Search

Search Results (314234 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-60302 1 Code-projects 1 Client Details System 2025-10-14 6.1 Medium
code-projects Client Details System 1.0 is vulnerable to Cross Site Scripting (XSS). When adding customer information, the client details system fills in malicious JavaScript code in the username field.
CVE-2025-10281 1 Blsops 1 Bbot 2025-10-14 4.7 Medium
BBOT's git_clone module could be abused to disclose a GitHub API key to an attacker controlled server with a malicious formatted git URL.
CVE-2025-10283 1 Blsops 1 Bbot 2025-10-14 9.6 Critical
BBOT's gitdumper module could be abused to execute commands through a malicious git repository.
CVE-2025-10284 1 Blsops 1 Bbot 2025-10-14 9.6 Critical
BBOT's unarchive module could be abused by supplying malicious archives files and when extracted can then perform an arbitrary file write, resulting in remote code execution.
CVE-2025-59957 1 Juniper 1 Junos Os 2025-10-14 6.8 Medium
An Origin Validation Error vulnerability in an insufficient protected file of Juniper Networks Junos OS on EX4600 Series and QFX5000 Series allows an unauthenticated attacker with physical access to the device to create a backdoor which allows complete control of the system. When a device isn't configured with a root password, an attacker can modify a specific file. It's contents will be added to the Junos configuration of the device without being visible. This allows for the addition of any configuration unknown to the actual operator, which includes users, IP addresses and other configuration which could allow unauthorized access to the device. This exploit is persistent across reboots and even zeroization. The indicator of compromise is a modified /etc/config/<platform>-defaults[-flex].conf file. Review that file for unexpected configuration statements, or compare it to an unmodified version which can be extracted from the original Juniper software image file. For details on the extraction procedure please contact Juniper Technical Assistance Center (JTAC). To restore the device to a trusted initial configuration the system needs to be reinstalled from physical media.  This issue affects Junos OS on EX4600 Series and QFX5000 Series: * All versions before 21.4R3, * 22.2 versions before 22.2R3-S3.
CVE-2025-59974 1 Juniper 3 Junos, Junos Space, Space Security Director 2025-10-14 8.4 High
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Junos Space Security Director allows an attacker to inject malicious scripts into the application, which are then stored and executed in the context of other users' browsers when they access affected pages.This issue affects Juniper Security Director:  * All versions before 24.1R4.
CVE-2025-59980 1 Juniper 1 Junos 2025-10-14 6.5 Medium
An Authentication Bypass by Primary Weakness in the FTP server of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to get limited read-write access to files on the device. When the FTP server is enabled and a user named "ftp" or "anonymous" is configured, that user can login without providing the configured password and then has read-write access to their home directory. This issue affects Junos OS:  * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2.
CVE-2025-61861 2025-10-14 7.8 High
An out-of-bounds read vulnerability exists in VS6ComFile!load_link_inf of V-SFT v6.2.7.0 and earlier. Opening specially crafted V-SFT files may lead to information disclosure, affected system's abnormal end (ABEND), and arbitrary code execution.
CVE-2025-61864 2025-10-14 7.8 High
A use after free vulnerability exists in VS6ComFile!load_link_inf of V-SFT v6.2.7.0 and earlier. Opening specially crafted V-SFT files may lead to information disclosure, affected system's abnormal end (ABEND), and arbitrary code execution.
CVE-2025-62240 1 Liferay 2 Dxp, Portal 2025-10-14 N/A
Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name or (3) Last Name text field.
CVE-2025-62292 2025-10-14 4.3 Medium
In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administrators only, including the email addresses of other accounts.
CVE-2025-11558 1 Code-projects 1 E-commerce Website 2025-10-14 7.3 High
A vulnerability was found in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/user_index_search.php. Performing manipulation of the argument Search results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
CVE-2025-43296 1 Apple 1 Macos 2025-10-14 5.5 Medium
A logic issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26. An app may bypass Gatekeeper checks.
CVE-2025-61859 2025-10-14 7.8 High
An out-of-bounds write vulnerability exists in VS6ComFile!CItemDraw::is_motion_tween of V-SFT v6.2.7.0 and earlier. Opening specially crafted V-SFT files may lead to information disclosure, affected system's abnormal end (ABEND), and arbitrary code execution.
CVE-2025-61858 2025-10-14 7.8 High
An out-of-bounds write vulnerability exists in VS6ComFile!set_AnimationItem of V-SFT v6.2.7.0 and earlier. Opening specially crafted V-SFT files may lead to information disclosure, affected system's abnormal end (ABEND), and arbitrary code execution.
CVE-2025-21054 2025-10-14 4 Medium
Out-of-bounds read in the parsing header for JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to potentially access out-of-bounds memory.
CVE-2025-21057 2025-10-14 4 Medium
Use of implicit intent for sensitive communication in Samsung Notes prior to version 4.4.30.63 allows local attackers to access shared notes.
CVE-2025-10124 2025-10-14 6.5 Medium
The Booking Manager WordPress plugin before 2.1.15 registers a shortcode that deletes bookings and makes that shortcode available to anyone with contributor and above privileges. When a page containing the shortcode is visited, the bookings are deleted.
CVE-2025-61871 2025-10-14 N/A
NAS Navigator2 Windows version by BUFFALO INC. registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
CVE-2025-35055 1 Newforma 1 Project Center Server 2025-10-14 8.8 High
Newforma Info Exchange (NIX) '/UserWeb/Common/UploadBlueimp.ashx' allows an authenticated attacker to upload an arbitrary file to any location writable by the NIX application. An attacker can upload and run a web shell or other content executable by the web server. An attacker can also delete directories. In Newforma before 2023.1, anonymous access is enabled by default (CVE-2025-35062), allowing an otherwise unauthenticated attacker to effectively authenticate as 'anonymous' and exploit this file upload vulnerability.