Total
4525 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-25717 | 1 Ruckuswireless | 61 E510, H320, H350 and 58 more | 2025-01-29 | N/A | 9.8 CRITICAL |
| Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring. | |||||
| CVE-2025-0790 | 2025-01-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability classified as problematic was found in ESAFENET CDG V5. This vulnerability affects unknown code of the file /doneDetail.jsp. The manipulation of the argument curpage leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-0787 | 2025-01-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in ESAFENET CDG V5. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /appDetail.jsp. The manipulation of the argument curpage leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-0795 | 2025-01-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in ESAFENET CDG V5. It has been classified as problematic. This affects an unknown part of the file /todolistjump.jsp. The manipulation of the argument flowId leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-0794 | 2025-01-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in ESAFENET CDG V5 and classified as problematic. Affected by this issue is some unknown functionality of the file /todoDetail.jsp. The manipulation of the argument curpage leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-0785 | 2025-01-28 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in ESAFENET CDG V5 and classified as problematic. This issue affects some unknown processing of the file /SysConfig.jsp. The manipulation of the argument help leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-24482 | 2025-01-28 | N/A | N/A | ||
| A Local Code Injection Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect default permissions and allows for DLLs to be executed with higher level permissions. | |||||
| CVE-2024-3892 | 1 Telerik | 1 Ui For Winforms | 2025-01-28 | N/A | 7.2 HIGH |
| A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system. | |||||
| CVE-2023-41783 | 1 Zte | 1 Zxcloud Irai | 2025-01-28 | N/A | 4.3 MEDIUM |
| There is a command injection vulnerability of ZTE's ZXCLOUD iRAI. Due to the program failed to adequately validate the user's input, an attacker could exploit this vulnerability to escalate local privileges. | |||||
| CVE-2018-14667 | 1 Redhat | 2 Enterprise Linux, Richfaces | 2025-01-27 | 7.5 HIGH | 9.8 CRITICAL |
| The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData. | |||||
| CVE-2024-4040 | 1 Crushftp | 1 Crushftp | 2025-01-27 | N/A | 9.8 CRITICAL |
| A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. | |||||
| CVE-2023-6548 | 1 Citrix | 2 Netscaler Application Delivery Controller, Netscaler Gateway | 2025-01-27 | N/A | 5.5 MEDIUM |
| Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on Management Interface. | |||||
| CVE-2024-23692 | 1 Rejetto | 1 Http File Server | 2025-01-27 | N/A | 9.8 CRITICAL |
| Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported. | |||||
| CVE-2024-20359 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2025-01-27 | N/A | 6.0 MEDIUM |
| A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High. | |||||
| CVE-2024-21546 | 2025-01-27 | N/A | 9.8 CRITICAL | ||
| Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE) through using a valid mimetype and inserting the . character after the php file extension. This allows the attacker to execute malicious code. | |||||
| CVE-2022-47129 | 1 Phpok | 1 Phpok | 2025-01-27 | N/A | 9.8 CRITICAL |
| PHPOK v6.3 was discovered to contain a remote code execution (RCE) vulnerability. | |||||
| CVE-2025-21292 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2025-01-24 | N/A | 8.8 HIGH |
| Windows Search Service Elevation of Privilege Vulnerability | |||||
| CVE-2025-0710 | 2025-01-24 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability classified as problematic has been found in CampCodes School Management Software 1.0. Affected is an unknown function of the file /notice-list of the component Notice Board Page. The manipulation of the argument Notice leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0709 | 2025-01-24 | 3.3 LOW | 2.4 LOW | ||
| A vulnerability was found in Dcat-Admin 2.2.1-beta. It has been rated as problematic. This issue affects some unknown processing of the file /admin/auth/roles of the component Roles Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-13495 | 1 Gamipress | 1 Gamipress | 2025-01-24 | N/A | 7.3 HIGH |
| The The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the gamipress_ajax_get_logs() function in all versions up to, and including, 7.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||