IKE due to a missing DH downgrade check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01286330; Issue ID: MSV-1430. | |||||
| CVE-2022-44037 | 1 Apsystems | 2 Ecu-c, Ecu-c Firmware | 2025-04-25 | N/A | 8.8 HIGH |
| An access control issue in APsystems ENERGY COMMUNICATION UNIT (ECU-C) Power Control Software V4.1NA, V3.11.4, W2.1NA, V4.1SAA, C1.2.2 allows attackers to access sensitive data and execute specific commands and functions with full admin rights without authenticating allows him to perform multiple attacks, such as attacking wireless network in the product's range. | |||||
| CVE-2024-3227 | 1 Weaver | 1 E-office | 2025-04-25 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in Panwei eoffice OA up to 9.5. It has been declared as critical. This vulnerability affects unknown code of the file /general/system/interface/theme_set/save_image.php of the component Backend. The manipulation of the argument image_type leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259072. | |||||
| CVE-2022-44211 | 1 Gl-inet | 1 Goodcloud | 2025-04-24 | N/A | 7.4 HIGH |
| In GL.iNet Goodcloud 1.1 Incorrect access control allows a remote attacker to access/change devices' settings. | |||||
| CVE-2020-35605 | 2 Debian, Kovidgoyal | 2 Debian Linux, Kitty | 2025-04-24 | 7.5 HIGH | 9.8 CRITICAL |
| The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message. | |||||
| CVE-2022-44929 | 1 D-link | 2 Dvg-g5402sp, Dvg-g5402sp Firmware | 2025-04-24 | N/A | 9.8 CRITICAL |
| An access control issue in D-Link DVG-G5402SP GE_1.03 allows unauthenticated attackers to escalate privileges via arbitrarily editing VoIP SIB profiles. | |||||