Export limit exceeded: 10679 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10679 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2350 | 1 Iroadau | 2 Fx2, Fx2 Firmware | 2025-11-06 | 6.3 Medium |
| A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-30133 | 2 Iroad, Iroadau | 3 Dashcam Fx2, Fx2, Fx2 Firmware | 2025-11-06 | 9.8 Critical |
| An issue was discovered on IROAD Dashcam FX2 devices. Bypass of Device Pairing/Registration can occur. It requires device registration via the "IROAD X View" app for authentication, but its HTTP server lacks this restriction. Once connected to the dashcam's Wi-Fi network via the default password ("qwertyuiop"), an attacker can directly access the HTTP server at http://192.168.10.1 without undergoing the pairing process. Additionally, no alert is triggered on the device when an attacker connects, making this intrusion completely silent. | ||||
| CVE-2025-12346 | 2 Max-3000, Maxsite | 2 Maxsite Cms, Cms | 2025-11-06 | 6.3 Medium |
| A vulnerability was detected in MaxSite CMS up to 109. This vulnerability affects unknown code of the file application/maxsite/admin/plugins/auto_post/uploads-require-maxsite.php of the component HTTP Header Handler. Performing manipulation of the argument X-Requested-FileName/X-Requested-FileUpDir results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12347 | 2 Max-3000, Maxsite | 2 Maxsite Cms, Cms | 2025-11-06 | 6.3 Medium |
| A flaw has been found in MaxSite CMS up to 109. This issue affects some unknown processing of the file application/maxsite/admin/plugins/editor_files/save-file-ajax.php. Executing manipulation of the argument file_path/content can lead to unrestricted upload. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-60800 | 1 Jishenghua | 1 Jsherp | 2025-11-06 | 7.5 High |
| Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request. | ||||
| CVE-2019-11634 | 1 Citrix | 2 Receiver, Workspace | 2025-11-06 | 9.8 Critical |
| Citrix Workspace App before 1904 for Windows has Incorrect Access Control. | ||||
| CVE-2025-7938 | 1 Jerryshensjf | 1 Jpacookieshop | 2025-11-06 | 4.3 Medium |
| A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0 and classified as critical. This issue affects the function updateGoods of the file GoodsController.java. The manipulation leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-7939 | 1 Jerryshensjf | 1 Jpacookieshop | 2025-11-06 | 6.3 Medium |
| A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0. It has been classified as critical. Affected is the function addGoods of the file GoodsController.java. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. | ||||
| CVE-2022-0847 | 7 Fedoraproject, Linux, Netapp and 4 more | 42 Fedora, Linux Kernel, H300e and 39 more | 2025-11-06 | 7.8 High |
| A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system. | ||||
| CVE-2024-48932 | 2 Icewhaletech, Zimaspace | 2 Zimaos, Zimaos | 2025-11-05 | 5.3 Medium |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http://<Server-ip>/v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available. | ||||
| CVE-2025-60424 | 1 Nagios | 1 Fusion | 2025-11-05 | 7.6 High |
| A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce attack. | ||||
| CVE-2025-12297 | 2 Atjiu, Pybbs Project | 2 Pybbs, Pybbs | 2025-11-05 | 4.3 Medium |
| A vulnerability was detected in atjiu pybbs up to 6.0.0. This affects an unknown function of the file UserApiController.java. The manipulation results in information disclosure. The attack may be launched remotely. The exploit is now public and may be used. | ||||
| CVE-2025-63562 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-11-05 | 6.3 Medium |
| Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 suffers from insufficient server-side authorization. Authenticated attackers can call several endpoints and perform create/update/delete actions on resources owned by arbitrary users by manipulating request parameters (e.g., owner or resource id). | ||||
| CVE-2018-10561 | 1 Dasannetworks | 2 Gpon Router, Gpon Router Firmware | 2025-11-05 | 9.8 Critical |
| An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device. | ||||
| CVE-2025-63563 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-11-05 | 6.5 Medium |
| Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password. | ||||
| CVE-2025-36091 | 1 Ibm | 1 Cloud Pak For Business Automation | 2025-11-05 | 4.3 Medium |
| IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause dashboards to become inaccessible to legitimate users due to invalid ownership assignment. | ||||
| CVE-2025-34143 | 2025-11-04 | N/A | ||
| An authentication bypass vulnerability exists in ETQ Reliance on the CG (legacy) platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, enabling attackers with network access to the login page to obtain elevated access. Once authenticated, an attacker could achieve remote code execution by modifying Jython scripts within the application. This issue was resolved by introducing stricter validation logic to exclude internal accounts from public authentication workflows in version MP-4583. | ||||
| CVE-2014-5412 | 2 Aveva, Schneider-electric | 2 Clearscada, Scada Expert Clearscada | 2025-11-04 | N/A |
| Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account. | ||||
| CVE-2025-58459 | 1 Jenkins | 3 Global-build-stats, Global Build Stats, Jenkins | 2025-11-04 | 4.3 Medium |
| Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs. | ||||
| CVE-2025-58457 | 1 Apache | 1 Zookeeper | 2025-11-04 | 4.3 Medium |
| Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue. The issue can be mitigated by disabling both commands (via admin.snapshot.enabled and admin.restore.enabled), disabling the whole AdminServer interface (via admin.enableServer), or ensuring that the root ACL does not provide open permissions. (Note that ZooKeeper ACLs are not recursive, so this does not impact operations on child nodes besides notifications from recursive watches.) | ||||