Total
9398 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-2516 | 1 Microsoft | 5 Windows 2000, Windows Server 2003, Windows Server 2008 and 2 more | 2025-01-21 | 6.9 MEDIUM | N/A |
| The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold and SP1, and Server 2008 Gold does not properly validate data sent from user mode, which allows local users to gain privileges via a crafted PE .exe file that triggers a NULL pointer dereference during chain traversal, aka "Windows Kernel NULL Pointer Dereference Vulnerability." | |||||
| CVE-2009-0082 | 1 Microsoft | 5 Windows 2000, Windows Server 2003, Windows Server 2008 and 2 more | 2025-01-21 | 7.2 HIGH | N/A |
| The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate handles, which allows local users to gain privileges via a crafted application that triggers unspecified "actions," aka "Windows Kernel Handle Validation Vulnerability." | |||||
| CVE-2025-23202 | 2025-01-17 | N/A | N/A | ||
| Bible Module is a tool designed for ROBLOX developers to integrate Bible functionality into their games. The `FetchVerse` and `FetchPassage` functions in the Bible Module are susceptible to injection attacks due to the absence of input validation. This vulnerability could allow an attacker to manipulate the API request URLs, potentially leading to unauthorized access or data tampering. This issue has been addressed in version 0.0.3. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2013-3735 | 1 Php | 1 Php | 2025-01-16 | 5.0 MEDIUM | N/A |
| The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as demonstrated by an attack within a shared web-hosting environment. NOTE: the vendor's http://php.net/security-note.php page says "for critical security situations you should be using OS-level security by running multiple web servers each as their own user id. | |||||
| CVE-2010-4335 | 2 Cakefoundation, Cakephp | 2 Cakephp, Cakephp | 2025-01-15 | 7.5 HIGH | N/A |
| The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files. | |||||
| CVE-2025-23041 | 2025-01-14 | N/A | N/A | ||
| Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2025-0465 | 2025-01-14 | N/A | N/A | ||
| A vulnerability was found in AquilaCMS 1.412.13. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v2/categories. The manipulation of the argument PostBody.populate leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-23754 | 1 Joomla | 1 Joomla\! | 2025-01-09 | N/A | 6.1 MEDIUM |
| An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen. | |||||
| CVE-2025-22137 | 2025-01-08 | N/A | N/A | ||
| Pingvin Share is a self-hosted file sharing platform and an alternative for WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, including sensitive system files, via HTTP POST requests. The issue has been patched in version 1.4.0. | |||||
| CVE-2024-51741 | 2025-01-06 | N/A | N/A | ||
| Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2. | |||||
| CVE-2009-2055 | 1 Cisco | 1 Ios Xr | 2025-01-06 | 4.3 MEDIUM | N/A |
| Cisco IOS XR 3.4.0 through 3.8.1 allows remote attackers to cause a denial of service (session reset) via a BGP UPDATE message with an invalid attribute, as demonstrated in the wild on 17 August 2009. | |||||
| CVE-2024-12994 | 2024-12-28 | N/A | N/A | ||
| A vulnerability was found in running-elephant Datart 1.0.0-rc3. It has been rated as critical. Affected by this issue is the function extractModel of the file /import of the component File Upload. The manipulation of the argument file leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-25131 | 2024-12-19 | N/A | 8.8 HIGH | ||
| A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially crafted file and set the most privileged service account to run the job. This can allow a standard developer user to escalate their privileges to a cluster administrator and pivot to the AWS environment. | |||||
| CVE-2020-3390 | 1 Cisco | 7 Catalyst 9800-40, Catalyst 9800-80, Catalyst 9800-cl and 4 more | 2024-12-19 | 5.7 MEDIUM | 7.4 HIGH |
| A vulnerability in Simple Network Management Protocol (SNMP) trap generation for wireless clients of the Cisco IOS XE Wireless Controller Software for the Cisco Catalyst 9000 Family could allow an unauthenticated, adjacent attacker to cause the device to unexpectedly reload, causing a denial of service (DoS) condition on an affected device. The vulnerability is due to the lack of input validation of the information used to generate an SNMP trap in relation to a wireless client connection. An attacker could exploit this vulnerability by sending an 802.1x packet with crafted parameters during the wireless authentication setup phase of a connection. A successful exploit could allow the attacker to cause the device to reload, causing a DoS condition. | |||||
| CVE-2020-3359 | 1 Cisco | 15 2610xm, 2611xm, 2612 and 12 more | 2024-12-19 | 7.8 HIGH | 8.6 HIGH |
| A vulnerability in the multicast DNS (mDNS) feature of Cisco IOS XE Software for Cisco Catalyst 9800 Series Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper validation of mDNS packets. An attacker could exploit this vulnerability by sending a crafted mDNS packet to an affected device. A successful exploit could cause a device to reload, resulting in a DoS condition. | |||||
| CVE-2020-3393 | 1 Cisco | 128 1100-4g Integrated Services Router, 1100-4gltegb Integrated Services Router, 1100-4gltena Integrated Services Router and 125 more | 2024-12-19 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the application-hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. The attacker could execute IOS XE commands outside the application-hosting subsystem Docker container as well as on the underlying Linux operating system. These commands could be run as the root user. The vulnerability is due to a combination of two factors: (a) incomplete input validation of the user payload of CLI commands, and (b) improper role-based access control (RBAC) when commands are issued at the command line within the application-hosting subsystem. An attacker could exploit this vulnerability by using a CLI command with crafted user input. A successful exploit could allow the lower-privileged attacker to execute arbitrary CLI commands with root privileges. The attacker would need valid user credentials to exploit this vulnerability. | |||||
| CVE-2024-52590 | 2024-12-18 | N/A | N/A | ||
| Misskey is an open source, federated social media platform. In affected versions missing validation in `ApRequestService.signedGet` allows an attacker to create fake user profiles that appear to be from a different instance than the one where they actually exist. These profiles can be used to impersonate existing users from the target instance. Vulnerable Misskey instances will accept spoofed users as valid, allowing an attacker to impersonate users on another instance. Attackers have full control of the spoofed user and can post, renote, or otherwise interact like a real account. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-52593 | 2024-12-18 | N/A | N/A | ||
| Misskey is an open source, federated social media platform.In affected versions missing validation in `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` allows an attacker to control the target of any "origin" links (such as the "view on remote instance" banner). Any HTTPS URL can be set, even if it belongs to a different domain than the note / user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-52591 | 2024-12-18 | N/A | N/A | ||
| Misskey is an open source, federated social media platform. In affected versions missing validation in `ApRequestService.signedGet` and `HttpRequestService.getActivityJson` allows an attacker to create fake user profiles and forged notes. The spoofed users will appear to be from a different instance than the one where they actually exist, and the forged notes will appear to be posted by a different user. Vulnerable Misskey instances will accept the spoofed objects as valid, allowing an attacker to impersonate other users and instances. The attacker retains full control of the spoofed user / note and can interact like a real account. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-52579 | 2024-12-18 | N/A | N/A | ||
| Misskey is an open source, federated social media platform. Some APIs using `HttpRequestService` do not properly check the target host. This vulnerability allows an attacker to send POST or GET requests to the internal server, which may result in a SSRF attack.It allows an attacker to send POST or GET requests (with some controllable URL parameters) to private IPs, enabling further attacks on internal servers. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||