Total
277606 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-32687 | 1 Tgstation13 | 1 Tgstation-server | 2025-01-13 | 7.7 High |
| tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety. | ||||
| CVE-2025-23110 | 2025-01-13 | 6.1 Medium | ||
| An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim clicks on the email-subject value, it triggers the XSS payload. | ||||
| CVE-2025-23111 | 2025-01-13 | 4.7 Medium | ||
| An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent. | ||||
| CVE-2023-52718 | 1 Huawei | 18 Pt9030-15, Pt9030-15 Firmware, Ws7206-10 and 15 more | 2025-01-13 | 6.4 Medium |
| A connection hijacking vulnerability exists in some Huawei home routers. Successful exploitation of this vulnerability may cause DoS or information leakage.(Vulnerability ID:HWPSIRT-2023-34408) This vulnerability has been assigned a (CVE)ID:CVE-2023-52718 | ||||
| CVE-2024-3727 | 1 Redhat | 18 Acm, Advanced Cluster Security, Ansible Automation Platform and 15 more | 2025-01-13 | 8.3 High |
| A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. | ||||
| CVE-2023-7266 | 1 Huawei | 6 Tc7001-10, Tc7001-10 Firmware, Ws7200-10 and 3 more | 2025-01-13 | 7.5 High |
| Some Huawei home routers have a connection hijacking vulnerability. Successful exploitation of this vulnerability may cause DoS or information leakage.(Vulnerability ID:HWPSIRT-2023-76605) This vulnerability has been assigned a (CVE)ID:CVE-2023-7266 | ||||
| CVE-2025-23112 | 2025-01-13 | 6.1 Medium | ||
| An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user receive the survey, if he clicks on the field name, it triggers the XSS payload. | ||||
| CVE-2021-47207 | 1 Linux | 1 Linux Kernel | 2025-01-13 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: ALSA: gus: fix null pointer dereference on pointer block The pointer block return from snd_gf1_dma_next_block could be null, so there is a potential null pointer dereference issue. Fix this by adding a null check before dereference. | ||||
| CVE-2023-52527 | 1 Linux | 1 Linux Kernel | 2025-01-13 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() Including the transhdrlen in length is a problem when the packet is partially filled (e.g. something like send(MSG_MORE) happened previously) when appending to an IPv4 or IPv6 packet as we don't want to repeat the transport header or account for it twice. This can happen under some circumstances, such as splicing into an L2TP socket. The symptom observed is a warning in __ip6_append_data(): WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800 that occurs when MSG_SPLICE_PAGES is used to append more data to an already partially occupied skbuff. The warning occurs when 'copy' is larger than the amount of data in the message iterator. This is because the requested length includes the transport header length when it shouldn't. This can be triggered by, for example: sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP); bind(sfd, ...); // ::1 connect(sfd, ...); // ::1 port 7 send(sfd, buffer, 4100, MSG_MORE); sendfile(sfd, dfd, NULL, 1024); Fix this by only adding transhdrlen into the length if the write queue is empty in l2tp_ip6_sendmsg(), analogously to how UDP does things. l2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds the UDP packet itself. | ||||
| CVE-2023-0779 | 1 Zephyrproject | 1 Zephyr | 2025-01-13 | 6.7 Medium |
| At the most basic level, an invalid pointer can be input that crashes the device, but with more knowledge of the device’s memory layout, further exploitation is possible. | ||||
| CVE-2025-23113 | 2025-01-13 | 3.4 Low | ||
| An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim click on the alert-title value, it can trigger a logout request and terminates their session, or redirect to a phishing website. This vulnerability stems from the absence of CSRF protections on the logout functionality. | ||||
| CVE-2024-46481 | 2025-01-13 | 7.2 High | ||
| The login page of Venki Supravizio BPM up to 18.1.1 is vulnerable to open redirect leading to reflected XSS. | ||||
| CVE-2024-46480 | 2025-01-13 | 8.4 High | ||
| An NTLM hash leak in Venki Supravizio BPM up to 18.0.1 allows authenticated attackers with Application Administrator access to escalate privileges on the underlying host system. | ||||
| CVE-2025-23027 | 2025-01-13 | N/A | ||
| next-forge is a Next.js project boilerplate for modern web application. The BASEHUB_TOKEN commited in apps/web/.env.example. Users should avoid use of this token and should remove any access it may have in their systems. | ||||
| CVE-2024-57488 | 2025-01-13 | 6.5 Medium | ||
| Code-Projects Online Car Rental System 1.0 is vulnerable to Cross Site Scripting (XSS) via the vehicalorcview parameter in /admin/edit-vehicle.php. | ||||
| CVE-2024-57487 | 2025-01-13 | 6.5 Medium | ||
| In Code-Projects Online Car Rental System 1.0, the file upload feature does not validate file extensions or MIME types allowing an attacker to upload a PHP shell without any restrictions and execute commands on the server. | ||||
| CVE-2024-54687 | 2025-01-13 | 6.1 Medium | ||
| Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php. | ||||
| CVE-2024-48883 | 2025-01-13 | 4.3 Medium | ||
| An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, and Modem 5300. The UE incorrectly handles a malformed uplink scheduling message, resulting in an information leak of the UE. | ||||
| CVE-2024-46920 | 2025-01-13 | 6.5 Medium | ||
| An issue was discovered in Samsung Mobile Processor Exynos 9820, 9825, 980, 990, 850, 1080, 2100, and 1280. Lack of a length check leads to a stack out-of-bounds write at loadInputBuffers. | ||||
| CVE-2024-46919 | 2025-01-13 | 5.3 Medium | ||
| An issue was discovered in Samsung Mobile Processor Exynos 9820, 9825, 980, 990, 850, 1080, 2100, and 1280. Lack of a length check leads to a stack out-of-bounds write at loadOutputBuffers. | ||||