Search

Search Results (363165 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-25457 1 Tenda 2 Ac10, Ac10 Firmware 2025-04-22 7.5 High
Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via cloneType2.
CVE-2025-25453 1 Tenda 2 Ac10, Ac10 Firmware 2025-04-22 4.6 Medium
Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via serviceName2.
CVE-2025-25458 1 Tenda 2 Ac10, Ac10 Firmware 2025-04-22 4.6 Medium
Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via serverName2.
CVE-2025-25456 1 Tenda 2 Ac10, Ac10 Firmware 2025-04-22 9.8 Critical
Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via mac2.
CVE-2025-25454 1 Tenda 2 Ac10, Ac10 Firmware 2025-04-22 7.5 High
Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via wanSpeed2.
CVE-2025-25455 1 Tenda 2 Ac10, Ac10 Firmware 2025-04-22 7.5 High
Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via wanMTU2.
CVE-2025-3786 1 Tenda 2 Ac15, Ac15 Firmware 2025-04-22 8.8 High
A vulnerability was found in Tenda AC15 up to 15.03.05.19 and classified as critical. This issue affects the function fromSetWirelessRepeat of the file /goform/WifiExtraSet. The manipulation of the argument mac leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-29462 1 Tenda 2 Ac15, Ac15 Firmware 2025-04-22 9.8 Critical
A buffer overflow vulnerability has been discovered in Tenda Ac15 V15.13.07.13. The vulnerability occurs when the webCgiGetUploadFile function calls the socketRead function to process HTTP request messages, resulting in the overwriting of a buffer on the stack.
CVE-2025-29453 1 Personal-management-system 1 Personal Management System 2025-04-22 6.5 Medium
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the my-contacts-settings component.
CVE-2025-29454 1 Personal-management-system 1 Personal Management System 2025-04-22 6.5 Medium
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Upload function.
CVE-2025-29455 1 Personal-management-system 1 Personal Management System 2025-04-22 6.5 Medium
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Travel Ideas" function.
CVE-2025-29456 1 Personal-management-system 1 Personal Management System 2025-04-22 6.5 Medium
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the create Notes function.
CVE-2024-26135 2 Meshcentral, Ylianst 2 Meshcentral, Meshcentral 2025-04-22 8.4 High
MeshCentral is a full computer management web site. Versions prior to 1.1.21 a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to `control.ashx` as the victim user within MeshCentral. Version 1.1.21 contains a patch for this issue.
CVE-2024-25897 1 Churchcrm 1 Churchcrm 2025-04-22 9.8 Critical
ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.
CVE-2024-25147 1 Liferay 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more 2025-04-22 9.6 Critical
Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted javascript: style links.
CVE-2024-26269 1 Liferay 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more 2025-04-22 9.6 Critical
Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL.
CVE-2024-56169 1 Nicmx 1 Fort Validator 2025-04-22 5.3 Medium
A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI Relying Parties (such as Fort) are supposed to maintain a backup cache of the remote RPKI data. This can be employed as a fallback in case a new fetch fails or yields incorrect files. However, the product currently uses its cache merely as a bandwidth saving tool (because fetching is performed through deltas). If a fetch fails midway or yields incorrect files, there is no viable fallback. This leads to incomplete route origin validation data.
CVE-2024-26138 2 Xwiki, Xwikisas 2 Application Licensing, Application Licensing 2025-04-22 5.3 Medium
The XWiki licensor application, which manages and enforce application licenses for paid extensions, includes the document `Licenses.Code.LicenseJSON` that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information includes the instance's id as well as first and last name and email of the license owner. This is a leak of information that isn't supposed to be public. The instance id allows associating data on the active installs data with the concrete XWiki instance. Active installs assures that "there's no way to find who's having a given UUID" (referring to the instance id). Further, the information who the license owner is and information about the obtained licenses can be used for targeted phishing attacks. Also, while user information is normally public, email addresses might only be displayed obfuscated, depending on the configuration. This has been fixed in Application Licensing 1.24.2. There are no known workarounds besides upgrading.
CVE-2024-23654 1 Discourse 1 Ai 2025-04-22 4.1 Medium
discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit 94ba0dadc2cf38e8f81c3936974c167219878edd contain a patch. As a workaround, one may disable the discourse-ai plugin.
CVE-2024-26483 1 Getkirby 1 Kirby 2025-04-22 8.8 High
An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.