Search Results (14090 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-28593 1 Moodle 1 Moodle 2025-05-01 5.4 Medium
The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be removed from standard Moodle."
CVE-2024-24520 1 Lepton-cms 1 Leptoncms 2025-05-01 7.8 High
An issue in Lepton CMS v.7.0.0 allows a local attacker to execute arbitrary code via the upgrade.php file in the languages place.
CVE-2025-31674 1 Drupal 1 Drupal 2025-05-01 7.5 High
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
CVE-2024-30202 1 Gnu 2 Emacs, Org Mode 2025-05-01 7.8 High
In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23.
CVE-2022-44089 1 Ecisp 1 Espcms 2025-05-01 9.8 Critical
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component IS_GETCACHE.
CVE-2022-44088 1 Ecisp 1 Espcms 2025-05-01 9.8 Critical
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION.
CVE-2022-44087 1 Ecisp 1 Espcms 2025-05-01 9.8 Critical
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component UPFILE_PIC_ZOOM_HIGHT.
CVE-2024-21892 3 Linux, Nodejs, Redhat 4 Linux Kernel, Node.js, Enterprise Linux and 1 more 2025-04-30 7.8 High
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
CVE-2022-21824 5 Debian, Netapp, Nodejs and 2 more 16 Debian Linux, Oncommand Insight, Oncommand Workflow Automation and 13 more 2025-04-30 8.2 High
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
CVE-2021-37498 1 Reprisesoftware 1 Reprise License Manager 2025-04-30 6.5 Medium
An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers, conduct port scans via the actserver parameter in License Activation function.
CVE-2022-34312 1 Ibm 1 Cics Tx 2025-04-30 4 Medium
IBM CICS TX 11.1 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 229447.
CVE-2022-40127 1 Apache 1 Airflow 2025-04-30 8.8 High
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
CVE-2025-20934 1 Samsung 1 Android 2025-04-30 5.5 Medium
Improper access control in Sticker Center prior to SMR Apr-2025 Release 1 allows local attackers to access image files with system privilege.
CVE-2025-45947 1 Phpgurukul 1 Online Banquet Booking System 2025-04-30 9.8 Critical
An issue in phpgurukul Online Banquet Booking System V1.2 allows an attacker to execute arbitrary code via the /obbs/change-password.php file of the My Account - Change Password component
CVE-2025-3823 1 Senior-walter 1 Web-based Pharmacy Product Management System 2025-04-30 2.4 Low
A vulnerability classified as problematic has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file add-stock.php. The manipulation of the argument txttotalcost/txtproductID/txtprice/txtexpirydate leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-3824 1 Senior-walter 1 Web-based Pharmacy Product Management System 2025-04-30 2.4 Low
A vulnerability classified as problematic was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this vulnerability is an unknown functionality of the file add-product.php. The manipulation of the argument txtprice/txtproduct_name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-3825 1 Senior-walter 1 Web-based Pharmacy Product Management System 2025-04-30 2.4 Low
A vulnerability, which was classified as problematic, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this issue is some unknown functionality of the file add-category.php. The manipulation of the argument txtcategory_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-3826 1 Senior-walter 1 Web-based Pharmacy Product Management System 2025-04-30 2.4 Low
A vulnerability, which was classified as problematic, was found in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part of the file add-supplier.php. The manipulation of the argument txtsupplier_name/txtaddress leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-39331 2 Gnu, Redhat 6 Emacs, Enterprise Linux, Rhel Aus and 3 more 2025-04-30 9.8 Critical
In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.
CVE-2024-48951 1 Logpoint 2 Logpoint, Siem 2025-04-30 7.5 High
An issue was discovered in Logpoint before 7.5.0. Server-Side Request Forgery (SSRF) on SOAR can be used to leak Logpoint's API Token leading to authentication bypass.