Threat details | DataType | ProblemTypes | Impact | Publishdate
---|---|---|---|---
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been rated as critical. Affected by this issue is the function Assimp::AC3DImporter::ConvertObjectSection of the file code/AssetLib/AC/ACLoader.cpp of the component AC3D File Handler. The manipulation of the argument src.entries leads to out-of-bounds read. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-125 | NETWORK: LOW | 03-25-2025
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been classified as critical. Affected is the function SceneCombiner::MergeScenes of the file code/AssetLib/LWS/LWSLoader.cpp of the component LWS File Handler. The manipulation leads to out-of-bounds read. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-125 | NETWORK: LOW | 03-25-2025
A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. | CVE | CWE-770 | NETWORK: LOW | 03-25-2025
The Frndzk Expandable Bottom Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | CVE | CWE-79 | NETWORK: LOW | 03-25-2025
The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.11.13 to 5.25.08. This is due to missing or incorrect nonce validation on the 'ELISQLREPORTS_menu' function. This makes it possible for unauthenticated attackers to execute code on the server via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Version 5.25.10 adds a nonce check, which makes this vulnerability exploitable by admins only. | CVE | CWE-352 | NETWORK: LOW | 03-25-2025
The Alert Box Block – Display notice/alerts in the front end. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Alert Box block in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 03-25-2025
The Estatebud – Properties & Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.0. This is due to missing or incorrect nonce validation on the 'estatebud_settings' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-352 | NETWORK: LOW | 03-25-2025
The WP Church Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several donation form submission parameters in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 03-25-2025
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been declared as critical. Affected by this vulnerability is the function Assimp::AC3DImporter::ConvertObjectSection of the file code/AssetLib/AC/ACLoader.cpp of the component AC3D File Handler. The manipulation of the argument it leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-122 | NETWORK: LOW | 03-25-2025
A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This issue affects the function fast_atoreal_move in the library include/assimp/fast_atof.h of the component CSM File Handler. The manipulation leads to out-of-bounds read. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-125 | NETWORK: LOW | 03-25-2025
A vulnerability has been found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This vulnerability affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation of the argument na leads to out-of-bounds read. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-125 | NETWORK: LOW | 03-25-2025
A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation leads to out-of-bounds write. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-787 | NETWORK: LOW | 03-25-2025
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal. | CVE | CWE-200 | NETWORK: LOW | 03-25-2025
The DICOM Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dcm' shortcode in all versions up to, and including, 0.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 03-25-2025
The teachPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.0.9. This is due to missing or incorrect nonce validation on the import.php page. This makes it possible for unauthenticated attackers to delete imports via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-352 | NETWORK: LOW | 03-25-2025
A vulnerability classified as critical has been found in PHPGurukul Old Age Home Management System 1.0. Affected is an unknown function of the file /admin/eligibility.php. The manipulation of the argument pagetitle leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability, which was classified as problematic, has been found in zhijiantianya ruoyi-vue-pro 2.4.1. This issue affects some unknown processing of the file /admin-api/mp/material/upload-temporary of the component Material Upload Interface. The manipulation of the argument File leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-22 | NETWORK: LOW | 03-25-2025
A vulnerability, which was classified as critical, was found in zhijiantianya ruoyi-vue-pro 2.4.1. Affected is an unknown function of the file /admin-api/mp/material/upload-news-image of the component Material Upload Interface. The manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-22 | NETWORK: LOW | 03-25-2025
A vulnerability classified as critical was found in zhijiantianya ruoyi-vue-pro 2.4.1. This vulnerability affects unknown code of the file /admin-api/mp/material/upload-permanent of the component Material Upload Interface. The manipulation of the argument File leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-22 | NETWORK: LOW | 03-25-2025
The Product Labels For Woocommerce (Sale Badges) WordPress plugin before 1.5.11 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. | CVE | | LOW | 03-25-2025
The Product Labels For Woocommerce (Sale Badges) WordPress plugin before 1.5.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. | CVE | | LOW | 03-25-2025
The WP Tabs WordPress plugin before 2.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The Registrations for the Events Calendar WordPress plugin before 2.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The Quiz and Survey Master (QSM) WordPress plugin before 9.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The Slider by 10Web WordPress plugin before 1.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The WordPress WP-Advanced-Search WordPress plugin before 3.3.9.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The Stylish Price List WordPress plugin before 7.1.12 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
An External Control of File Name or Path vulnerability in the APROL Web Portal used in B&R APROL <4.4-005P may allow an authenticated network-based attacker to access data from the file system. | CVE | CWE-73 | LOW | 03-25-2025
The Job Postings WordPress plugin before 2.7.11 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The Simple Banner WordPress plugin before 3.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The IP Based Login WordPress plugin before 2.4.1 does not have CSRF checks in some places, which could allow attackers to make logged in users delete all logs via a CSRF attack. | CVE | | LOW | 03-25-2025
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname. | CVE | | LOW | 03-25-2025
The does not sanitise and escape some parameters when outputting them back in a page, allowing unauthenticated users the ability to perform stored Cross-Site Scripting attacks. | CVE | | LOW | 03-25-2025
The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
A vulnerability was found in PHPGurukul Old Age Home Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/manage-services.php. The manipulation of the argument sertitle leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability was found in PHPGurukul Old Age Home Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/manage-scdetails.php. The manipulation of the argument namesc leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability was found in PHPGurukul Old Age Home Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/contactus.php. The manipulation of the argument pagetitle leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 03-25-2025
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'. | CVE | CWE-862 | NETWORK: LOW | 03-25-2025
Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays. | CVE | | LOW | 03-25-2025
The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | | LOW | 03-25-2025
The DesignThemes Core Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 03-25-2025
The WP-Recall WordPress plugin before 16.26.12 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. | CVE | | LOW | 03-25-2025
SQL Injection can occur in the SirsiDynix Horizon Information Portal (IPAC20) through 3.25_9382; however, a patch is available from the vendor. This is in ipac.jsp in a SELECT WHERE statement, in a part of the uri= variable in the second part of the full= inner variable. | CVE | | LOW | 03-25-2025
The Stylish Google Sheet Reader 4.0 WordPress plugin before 4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | CVE | | LOW | 03-25-2025
The aoa-downloadable WordPress plugin through 0.1.0 lacks authorization and authentication for requests to its download.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. | CVE | | LOW | 03-25-2025
The aoa-downloadable WordPress plugin through 0.1.0 doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server. | CVE | | LOW | 03-25-2025
An Improper Neutralization of Input During Web Page Generation vulnerability in the APROL Web Portal used in B&R APROL <4.4-00P5 may allow an authenticated network-based attacker to insert malicious code which is then executed in the context of the user's browser session. | CVE | CWE-79 | LOW | 03-25-2025
An Improper Control of Generation of Code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system. | CVE | CWE-94 | LOW | 03-25-2025
An Incorrect Permission Assignment for Critical Resource vulnerability in the file system used in B&R APROL <4.4-01 may allow an authenticated local attacker to read and alter the configuration of another engineering or runtime user. | CVE | CWE-732 | LOW | 03-25-2025
A vulnerability has been found in PHPGurukul Old Age Home Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/add-services.php. The manipulation of the argument sertitle leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 03-25-2025
A Server-Side Request Forgery vulnerability in the APROL Web Portal used in B&R APROL <4.4-00P5 may allow an authenticated network-based attacker to force the web server to request arbitrary URLs. | CVE | CWE-918 | LOW | 03-25-2025
A Server-Side Request Forgery vulnerability in the APROL Web Portal used in B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to force the web server to request arbitrary URLs. | CVE | CWE-918 | LOW | 03-25-2025
An Inclusion of Functionality from Untrusted Control Sphere vulnerability in the SSH server on B&R APROL <4.4-00P1 may allow an authenticated local attacker from a trusted remote server to execute malicious commands. | CVE | CWE-829 | LOW | 03-25-2025
An Incomplete Filtering of Special Elements vulnerability in scripts using the SSH server on B&R APROL <4.4-00P5 may allow an authenticated local attacker to authenticate as another legitimate user. | CVE | CWE-791 | LOW | 03-25-2025
A vulnerability was found in PHPGurukul Old Age Home Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/bwdates-report-details.php. The manipulation of the argument fromdate leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 03-25-2025
A Missing Authentication for Critical Function vulnerability in the GRUB configuration used in B&R APROL <4.4-01 may allow an unauthenticated physical attacker to alter the boot configuration of the operating system. | CVE | CWE-306 | LOW | 03-25-2025
An Allocation of Resources Without Limits or Throttling vulnerability in the operating system network configuration used in B&R APROL <4.4-00P5 may allow an unauthenticated adjacent attacker to perform Denial-of-Service (DoS) attacks against the product. | CVE | CWE-770 | LOW | 03-25-2025
An Exposure of Sensitive System Information to an Unauthorized Control Sphere and Initialization of a Resource with an Insecure Default vulnerability in the SNMP component of B&R APROL <4.4-00P5 may allow an unauthenticated adjacent-based attacker to read and alter configuration using SNMP. | CVE | CWE-1188, CWE-497 | LOW | 03-25-2025
An Incorrect Implementation of Authentication Algorithm and Exposure of Data Element to Wrong Session vulnerability in the session handling used in B&R APROL <4.4-00P5 may allow an authenticated network attacker to take over a currently active user session without login credentials. | CVE | CWE-303, CWE-488 | LOW | 03-25-2025
An Improper Handling of Insufficient Permissions or Privileges vulnerability in scripts used in B&R APROL <4.4-00P5 may allow an authenticated local attacker to read credential information. | CVE | CWE-280 | LOW | 03-25-2025
A vulnerability classified as critical has been found in mannaandpoem OpenManus up to 2025.3.13. This affects an unknown part of the file app/tool/python_execute.py of the component Prompt Handler. The manipulation leads to OS command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-78, CWE-77 | NETWORK: LOW | 03-25-2025
A vulnerability, which was classified as critical, was found in PHPGurukul Old Age Home Management System 1.0. Affected is an unknown function of the file /admin/aboutus.php. The manipulation of the argument pagetitle leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/wizard/getWifiNeighbour of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-77, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/wizard/getDualbandSync of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-77, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability, which was classified as critical, has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. Affected by this issue is some unknown functionality of the file /api/esps of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-77, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability classified as critical was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. Affected by this vulnerability is an unknown functionality of the file /api/login/auth of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-77, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability has been found in H3C Magic NX30 Pro and Magic NX400 up to V100R014 and classified as critical. This vulnerability affects unknown code of the file /api/wizard/getNetworkConf. The manipulation leads to command injection. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-77, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability, which was classified as critical, was found in H3C Magic NX30 Pro up to V100R007. This affects an unknown part of the file /api/wizard/getNetworkStatus of the component HTTP POST Request Handler. The manipulation leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-77, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014 and classified as critical. This issue affects some unknown processing of the file /api/wizard/networkSetup of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-77, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been classified as critical. Affected is an unknown function of the file /api/wizard/getssidname of the component HTTP POST Request Handler. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-77, CWE-74 | NETWORK: LOW | 03-25-2025
A vulnerability classified as problematic has been found in GNOME libgsf up to 1.14.53. Affected is the function sorting_key_copy. The manipulation of the argument Name leads to out-of-bounds read. It is possible to launch the attack on the local host. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-119, CWE-125 | LOCAL: LOW | 03-25-2025
A vulnerability was found in GNOME libgsf up to 1.14.53. It has been rated as critical. This issue affects the function gsf_property_settings_collec. The manipulation of the argument n_alloced_params leads to heap-based buffer overflow. Attacking locally is a requirement. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-119, CWE-122 | LOCAL: LOW | 03-25-2025
A vulnerability was found in GNOME libgsf up to 1.14.53. It has been declared as critical. This vulnerability affects the function gsf_prop_settings_collect_va. The manipulation of the argument n_alloced_params leads to heap-based buffer overflow. Local access is required to approach this attack. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-119, CWE-122 | LOCAL: LOW | 03-25-2025
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1`, and would therefore also be compromised regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos. | CVE | CWE-506 | LOW | 03-25-2025
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | CVE | | LOW | 03-25-2025
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | CVE | | LOW | 03-25-2025
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | CVE | | LOW | 03-25-2025
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | CVE | | LOW | 03-25-2025
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster. | CVE | | LOW | 03-25-2025
A vulnerability, which was classified as critical, has been found in D-Link DIR-823X 240126/240802. This issue affects the function sub_41710C of the file /goform/diag_nslookup of the component HTTP POST Request Handler. The manipulation of the argument target_addr leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-78, CWE-77 | NETWORK: LOW | 03-25-2025
Threat detailsA vulnerability was found in GNOME libgsf up to 1.14.53 and classified as problematic. Affected by this issue is the function gsf_base64_encode_simple. The manipulation of the argument size leads to use of uninitialized variable. The attack needs to be approached locally. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-453, CWE-457 | LOCAL: LOW | 03-25-2025 |
Threat detailsA vulnerability was found in GNOME libgsf up to 1.14.53. It has been classified as critical. This affects the function gsf_base64_encode_simple. The manipulation of the argument size_t leads to heap-based buffer overflow. An attack has to be approached locally. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-119, CWE-122 | LOCAL: LOW | 03-25-2025 |
Threat detailsSnapCenter versions prior to 6.0.1P1 and 6.1P1 are susceptible to a vulnerability which may allow an authenticated SnapCenter Server user to become an admin user on a remote system where a SnapCenter plug-in has been installed. | CVE | LOW | 03-25-2025 | |
Threat detailsA vulnerability classified as problematic was found in China Mobile P22g-CIac 1.0.00.488. This vulnerability affects unknown code of the component Samba Path Handler. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-22 | NETWORK: LOW | 03-24-2025 |
Threat detailsA vulnerability classified as problematic has been found in timschofield webERP up to 5.0.0.rc+13. This affects an unknown part of the file ConfirmDispatch_Invoice.php of the component Confirm Dispatch and Invoice Page. The manipulation of the argument Narrative leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-79, CWE-94 | NETWORK: LOW | 03-24-2025 |
Threat detailsOn IROAD v9 devices, one can Remotely Dump Video Footage and the Live Video Stream. The dashcam exposes endpoints that allow unauthorized users, who gained access through other means, to list and download recorded videos, as well as access live video streams without proper authentication. | CVE | LOW | 03-24-2025 | |
Threat detailsOn IROAD V9 devices, Managing Settings and Obtaining Sensitive Data and Sabotaging the Car Battery can be performed by unauthorized parties. A vulnerability in the dashcam's configuration management allows unauthorized users to modify settings, disable critical functions, and turn off battery protection, potentially causing physical damage to the vehicle. | CVE | LOW | 03-24-2025 | |
Threat detailsA vulnerability was found in Yonyou UFIDA ERP-NC 5.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /help/top.jsp. The manipulation of the argument langcode leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-79, CWE-94 | NETWORK: LOW | 03-24-2025 |
Threat detailsA vulnerability was found in JoomlaUX JUX Real Estate 3.4.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /extensions/realestate/index.php/agents/agent-register/addagent. The manipulation of the argument plan_id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-79, CWE-94 | NETWORK: LOW | 03-24-2025 |
Threat detailsA vulnerability was found in Yonyou UFIDA ERP-NC 5.0 and classified as problematic. This issue affects some unknown processing of the file /menu.jsp. The manipulation of the argument flag leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | CVE | CWE-79, CWE-94 | NETWORK: LOW | 03-24-2025 |
Threat detailsThe bundle management module lacks authentication and control mechanisms in some APIs. Successful exploitation of this vulnerability may affect data confidentiality. | CVE | CWE-306 | NETWORK: LOW | 03-24-2025 |
Threat detailsThe AMS module has a vulnerability of lacking permission verification in APIs.Successful exploitation of this vulnerability may affect data confidentiality. | CVE | NVD-CWE-Other | NETWORK: LOW | 03-24-2025 |
Threat detailsThe IHwAttestationService interface has a defect in authentication. Successful exploitation of this vulnerability may affect data confidentiality. | CVE | CWE-287 | NETWORK: LOW | 03-24-2025 |