Search Results (37331 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-2003 1 Devolutions 1 Devolutions Server 2025-03-28 7.1 High
Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root' permission.
CVE-2024-12148 1 Devolutions 1 Devolutions Server 2025-03-28 4.3 Medium
Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.
CVE-2024-12196 1 Devolutions 1 Devolutions Server 2025-03-28 6.5 Medium
Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.
CVE-2024-11670 1 Devolutions 1 Remote Desktop Manager 2025-03-28 5.4 Medium
Incorrect authorization in the permission validation component of Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows a malicious authenticated user to bypass the "View Password" permission via specific actions.
CVE-2024-11672 1 Devolutions 1 Remote Desktop Manager 2025-03-28 4.3 Medium
Incorrect authorization in the add permission component in Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows an authenticated malicious user to bypass the "Add" permission via the import in vault feature.
CVE-2023-0565 1 Froxlor 1 Froxlor 2025-03-28 5.5 Medium
Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.10.
CVE-2023-0529 1 Online Tours \& Travels Management System Project 1 Online Tours \& Travels Management System 2025-03-28 4.7 Medium
A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file admin/add_payment.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-219598 is the identifier assigned to this vulnerability.
CVE-2023-0532 1 Online Tours \& Travels Management System Project 1 Online Tours \& Travels Management System 2025-03-28 4.7 Medium
A vulnerability classified as critical was found in SourceCodester Online Tours & Travels Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/disapprove_user.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-219601 was assigned to this vulnerability.
CVE-2024-4317 2 Postgresql, Redhat 3 Postgresql, Enterprise Linux, Rhel Eus 2025-03-28 3.1 Low
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
CVE-2023-22324 1 Contec 1 Conprosys Hmi System 2025-03-28 6.5 Medium
SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attacker to execute an arbitrary SQL command. As a result, information stored in the database may be obtained.
CVE-2022-44298 1 Sscms 1 Siteserver Cms 2025-03-28 9.8 Critical
SiteServer CMS 7.1.3 is vulnerable to SQL Injection.
CVE-2024-27746 1 Mayurik 1 Petrol Pump Management 2025-03-28 9.8 Critical
SQL Injection vulnerability in Petrol Pump Mangement Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email address parameter in the index.php component.
CVE-2023-49546 1 Oretnom23 1 Customer Support System 2025-03-28 8.8 High
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customer_support/ajax.php.
CVE-2023-49547 1 Oretnom23 1 Customer Support System 2025-03-28 9.8 Critical
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the username parameter at /customer_support/ajax.php?action=login.
CVE-2023-49548 1 Oretnom23 1 Customer Support System 2025-03-28 8.8 High
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the lastname parameter at /customer_support/ajax.php?action=save_user.
CVE-2023-49968 1 Oretnom23 1 Customer Support System 2025-03-28 7.3 High
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/manage_department.php.
CVE-2023-49969 1 Oretnom23 1 Customer Support System 2025-03-28 4.3 Medium
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/index.php?page=edit_customer.
CVE-2023-49970 1 Oretnom23 1 Customer Support System 2025-03-28 9.8 Critical
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the subject parameter at /customer_support/ajax.php?action=save_ticket.
CVE-2023-49544 1 Oretnom23 1 Customer Support System 2025-03-28 4.9 Medium
A local file inclusion (LFI) in Customer Support System v1 allows attackers to include internal PHP files and gain unauthorized acces via manipulation of the page= parameter at /customer_support/index.php.
CVE-2025-20125 1 Cisco 1 Identity Services Engine 2025-03-28 9.1 Critical
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to attacker to obtain information, modify system configuration, and reload the device. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.