Total
3792 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-36259 | 2025-02-25 | 7.5 High | ||
| Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack. | ||||
| CVE-2024-12368 | 2025-02-25 | 8.1 High | ||
| Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users. | ||||
| CVE-2024-13855 | 1 Nilambar | 1 Prime Addons For Elementor | 2025-02-25 | 4.3 Medium |
| The Prime Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.1 via the pae_global_block shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, private, password protected, and restricted posts. This applies to posts created with Elementor only. | ||||
| CVE-2023-27578 | 1 Galaxyproject | 1 Galaxy | 2025-02-25 | 9.1 Critical |
| Galaxy is an open-source platform for data analysis. All supported versions of Galaxy are affected prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists. Due to this issue, an attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know the encoded ID of it. Additionally, they can copy or import any Galaxy Visualization given they know the encoded ID of it. Patches are available for versions 22.01, 22.05, and 23.0. For the changes to take effect, you must restart all Galaxy server processes. There are no supported workarounds. | ||||
| CVE-2025-27140 | 2025-02-25 | N/A | ||
| WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely. The command is basically a command to move a temporary file, so a webshell upload is also possible. Version 3.2.15 contains a patch for the issue. | ||||
| CVE-2025-1646 | 2025-02-25 | 7.3 High | ||
| A vulnerability, which was classified as critical, has been found in Lumsoft ERP 8. Affected by this issue is some unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx of the component ASPX File Handler. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-1355 | 1 Needyamin | 1 Library Card System | 2025-02-25 | 7.3 High |
| A vulnerability was found in needyamin Library Card System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /signup.php of the component Add Picture. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-45519 | 1 Zimbra | 2 Collaboration, Zimbra Collaboration Suite | 2025-02-25 | 10 Critical |
| The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands. | ||||
| CVE-2024-13229 | 1 Rankmath | 1 Seo | 2025-02-24 | 4.3 Medium |
| The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the update_metadata() function in all versions up to, and including, 1.0.235. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete any schema metadata assigned to any post. | ||||
| CVE-2025-1555 | 2025-02-24 | 7.3 High | ||
| A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. This vulnerability affects the function saveImage. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-1595 | 2025-02-24 | 5.3 Medium | ||
| A vulnerability has been found in Anhui Xufan Information Technology EasyCVR up to 2.7.0 and classified as problematic. This vulnerability affects unknown code of the file /api/v1/getbaseconfig. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-28443 | 1 Monospace | 1 Directus | 2025-02-21 | 4.2 Medium |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3. | ||||
| CVE-2024-34068 | 1 Pterodactyl | 1 Wings | 2025-02-21 | 6.4 Medium |
| Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the `api.disable_remote_download` option as a workaround. | ||||
| CVE-2022-31475 | 1 Givewp | 1 Givewp | 2025-02-20 | 5.5 Medium |
| Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress. | ||||
| CVE-2022-23981 | 1 Quadlayers | 1 Perfect Brands For Woocommerce | 2025-02-20 | 4.3 Medium |
| The vulnerability allows Subscriber+ level users to create brands in WordPress Perfect Brands for WooCommerce plugin (versions <= 2.0.4). | ||||
| CVE-2022-29417 | 1 Shortpixel | 1 Shortpixel Adaptive Images | 2025-02-20 | 4.3 Medium |
| Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings. | ||||
| CVE-2022-28612 | 1 Custom Popup Builder Project | 1 Custom Popup Builder | 2025-02-20 | 5.4 Medium |
| Improper Access Control vulnerability leading to multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Muneeb's Custom Popup Builder plugin <= 1.3.1 at WordPress. | ||||
| CVE-2025-25968 | 2025-02-20 | 6.0 Medium | ||
| DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation. | ||||
| CVE-2022-41652 | 1 Expresstech | 1 Quiz And Survey Master | 2025-02-20 | 6.5 Medium |
| Bypass vulnerability in Quiz And Survey Master plugin <= 7.3.10 on WordPress. | ||||
| CVE-2022-41155 | 1 Webence | 1 Iq Block Country | 2025-02-20 | 5.3 Medium |
| Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress. | ||||