Export limit exceeded: 365312 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 365312 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365312 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-63435 | 2 Google, Xtooltech | 3 Android, Anyscan, Xtool Anyscan | 2025-11-28 | 4.3 Medium |
| Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages.. | ||||
| CVE-2025-63434 | 2 Google, Xtooltech | 3 Android, Anyscan, Xtool Anyscan | 2025-11-28 | 8.8 High |
| The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution. | ||||
| CVE-2025-63433 | 2 Google, Xtooltech | 3 Android, Anyscan, Xtool Anyscan | 2025-11-28 | 4.6 Medium |
| Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package. | ||||
| CVE-2025-63432 | 1 Xtooltech | 1 Xtool Anyscan | 2025-11-28 | 4.6 Medium |
| Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by performing a Man-in-the-Middle (MITM) attack to intercept, decrypt, and modify traffic between the application and the update server. This serves as the basis for further attacks, including Remote Code Execution. | ||||
| CVE-2025-34245 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxStandaloneVpnClientsController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. | ||||
| CVE-2022-50596 | 1 Dlink | 2 Dir-1260, Dir-1260 Firmware | 2025-11-28 | 9.8 Critical |
| D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local and Wi-Fi networks and optionally from the Internet. | ||||
| CVE-2025-34247 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in NetworksController.addNetworkAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. | ||||
| CVE-2025-34246 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxPrevalidationController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. | ||||
| CVE-2023-5844 | 1 Pimcore | 1 Admin Classic Bundle | 2025-11-28 | 7.2 High |
| Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0. | ||||
| CVE-2025-34244 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxDeviceFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. | ||||
| CVE-2025-34243 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxNetworkFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. | ||||
| CVE-2025-34242 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxNetworkController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. | ||||
| CVE-2025-34241 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxDeviceController.ajaxDeviceAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. | ||||
| CVE-2025-34240 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. | ||||
| CVE-2024-53015 | 1 Qualcomm | 182 Aqt1000, Aqt1000 Firmware, Fastconnect 6200 and 179 more | 2025-11-28 | 6.6 Medium |
| Memory corruption while processing IOCTL command to handle buffers associated with a session. | ||||
| CVE-2024-53010 | 1 Qualcomm | 386 Aqt1000, Aqt1000 Firmware, Ar8035 and 383 more | 2025-11-28 | 7.8 High |
| Memory corruption may occur while attaching VM when the HLOS retains access to VM. | ||||
| CVE-2024-53020 | 1 Qualcomm | 468 205 Mobile Platform, 205 Mobile Platform Firmware, 215 Mobile Platform and 465 more | 2025-11-28 | 8.2 High |
| Information disclosure may occur while decoding the RTP packet with invalid header extension from network. | ||||
| CVE-2025-34236 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 5.4 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via NetworksController.addNetworkAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2025-34237 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 5.4 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via StandaloneVpnClientsController.addStandaloneVpnClientAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2025-52584 | 1 Ashlar | 5 Argon, Cobalt, Cobalt Share and 2 more | 2025-11-28 | 7.8 High |
| In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing XE files. This could lead to a heap-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. | ||||