Search

Search Results (363962 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-4226 1 Octopus 1 Octopus Server 2025-06-27 3.5 Low
It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.
CVE-2024-24818 1 Espocrm 1 Espocrm 2025-06-27 5.9 Medium
EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2.
CVE-2024-28640 1 Totolink 4 A7000r, A7000r Firmware, X5000r and 1 more 2025-06-27 7.5 High
Buffer Overflow vulnerability in TOTOLink X5000R V9.1.0u.6118-B20201102 and A7000R V9.1.0u.6115-B20201022 allows a remote attacker to cause a denial of service (D0S) via the command field.
CVE-2024-2241 1 Devolutions 1 Workspace 2025-06-27 6.3 Medium
Improper access control in the user interface in Devolutions Workspace 2024.1.0 and earlier allows an authenticated user to perform unintended actions via specific permissions
CVE-2022-36263 2 Logitech, Microsoft 2 Streamlabs Desktop, Windows 2025-06-27 7.3 High
StreamLabs Desktop Application 1.9.0 is vulnerable to Incorrect Access Control via obs64.exe. An attacker can execute arbitrary code via a crafted .exe file.
CVE-2024-1316 1 Liquidweb 1 Event Tickets 2025-06-27 6.5 Medium
The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).
CVE-2024-27497 1 Linksys 2 E2000, E2000 Firmware 2025-06-27 8.8 High
Linksys E2000 Ver.1.0.06 build 1 is vulnerable to authentication bypass via the position.js file.
CVE-2024-3165 1 Dotcms 1 Dotcms 2025-06-27 4.5 Medium
System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment.   OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure
CVE-2024-3164 1 Dotcms 1 Dotcms 2025-06-27 4.5 Medium
In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance → Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System → Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance. OWASP Top 10 - A01) Broken Access Control OWASP Top 10 - A04) Insecure Design
CVE-2025-27583 1 Serosoft 1 Academia Student Information System 2025-06-27 9.1 Critical
Incorrect access control in the component /rest/staffResource/findAllUsersAcrossOrg of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows create and modify user accounts, including an Administrator account.
CVE-2025-27584 1 Serosoft 1 Academia Student Information System 2025-06-27 5.4 Medium
A stored cross-site scripting (XSS) vulnerability in Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the First Name parameter at /rest/staffResource/update.
CVE-2024-37087 1 Vmware 2 Cloud Foundation, Vcenter Server 2025-06-27 5.3 Medium
The vCenter Server contains a denial-of-service vulnerability. A malicious actor with network access to vCenter Server may create a denial-of-service condition.
CVE-2024-37086 1 Vmware 2 Cloud Foundation, Esxi 2025-06-27 6.8 Medium
VMware ESXi contains an out-of-bounds read vulnerability. A malicious actor with local administrative privileges on a virtual machine with an existing snapshot may trigger an out-of-bounds read leading to a denial-of-service condition of the host.
CVE-2024-22275 1 Vmware 2 Cloud Foundation, Vcenter Server 2025-06-27 4.9 Medium
The vCenter Server contains a partial file read vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to partially read arbitrary files containing sensitive data.
CVE-2024-22274 1 Vmware 2 Cloud Foundation, Vcenter Server 2025-06-27 7.2 High
The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.
CVE-2024-22270 2 Apple, Vmware 3 Macos, Fusion, Workstation 2025-06-27 7.1 High
VMware Workstation and Fusion contain an information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.
CVE-2024-22269 2 Apple, Vmware 3 Macos, Fusion, Workstation 2025-06-27 7.1 High
VMware Workstation and Fusion contain an information disclosure vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.
CVE-2024-24401 1 Nagios 1 Nagios Xi 2025-06-27 9.8 Critical
SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.
CVE-2025-27585 1 Serosoft 1 Academia Student Information System 2025-06-27 5.4 Medium
A stored cross-site scripting (XSS) vulnerability in Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Print Name parameter at /rest/staffResource/update.
CVE-2024-27297 1 Nixos 1 Nix 2025-06-27 6.3 Medium
Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.