Total
3971 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-37136 | 2025-10-14 | N/A | 6.5 MEDIUM | ||
| Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | |||||
| CVE-2025-37135 | 2025-10-14 | N/A | 6.5 MEDIUM | ||
| Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | |||||
| CVE-2025-48707 | 1 Stormshield | 1 Stormshield Network Security | 2025-10-14 | N/A | 7.5 HIGH |
| An issue was discovered in Stormshield Network Security (SNS) before 5.0.1. TPM authentication information could, in some HA use cases, be shared among administrators, which can cause secret sharing. | |||||
| CVE-2025-10398 | 1 Fcba Zzm | 1 Smart Park Management System | 2025-10-14 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in fcba_zzm ics-park Smart Park Management System 2.0. This vulnerability affects unknown code of the file FileUploadUtils.java. The manipulation of the argument File results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-11655 | 2025-10-14 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A security flaw has been discovered in Total.js Flow up to 673ef9144dd25d4f4fd4fdfda5af27f230198924. The impacted element is an unknown function of the component SVG File Handler. Performing manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11641 | 2025-10-14 | 3.7 LOW | 3.9 LOW | ||
| A vulnerability was determined in Tomofun Furbo 360 and Furbo Mini. This impacts an unknown function of the component Trial Restriction Handler. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The attack is considered to have high complexity. The exploitability is said to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11634 | 2025-10-14 | 2.1 LOW | 2.4 LOW | ||
| A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. This affects an unknown part of the component UART Interface. The manipulation results in information disclosure. An attack on the physical device is feasible. The exploit has been released to the public and may be exploited. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-62159 | 2025-10-14 | N/A | N/A | ||
| External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously retrieved Kubernetes secrets directly, without validating the namespace context or the type of secret store. This allowed unauthorized cross-namespace secret access, violating security boundaries and potentially exposing sensitive credentials. In version 0.20.0, the provider code was updated to use the `resolvers.SecretKeyRef` utility, which enforces namespace validation and only allows cross-namespace access for `ClusterSecretStore` types. This ensures secrets are only retrieved from the correct namespace, mitigating the risk of unauthorized access. All users should upgrade to the latest version containing this fix. As a workaround, use a policy engine such as Kyverno or OPA to prevent using BeyondTrust provider and/or validate the `(Cluster)SecretStore` and ensure the namespace may only be set when using a `ClusterSecretStore`. | |||||
| CVE-2025-0033 | 2025-10-14 | N/A | 6.0 MEDIUM | ||
| Improper access control within AMD SEV-SNP could allow an admin privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity. | |||||
| CVE-2025-55694 | 2025-10-14 | N/A | 7.8 HIGH | ||
| Improper access control in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-58726 | 2025-10-14 | N/A | 7.5 HIGH | ||
| Improper access control in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2025-58714 | 2025-10-14 | N/A | 7.8 HIGH | ||
| Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-37143 | 2025-10-14 | N/A | 4.9 MEDIUM | ||
| An arbitrary file download vulnerability exists in the web-based management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an Authenticated malicious actor to download arbitrary files through carefully constructed exploits. | |||||
| CVE-2025-54603 | 2025-10-14 | N/A | 6.5 MEDIUM | ||
| An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users. | |||||
| CVE-2025-59199 | 2025-10-14 | N/A | 7.8 HIGH | ||
| Improper access control in Software Protection Platform (SPP) allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-11354 | 1 Fabian | 1 Online Hotel Reservation System | 2025-10-14 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in code-projects Online Hotel Reservation System 1.0. Affected is an unknown function of the file /admin/addslideexec.php. Executing manipulation of the argument image can lead to unrestricted upload. The attack may be performed from remote. The exploit has been published and may be used. | |||||
| CVE-2024-28805 | 1 Italtel | 1 I-mcs Nfv | 2025-10-14 | N/A | 9.1 CRITICAL |
| An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. There is Incorrect Access Control. | |||||
| CVE-2024-25653 | 1 Delinea | 1 Secret Server | 2025-10-14 | N/A | 4.3 MEDIUM |
| Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI. | |||||
| CVE-2025-23367 | 1 Redhat | 2 Jboss Enterprise Application Platform, Wildfly | 2025-10-14 | N/A | 6.5 MEDIUM |
| A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. | |||||
| CVE-2025-11347 | 1 Code-projects | 1 Crud Operation System | 2025-10-14 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in code-projects Student Crud Operation up to 3.3. This vulnerability affects the function move_uploaded_file of the file add.php of the component Add Student Page/Edit Student Page. Performing manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit has been made public and could be used. | |||||