Search Results (14091 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-4068 1 Librenms 1 Librenms 2025-04-25 5.4 Medium
A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an attacker with a low privilege user to execute arbitrary JavaScript in the context of an admin's account.
CVE-2024-22371 2 Apache, Redhat 2 Camel, Openshift Serverless 2025-04-25 2.9 Low
Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0. Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.
CVE-2024-50960 1 Extron 8 Sme 211, Sme 211 Firmware, Smp 111 and 5 more 2025-04-25 7.2 High
A command injection vulnerability in the Nmap diagnostic tool in the admin web console of Extron SMP 111 <=3.01, SMP 351 <=2.16, SMP 352 <= 2.16, and SME 211 <= 3.02, allows a remote authenticated attacker to execute arbitrary commands as root on the underlying operating system.
CVE-2025-29039 1 Dlink 2 Dir-823x, Dir-823x Firmware 2025-04-25 7.2 High
An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the function 0x41dda8
CVE-2025-29449 1 Lm21 1 Twonav 2025-04-25 6.5 Medium
An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the link identification function.
CVE-2025-29460 1 Mybb 1 Mybb 2025-04-25 7.6 High
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
CVE-2022-44038 1 Russound 2 Xsourceplayer 777d, Xsourceplayer 777d Firmware 2025-04-25 9.8 Critical
Russound XSourcePlayer 777D v06.08.03 was discovered to contain a remote code execution vulnerability via the scriptRunner.cgi component.
CVE-2022-3713 1 Sophos 2 Xg Firewall, Xg Firewall Firmware 2025-04-24 8.8 High
A code injection vulnerability allows adjacent attackers to execute code in the Wifi controller of Sophos Firewall releases older than version 19.5 GA.
CVE-2022-41412 1 Perfsonar 1 Perfsonar 2025-04-24 8.6 High
An issue in the graphData.cgi component of perfSONAR v4.4.5 and prior allows attackers to access sensitive data and execute Server-Side Request Forgery (SSRF) attacks.
CVE-2022-3696 1 Sophos 2 Xg Firewall, Xg Firewall Firmware 2025-04-24 7.2 High
A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA.
CVE-2022-43333 1 Teleniasoftware 1 Tvox 2025-04-24 9.8 Critical
Telenia Software s.r.l TVox before v22.0.17 was discovered to contain a remote code execution (RCE) vulnerability in the component action_export_control.php.
CVE-2023-6294 2 Popup Builder, Sygnoos 2 Popup Builder, Popup Builder 2025-04-24 7.5 High
The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations.
CVE-2023-50386 1 Apache 1 Solr 2025-04-24 8.8 High
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added: * Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader. * The Backup API restricts saving backups to directories that are used in the ClassLoader.
CVE-2022-35508 1 Proxmox 3 Proxmox Mail Gateway, Pve Http Server, Virtual Environment 2025-04-24 9.8 Critical
Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon. An attacker with an unprivileged account can craft an HTTP request to achieve SSRF and file disclosure of any files on the server. Also, in Proxmox Mail Gateway, privilege escalation to the root@pam account is possible if the backup feature has ever been used, because backup files such as pmg-backup_YYYY_MM_DD_*.tgz have 0644 permissions and contain an authkey value. This is fixed in pve-http-server 4.1-3.
CVE-2024-24091 1 Yealink 2 Meeting Server, Yealink Meeting Server 2025-04-24 9.8 Critical
Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface.
CVE-2025-3821 1 Senior-walter 1 Web-based Pharmacy Product Management System 2025-04-24 2.4 Low
A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file add-admin.php. The manipulation of the argument txtpassword/txtfullname/txtemail leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-42374 1 Mystenlabs 2 Sui, Sui Blockchain 2025-04-24 9.8 Critical
An issue in mystenlabs Sui Blockchain before v.1.6.3 allow a remote attacker to execute arbitrary code and cause a denial of service via a crafted compressed script to the Sui node component.
CVE-2025-3822 1 Senior-walter 1 Web-based Pharmacy Product Management System 2025-04-24 2.4 Low
A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file changepassword.php. The manipulation of the argument txtconfirm_password/txtnew_password/txtold_password leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-49032 1 Ltb-project 1 Self Service Password 2025-04-24 9.8 Critical
An issue in LTB Self Service Password before v.1.5.4 allows a remote attacker to execute arbitrary code and obtain sensitive information via hijack of the SMS verification code function to arbitrary phone.
CVE-2022-44533 1 Arubanetworks 1 Edgeconnect Enterprise 2025-04-24 7.2 High
A vulnerability in the Aruba EdgeConnect Enterprise web management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.