Total
4306 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-12222 | 1 Bdtask | 1 Flight Booking Software | 2025-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in Bdtask Flight Booking Software up to 3.1. Affected by this issue is some unknown functionality of the file /admin/transaction/deposit of the component Deposit Handler. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-9804 | 1 Wso2 | 15 Api Control Plane, Api Manager, Api Manager Analytics and 12 more | 2025-11-21 | N/A | 9.6 CRITICAL |
| An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected. | |||||
| CVE-2025-13423 | 1 Campcodes | 1 Retro Basketball Shoes Online Store | 2025-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_product.php. Executing manipulation of the argument product_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2025-41737 | 1 Metz-connect | 6 Ewio2-bm, Ewio2-bm Firmware, Ewio2-m and 3 more | 2025-11-21 | N/A | 7.5 HIGH |
| Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules. | |||||
| CVE-2025-12862 | 1 Projectworlds | 1 Online Notes Sharing Platform | 2025-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in projectworlds Online Notes Sharing Platform 1.0. Affected by this issue is some unknown functionality of the file /dashboard/userprofile.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be performed from remote. The exploit is publicly available and might be used. | |||||
| CVE-2025-7895 | 1 Harry0703 | 1 Moneyprinterturbo | 2025-11-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in harry0703 MoneyPrinterTurbo up to 1.2.6. Affected is the function upload_bgm_file of the file app/controllers/v1/video.py of the component File Extension Handler. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. | |||||
| CVE-2025-13250 | 1 Datax-web Project | 1 Datax-web | 2025-11-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in WeiYe-Jing datax-web up to 2.1.2. This impacts the function remove/update/pause/start/triggerJob of the component Job Handler. Performing manipulation results in improper access controls. The attack may be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2025-59512 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2025-11-20 | N/A | 7.8 HIGH |
| Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-54561 | 1 Desktopalert | 1 Pingalert Application Server | 2025-11-20 | N/A | 4.3 MEDIUM |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote access to content despite lack of the correct permission through a Broken Authorization Schema. | |||||
| CVE-2025-54339 | 1 Desktopalert | 1 Pingalert Application Server | 2025-11-19 | N/A | 10.0 CRITICAL |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | |||||
| CVE-2025-54343 | 1 Desktopalert | 1 Pingalert Application Server | 2025-11-19 | N/A | 9.6 CRITICAL |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | |||||
| CVE-2025-53360 | 2025-11-19 | N/A | 4.3 MEDIUM | ||
| pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. In versions prior to 1.0.3, any authenticated user could send requests to agents. This issue has been patched in version 1.0.3. | |||||
| CVE-2024-28390 | 1 Advancedplugins | 1 Ultimateimagetool | 2025-11-19 | N/A | 9.8 CRITICAL |
| An issue in Advanced Plugins ultimateimagetool module for PrestaShop before v.2.2.01, allows a remote attacker to escalate privileges and obtain sensitive information via Improper Access Control. | |||||
| CVE-2024-6364 | 1 Absolute | 1 Persistence | 2025-11-19 | N/A | 6.4 MEDIUM |
| A vulnerability in Absolute Persistence® versions before 2.8 exists when it is not activated. This may allow a skilled attacker with both physical access to the device, and full hostile network control, to initiate OS commands on the device. To remediate this vulnerability, update the device firmware to the latest available version. Please contact the device manufacturer for upgrade instructions or contact Absolute Security, see reference below. | |||||
| CVE-2015-6867 | 1 Opentext | 1 Vertica | 2025-11-19 | 7.5 HIGH | N/A |
| The vertica-udx-zygote process in HP Vertica 7.1.1 UDx does not require authentication, which allows remote attackers to execute arbitrary commands via a crafted packet, aka ZDI-CAN-2914. | |||||
| CVE-2025-45237 | 1 Dbsyncer Project | 1 Dbsyncer | 2025-11-18 | N/A | 7.5 HIGH |
| Incorrect access control in the component /config/download of DBSyncer v2.0.6 allows attackers to access the JSON file containing sensitive account information, including the encrypted password. | |||||
| CVE-2025-12182 | 2025-11-18 | N/A | 4.3 MEDIUM | ||
| The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images. | |||||
| CVE-2025-13198 | 2025-11-18 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A vulnerability has been found in DouPHP up to 1.8 Release 20251022. This impacts an unknown function of the file upload/include/file.class.php. The manipulation of the argument File leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-13249 | 2025-11-18 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in Jiusi OA up to 20251102. This affects an unknown function of the file /OfficeServer?isAjaxDownloadTemplate=false of the component OfficeServer Interface. Such manipulation of the argument FileData leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-13275 | 2025-11-18 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A security vulnerability has been detected in Iqbolshoh php-business-website up to 10677743a8dfc281f85291a27cf63a0bce043c24. This affects an unknown part of the file /admin/about.php. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | |||||