Total
29612 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-38313 | 1 Mozilla | 1 Firefox | 2025-03-14 | 4.3 Medium |
| In certain scenarios a malicious website could attempt to display a fake location URL bar which could mislead users as to the actual website address This vulnerability affects Firefox for iOS < 127. | ||||
| CVE-2024-54840 | 1 Cyberark | 1 Privileged Access Manager | 2025-03-14 | 4.2 Medium |
| PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection. | ||||
| CVE-2024-34314 | 1 Cmseasy | 1 Cmseasy | 2025-03-14 | 7.5 High |
| CmsEasy v7.7.7.9 was discovered to contain a local file inclusion vunerability via the file_get_contents function in the fetch_action method of /admin/template_admin.php. This vulnerability allows attackers to read arbitrary files. | ||||
| CVE-2024-1898 | 1 Devolutions | 1 Devolutions Server | 2025-03-14 | 3.9 Low |
| Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to change notifications settings configured by an administrator. | ||||
| CVE-2023-38124 | 1 Inductiveautomation | 1 Ignition | 2025-03-13 | 8.8 High |
| Inductive Automation Ignition OPC UA Quick Client Task Scheduling Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the Ignition Gateway server. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20541. | ||||
| CVE-2023-34282 | 1 Dlink | 2 Dir-2150, Dir-2150 Firmware | 2025-03-13 | 8.8 High |
| D-Link DIR-2150 HNAP Incorrect Implementation of Authentication Algorithm Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-2150 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. A crafted authentication header can cause authentication to succeed without providing proper credentials. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20910. | ||||
| CVE-2023-34274 | 1 Dlink | 2 Dir-2150, Dir-2150 Firmware | 2025-03-13 | 8.8 High |
| D-Link DIR-2150 LoginPassword Incorrect Implementation of Authentication Algorithm Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-2150 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. A crafted login request can cause authentication to succeed without providing proper credentials. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20552. | ||||
| CVE-2024-41251 | 2 Kashipara, Lopalopa | 2 Responsive School Management System, Responsive School Management System | 2025-03-13 | 6.5 Medium |
| An Incorrect Access Control vulnerability was found in /smsa/admin_teacher_register_approval.php and /smsa/admin_teacher_register_approval_submit.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view and approve Teacher registration. | ||||
| CVE-2024-37371 | 3 Debian, Mit, Redhat | 9 Debian Linux, Kerberos 5, Enterprise Linux and 6 more | 2025-03-13 | 9.1 Critical |
| In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. | ||||
| CVE-2024-43084 | 1 Google | 1 Android | 2025-03-13 | 6.2 Medium |
| In visitUris of multiple files, there is a possible information disclosure due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-25616 | 1 Changeweb | 1 Unifiedtransform | 2025-03-13 | 7.6 High |
| Unifiedtransform 2.0 is vulnerable to Incorrect Access Control, which allows students to modify rules for exams. The affected endpoint is /exams/edit-rule?exam_rule_id=1. | ||||
| CVE-2025-25615 | 1 Changeweb | 1 Unifiedtransform | 2025-03-13 | 6 Medium |
| Unifiedtransform 2.0 is vulnerable to Incorrect Access Control which allows viewing attendance list for all class sections. | ||||
| CVE-2024-37279 | 1 Elastic | 1 Kibana | 2025-03-13 | 4.3 Medium |
| A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries. | ||||
| CVE-2024-31398 | 1 Cybozu | 1 Garoon | 2025-03-13 | 4.3 Medium |
| Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.0.0 to 5.15.2. If this vulnerability is exploited, a user who can log in to the product may obtain information on the list of users. | ||||
| CVE-2024-27855 | 1 Apple | 4 Ipad Os, Ipados, Iphone Os and 1 more | 2025-03-13 | 8.8 High |
| The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5, macOS Ventura 13.6.7, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. A shortcut may be able to use sensitive data with certain actions without prompting the user. | ||||
| CVE-2024-3061 | 1 Pluginus | 1 Husky - Products Filter Professional For Woocommerce | 2025-03-13 | 7.2 High |
| The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.5.2 via the 'type' parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2022-40231 | 3 Ibm, Linux, Microsoft | 4 Aix, Sterling B2b Integrator, Linux Kernel and 1 more | 2025-03-12 | 4.3 Medium |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.7 and 6.1.0.0 through 6.1.2.0 could allow an authenticated user to perform unauthorized actions due to improper access controls. IBM X-Force ID: 235533. | ||||
| CVE-2022-48341 | 1 Thingsboard | 1 Thingsboard | 2025-03-12 | 8.8 High |
| ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve Vertical Privilege Escalation. A Tenant Administrator can obtain System Administrator dashboard access by modifying the scope via the scopes parameter. | ||||
| CVE-2023-38122 | 1 Inductiveautomation | 1 Ignition | 2025-03-12 | 7.2 High |
| Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Security Policy headers. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-20539. | ||||
| CVE-2023-22920 | 1 Zyxel | 4 Lte3202-m437, Lte3202-m437 Firmware, Lte3316-m604 and 1 more | 2025-03-12 | 9.8 Critical |
| A security misconfiguration vulnerability exists in the Zyxel LTE3316-M604 firmware version V2.00(ABMP.6)C0 due to a factory default misconfiguration intended for testing purposes. A remote attacker could leverage this vulnerability to access an affected device using Telnet. | ||||