Total
277570 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-33961 | 1 Leantime | 1 Leantime | 2025-01-10 | 8.9 High |
| Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code executes. As of time of publication, a patch does not exist. | ||||
| CVE-2024-33061 | 1 Qualcomm | 18 Qcs8550, Qcs8550 Firmware, Sw5100 and 15 more | 2025-01-10 | 6.8 Medium |
| Information disclosure while processing IOCTL call made for releasing a trusted VM process release or opening a channel without initializing the process. | ||||
| CVE-2023-33962 | 1 Jstachio Project | 1 Jstachio | 2025-01-10 | 5.4 Medium |
| JStachio is a type-safe Java Mustache templating engine. Prior to version 1.0.1, JStachio fails to escape single quotes `'` in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users visiting pages that use this template engine. This can lead to various consequences, including session hijacking, defacement of web pages, theft of sensitive information, or even the propagation of malware. Version 1.0.1 contains a patch for this issue. To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape `'` as `'`. As a workaround, users can avoid this issue by using only double quotes `"` for HTML attributes. | ||||
| CVE-2024-4404 | 1 Wpmet | 1 Elementskit | 2025-01-10 | 8.5 High |
| The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the 'render_raw' function. This can allow authenticated attackers, with contributor-level permissions and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2023-2612 | 1 Canonical | 1 Ubuntu Linux | 2025-01-10 | 4.4 Medium |
| Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu Linux kernel contained a race condition when handling inode locking in some situations. A local attacker could use this to cause a denial of service (kernel deadlock). | ||||
| CVE-2024-56511 | 2025-01-10 | N/A | ||
| DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which can be bypassed and cause the risk of unauthorized access. In the io.dataease.auth.filter.TokenFilter class, ”request.getRequestURI“ is used to obtain the request URL, and it is passed to the "WhitelistUtils.match" method to determine whether the URL request is an interface that does not require authentication. The "match" method filters semicolons, but this is not enough. When users set "server.servlet.context-path" when deploying products, there is still a risk of being bypassed, which can be bypassed by any whitelist prefix /geo/../context-path/. The vulnerability has been fixed in v2.10.4. | ||||
| CVE-2023-28079 | 1 Dell | 1 Powerpath | 2025-01-10 | 7 High |
| PowerPath for Windows, versions 7.0, 7.1 & 7.2 contains Insecure File and Folder Permissions vulnerability. A regular user (non-admin) can exploit the weak folder and file permissions to escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM. | ||||
| CVE-2023-28080 | 1 Dell | 1 Powerpath | 2025-01-10 | 6.7 Medium |
| PowerPath for Windows, versions 7.0, 7.1 & 7.2 contains DLL Hijacking Vulnerabilities. A regular user (non-admin) can exploit these issues to potentially escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM. | ||||
| CVE-2023-32448 | 1 Dell | 1 Powerpath | 2025-01-10 | 5.5 Medium |
| PowerPath for Windows, versions 7.0, 7.1 & 7.2 contains License Key Stored in Cleartext vulnerability. A local user with access to the installation directory can retrieve the license key of the product and use it to install and license PowerPath on different systems. | ||||
| CVE-2023-2998 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-10 | 6.1 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.14. | ||||
| CVE-2023-2999 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-10 | 6.1 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.14. | ||||
| CVE-2025-22600 | 2025-01-10 | 6.5 Medium | ||
| WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the configuracao_doacao.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the avulso parameter. This vulnerability is fixed in 3.2.8. | ||||
| CVE-2025-22599 | 2025-01-10 | 6.5 Medium | ||
| WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the home.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. This vulnerability is fixed in 3.2.8. | ||||
| CVE-2025-22598 | 2025-01-10 | 8.3 High | ||
| WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the cadastrarSocio.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the local_recepcao parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.8. | ||||
| CVE-2025-22597 | 2025-01-10 | 8.3 High | ||
| WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the CobrancaController.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the local_recepcao parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.8. | ||||
| CVE-2025-22596 | 2025-01-10 | 6.5 Medium | ||
| WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the modulos_visiveis.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. This vulnerability is fixed in 3.2.8. | ||||
| CVE-2025-22152 | 2025-01-10 | 9.1 Critical | ||
| Atheos is a self-hosted browser-based cloud IDE. Prior to v600, the $path and $target parameters are not properly validated across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server. These vulnerabilities can be exploited through various attack vectors present in multiple PHP files. This vulnerability is fixed in v600. | ||||
| CVE-2024-57687 | 2025-01-10 | 9.8 Critical | ||
| An OS Command Injection vulnerability was found in /landrecordsys/admin/dashboard.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the "Cookie" GET request parameter. | ||||
| CVE-2024-54762 | 2025-01-10 | 6.3 Medium | ||
| Ruoyi v.4.7.9 and before contains an authenticated SQL injection vulnerability. This is because the filterKeyword method does not completely filter SQL injection keywords, resulting in the risk of SQL injection. | ||||
| CVE-2024-54761 | 2025-01-10 | 6.3 Medium | ||
| BigAnt Office Messenger 5.6.06 is vulnerable to SQL Injection via the 'dev_code' parameter. | ||||