Total: 284430 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2019-9670 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-02-25 | 9.8 Critical | mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.
CVE-2022-27924 | 1 Zimbra | 1 Collaboration | 2025-02-25 | 7.5 High | Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.
CVE-2022-27925 | 1 Zimbra | 1 Collaboration | 2025-02-25 | 7.2 High | Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
CVE-2022-27926 | 1 Zimbra | 1 Collaboration | 2025-02-25 | 6.1 Medium | A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
CVE-2024-45519 | 1 Zimbra | 2 Collaboration, Zimbra Collaboration Suite | 2025-02-25 | 10 Critical | The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
CVE-2024-13636 | | | 2025-02-24 | N/A | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-24926. Reason: This candidate is a reservation duplicate of CVE-2024-24926. Notes: All CVE users should reference CVE-2024-24926 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2025-27364 | | | 2025-02-24 | 10 Critical | In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.
CVE-2025-26530 | | | 2025-02-24 | 8.3 High | The question bank filter required additional sanitizing to prevent a reflected XSS risk.
CVE-2025-26529 | | | 2025-02-24 | 8.3 High | Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.
CVE-2025-26528 | | | 2025-02-24 | 3.4 Low | The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.
CVE-2025-26527 | | | 2025-02-24 | 5.3 Medium | Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.
CVE-2025-26526 | | | 2025-02-24 | 6.5 Medium | Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.
CVE-2025-26525 | | | 2025-02-24 | 8.6 High | Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).
CVE-2023-21048 | 1 Google | 1 Android | 2025-02-24 | 4.4 Medium | In handleEvent of nan.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-259304053. References: N/A
CVE-2023-21045 | 1 Google | 1 Android | 2025-02-24 | 4.4 Medium | When cpif handles probe failures, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-259323725. References: N/A
CVE-2023-21044 | 1 Google | 1 Android | 2025-02-24 | 4.4 Medium | In init of VendorGraphicBufferMeta, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-253425086. References: N/A
CVE-2022-2237 | 1 Redhat | 3 Keycloak Node.js Adapter, Red Hat Single Sign On, Single Sign-on | 2025-02-24 | 6.1 Medium | A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.
CVE-2021-3923 | 3 Fedoraproject, Linux, Redhat | 3 Fedora, Linux Kernel, Enterprise Linux | 2025-02-24 | 2.3 Low | A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.
CVE-2018-25083 | 1 Pull It Project | 1 Pull It | 2025-02-24 | 9.8 Critical | The pullit package before 1.4.0 for Node.js allows OS Command Injection because eval is used on an attacker-supplied Git branch name.
CVE-2024-10222 | 1 Benbodhi | 1 Svg Support | 2025-02-24 | 6.4 Medium | The SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. By default, this can only be exploited by administrators, but the ability to upload SVG files can be extended to authors.