Search Results (336659 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6021 | 1 Bharatkambariya | 1 Donation Block For Paypal | 2025-05-30 | 6.8 Medium |
| The Donation Block For PayPal WordPress plugin through 2.1.0 does not sanitise and escape form submissions, leading to a stored cross-site scripting vulnerability | ||||
| CVE-2024-3113 | 1 Devsabbirahmed | 1 Simple Form | 2025-05-30 | 5.9 Medium |
| The FormFlow: WhatsApp Social and Advanced Form Builder with Easy Lead Collection WordPress plugin before 2.12.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-36782 | 1 Totolink | 2 Cp300, Cp300 Firmware | 2025-05-30 | 9.8 Critical |
| TOTOLINK CP300 V2.0.4-B20201102 was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows attackers to log in as root. | ||||
| CVE-2024-34009 | 1 Moodle | 1 Moodle | 2025-05-30 | 7.5 High |
| Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized. | ||||
| CVE-2024-34007 | 1 Moodle | 1 Moodle | 2025-05-30 | 8.8 High |
| The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF. | ||||
| CVE-2024-34006 | 1 Moodle | 1 Moodle | 2025-05-30 | 4.3 Medium |
| The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered. | ||||
| CVE-2024-34001 | 1 Moodle | 1 Moodle | 2025-05-30 | 8.4 High |
| Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk. | ||||
| CVE-2024-34000 | 1 Moodle | 1 Moodle | 2025-05-30 | 4.3 Medium |
| ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk. | ||||
| CVE-2024-33999 | 1 Moodle | 1 Moodle | 2025-05-30 | 9.8 Critical |
| The referrer URL used by MFA required additional sanitizing, rather than being used directly. | ||||
| CVE-2024-33998 | 1 Moodle | 1 Moodle | 2025-05-30 | 5.4 Medium |
| Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features. | ||||
| CVE-2019-25071 | 1 Apple | 1 Iphone Os | 2025-05-30 | 6.3 Medium |
| A vulnerability was found in Apple iPhone up to 12.4.1. It has been declared as critical. Affected by this vulnerability is Siri. Playing an audio or video file might be able to initiate Siri on the same device which makes it possible to execute commands remotely. Exploit details have been disclosed to the public. The existence and implications of this vulnerability are doubted by Apple even though multiple public videos demonstrating the attack exist. Upgrading to version 13.0 might be able to address this issue. It is recommended to upgrade affected devices. NOTE: Apple claims that after examining the report they do not see any actual security implications. | ||||
| CVE-2024-33997 | 1 Moodle | 1 Moodle | 2025-05-30 | 6.1 Medium |
| Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation. | ||||
| CVE-2024-33996 | 1 Moodle | 1 Moodle | 2025-05-30 | 6.2 Medium |
| Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to. | ||||
| CVE-2023-30309 | 1 Dlink | 2 Di-7003g, Di-7003g Firmware | 2025-05-30 | 5.7 Medium |
| An issue discovered in D-Link DI-7003GV2 routers allows attackers to hijack TCP sessions which could lead to a denial of service. | ||||
| CVE-2025-5323 | | | 2025-05-30 | 3.7 Low |
| A vulnerability, which was classified as problematic, has been found in fossasia open-event-server 1.19.1. This issue affects the function send_email_change_user_email of the file /fossasia/open-event-server/blob/development/app/api/helpers/mail.py of the component Mail Verification Handler. The manipulation leads to reliance on obfuscation or encryption of security-relevant inputs without integrity checking. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-5190 | | | 2025-05-30 | 8.8 High |
| The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id. | ||||
| CVE-2025-4944 | | | 2025-05-30 | 6.4 Medium |
| The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Compare and Google Maps widgets in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-48491 | | | 2025-05-30 | N/A |
| Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version. | ||||
| CVE-2025-48490 | | | 2025-05-30 | N/A |
| Laravel Rest Api is an API generator. Prior to version 2.13.0, a validation bypass vulnerability was discovered where multiple validations defined for the same attribute could be silently overridden. Due to how the framework merged validation rules across multiple contexts (such as index, store, and update actions), malicious actors could exploit this behavior by crafting requests that bypass expected validation rules, potentially injecting unexpected or dangerous parameters into the application. This could lead to unauthorized data being accepted or processed by the API, depending on the context in which the validation was bypassed. This issue has been patched in version 2.13.0. | ||||
| CVE-2025-48336 | | | 2025-05-30 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in ThimPress Course Builder allows Object Injection. This issue affects Course Builder: from n/a before 3.6.6. | ||||