Export limit exceeded: 364625 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364625 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-3652 2 Port389, Redhat 4 389-ds-base, Directory Server, Enterprise Linux and 1 more 2025-11-03 6.5 Medium
A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.
CVE-2021-3621 2 Fedoraproject, Redhat 10 Fedora, Sssd, Enterprise Linux and 7 more 2025-11-03 8.8 High
A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2021-33646 4 Fedoraproject, Feep, Openatom and 1 more 4 Fedora, Libtar, Openeuler and 1 more 2025-11-03 7.5 High
The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak.
CVE-2021-33645 4 Fedoraproject, Feep, Openatom and 1 more 4 Fedora, Libtar, Openeuler and 1 more 2025-11-03 7.5 High
The th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak.
CVE-2021-33644 4 Fedoraproject, Feep, Openatom and 1 more 4 Fedora, Libtar, Openeuler and 1 more 2025-11-03 8.1 High
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read.
CVE-2020-10136 4 Cisco, Digi, Hp and 1 more 63 Nexus 1000v, Nexus 1000ve, Nexus 3016 and 60 more 2025-11-03 5.3 Medium
IP-in-IP protocol specifies IP Encapsulation within IP standard (RFC 2003, STD 1) that decapsulate and route IP-in-IP traffic is vulnerable to spoofing, access-control bypass and other unexpected behavior due to the lack of validation to verify network packets before decapsulation and routing.
CVE-2025-62783 2 Inventorygui, Phoenix616 2 Inventorygui, Inventorygui 2025-11-03 5 Medium
InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.1-SNAPSHOT and earlier contain a vulnerability where any plugin using the `GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.2-SNAPSHOT.
CVE-2025-7954 1 Shopware 1 Shopware 2025-11-03 8.1 High
A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations.
CVE-2025-5283 2 Google, Redhat 7 Chrome, Enterprise Linux, Rhel Aus and 4 more 2025-11-03 5.4 Medium
Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
CVE-2025-5054 1 Canonical 2 Apport, Ubuntu Linux 2025-11-03 4.7 Medium
Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1).
CVE-2025-54798 1 Raszi 2 Node-tmp, Tmp 2025-11-03 2.5 Low
tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.
CVE-2025-54769 1 Xorux 1 Lpar2rrd 2025-11-03 8.8 High
An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker.
CVE-2025-54768 1 Xorux 1 Lpar2rrd 2025-11-03 5.3 Medium
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information.
CVE-2025-54767 1 Xorux 1 Lpar2rrd 2025-11-03 6.5 Medium
An authenticated, read-only user can kill any processes running on the Xormon Original virtual appliance as the lpar2rrd user.
CVE-2025-54766 1 Xorux 2 Xormon, Xormon-ng 2025-11-03 5.3 Medium
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information.
CVE-2025-54765 1 Xorux 2 Xormon, Xormon-ng 2025-11-03 5.3 Medium
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include granting themselves administrative level permissions.
CVE-2025-53084 1 Wwbn 1 Avideo 2025-11-03 9 Critical
A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
CVE-2025-52497 2 Arm, Mbed 2 Mbed Tls, Mbedtls 2025-11-03 4.8 Medium
Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.
CVE-2025-52496 2 Arm, Mbed 2 Mbed Tls, Mbedtls 2025-11-03 7.8 High
Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.
CVE-2025-52187 1 Getprojects 1 Create School Management System 2025-11-03 8.2 High
GetProjectsIdea Create School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in my_profile_update_form1.php.