Export limit exceeded: 10879 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10879 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-27578 | 1 Galaxyproject | 1 Galaxy | 2025-02-25 | 9.1 Critical |
| Galaxy is an open-source platform for data analysis. All supported versions of Galaxy are affected prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists. Due to this issue, an attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know the encoded ID of it. Additionally, they can copy or import any Galaxy Visualization given they know the encoded ID of it. Patches are available for versions 22.01, 22.05, and 23.0. For the changes to take effect, you must restart all Galaxy server processes. There are no supported workarounds. | ||||
| CVE-2023-28114 | 1 Cilium | 1 Cilium-cli | 2025-02-25 | 4.8 Medium |
| `cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2,`cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to mirror local cluster information to remote clusters. Users who have set up cluster meshes using the Cilium Helm chart are not affected by this issue. Due to an incorrect mount point specification, the settings specified by the `initContainer` that configures `etcd` users and their permissions are overwritten when using `cilium-cli` to configure a cluster mesh. An attacker who has already gained access to a valid key and certificate for an `etcd` cluster compromised in this manner could then modify state in that `etcd` cluster. This issue is patched in `cilium-cli` 0.13.2. As a workaround, one may use Cilium's Helm charts to create their cluster. | ||||
| CVE-2025-27140 | 2025-02-25 | N/A | ||
| WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely. The command is basically a command to move a temporary file, so a webshell upload is also possible. Version 3.2.15 contains a patch for the issue. | ||||
| CVE-2025-1646 | 2025-02-25 | 7.3 High | ||
| A vulnerability, which was classified as critical, has been found in Lumsoft ERP 8. Affected by this issue is some unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx of the component ASPX File Handler. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-1355 | 1 Needyamin | 1 Library Card System | 2025-02-25 | 7.3 High |
| A vulnerability was found in needyamin Library Card System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /signup.php of the component Add Picture. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-13229 | 1 Rankmath | 1 Seo | 2025-02-24 | 4.3 Medium |
| The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the update_metadata() function in all versions up to, and including, 1.0.235. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete any schema metadata assigned to any post. | ||||
| CVE-2025-1361 | 2025-02-24 | 7.5 High | ||
| The IP2Location Country Blocker plugin for WordPress is vulnerable to Regular Information Exposure in all versions up to, and including, 2.38.8 due to missing capability checks on the admin_init() function. This makes it possible for unauthenticated attackers to view the plugin's settings. | ||||
| CVE-2024-5174 | 2025-02-24 | N/A | ||
| A flaw in Gliffy results in broken authentication through the reset functionality of the application. | ||||
| CVE-2025-1595 | 2025-02-24 | 5.3 Medium | ||
| A vulnerability has been found in Anhui Xufan Information Technology EasyCVR up to 2.7.0 and classified as problematic. This vulnerability affects unknown code of the file /api/v1/getbaseconfig. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-28443 | 1 Monospace | 1 Directus | 2025-02-21 | 4.2 Medium |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3. | ||||
| CVE-2025-0981 | 1 Churchcrm | 1 Churchcrm | 2025-02-21 | 6.1 Medium |
| A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information. | ||||
| CVE-2024-34068 | 1 Pterodactyl | 1 Wings | 2025-02-21 | 6.4 Medium |
| Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the `api.disable_remote_download` option as a workaround. | ||||
| CVE-2024-21543 | 2025-02-20 | 7.1 High | ||
| Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS. | ||||
| CVE-2022-35726 | 1 Yotuwp | 1 Video Gallery | 2025-02-20 | 4.3 Medium |
| Broken Authentication vulnerability in yotuwp Video Gallery plugin <= 1.3.4.5 at WordPress. | ||||
| CVE-2022-34839 | 1 Codexshaper | 1 Wp Oauth2 Server | 2025-02-20 | 5.9 Medium |
| Authentication Bypass vulnerability in CodexShaper's WP OAuth2 Server plugin <= 1.0.1 at WordPress. | ||||
| CVE-2022-31475 | 1 Givewp | 1 Givewp | 2025-02-20 | 5.5 Medium |
| Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress. | ||||
| CVE-2022-23981 | 1 Quadlayers | 1 Perfect Brands For Woocommerce | 2025-02-20 | 4.3 Medium |
| The vulnerability allows Subscriber+ level users to create brands in WordPress Perfect Brands for WooCommerce plugin (versions <= 2.0.4). | ||||
| CVE-2022-29417 | 1 Shortpixel | 1 Shortpixel Adaptive Images | 2025-02-20 | 4.3 Medium |
| Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings. | ||||
| CVE-2022-28612 | 1 Custom Popup Builder Project | 1 Custom Popup Builder | 2025-02-20 | 5.4 Medium |
| Improper Access Control vulnerability leading to multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Muneeb's Custom Popup Builder plugin <= 1.3.1 at WordPress. | ||||
| CVE-2022-28666 | 1 Yikesinc | 1 Custom Product Tabs For Woocommerce | 2025-02-20 | 5.3 Medium |
| Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option update. | ||||