CVE List - 2025 / October
Showing 2501 - 2600 of 4280 CVEs for October 2025 (Page 26 of 43)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-56223 | 2025-10-20 | A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to cause a Denial of Service (DoS) by uploading an excessive number of files. |
| CVE-2025-56224 | 2025-10-20 | A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attackers to bypass verification via a bruteforce attack. |
| CVE-2025-60781 | 2025-10-20 | PHP Education Manager v1.0 is vulnerable to Cross Site Scripting (XSS) in the worksheet.php file via the participant_name parameter. |
| CVE-2025-60783 | 2025-10-20 | There is a SQL injection vulnerability in Restaurant Management System DBMS Project v1.0 via login.php. The vulnerability allows attackers to manipulate the application's database through specially crafted SQL query strings. |
| CVE-2025-60856 | 2025-10-20 | Reolink Video Doorbell WiFi DB_566128M5MP_W allows root shell access through an unsecured UART/serial console. An attacker with physical access can connect to the exposed interface and execute arbitrary commands with... |
| CVE-2025-61301 | 2025-10-20 | Denial-of-analysis in reporting/mongodb.py and reporting/jsondump.py in CAPEv2 (commit 52e4b43, on 2025-05-17) allows attackers who can submit samples to cause incomplete or missing behavioral analysis reports by generating deeply nested or... |
| CVE-2025-61303 | 2025-10-20 | Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021 (2025-08-14) contains a vulnerability in its Windows behavioral analysis engine that allows a submitted malware sample to evade... |
| CVE-2025-61417 | 2025-10-20 | Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code... |
| CVE-2025-61454 | 2025-10-20 | A Cross-Site Scripting (XSS) vulnerability exists in Bhabishya-123 E-commerce 1.0, specifically within the search endpoint. Unsanitized input in the /search parameter is directly reflected back into the response HTML, allowing... |
| CVE-2025-61455 | 2025-10-20 | SQL Injection vulnerability exists in Bhabishya-123 E-commerce 1.0, specifically within the signup.inc.php endpoint. The application directly incorporates unsanitized user inputs into SQL queries, allowing unauthenticated attackers to bypass authentication and... |
| CVE-2025-61456 | 2025-10-20 | A Cross-Site Scripting (XSS) vulnerability exists in Bhabishya-123 E-commerce 1.0, specifically within the index endpoint. Unsanitized input in the /index parameter is directly reflected back into the response HTML, allowing... |
| CVE-2025-61488 | 2025-10-20 | An issue in Senayan Library Management System (SLiMS) 9 Bulian v.9.6.1 allows a remote attacker to execute arbitrary code via the scrap_image.php component and the imageURL parameter |
| CVE-2025-11948 | 2025-10-20 | Excellent Infotek|Document Management System - Arbitrary File Upload |
| CVE-2025-40004 | 2025-10-20 | net/9p: Fix buffer overflow in USB transport layer |
| CVE-2025-62577 | 2025-10-20 | ETERNUS SF provided by Fsas Technologies Inc. contains an incorrect default permissions vulnerability. A low-privileged user with access to the management server may obtain database credentials, potentially allowing execution of... |
| CVE-2025-61932 | 2025-10-20 | Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets. |
| CVE-2025-31342 | 2025-10-20 | Galaxy Software Services Vitals ESP Forum Module - Unrestricted Upload of File with Dangerous Type |
| CVE-2025-57838 | 2025-10-20 | Some Honor products are affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2025-57839 | 2025-10-20 | Photo module is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2025-57837 | 2025-10-20 | Tileservice module is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2025-41028 | 2025-10-20 | SQL injection in Epsilon RH |
| CVE-2025-8349 | 2025-10-20 | Cross-Site Scripting (XSS) stored in Tawk Live Chat |
| CVE-2025-11677 | 2025-10-20 | Use After Free in libwebsockets WebSocket server |
| CVE-2025-11678 | 2025-10-20 | Stack-based Buffer Overflow in libwebsockets DNS response parsing |
| CVE-2025-11679 | 2025-10-20 | Out-of-bounds Read in libwebsockets PNG parsing |
| CVE-2025-11680 | 2025-10-20 | Out-of-bounds Write in libwebsockets PNG parsing |
| CVE-2025-41390 | 2025-10-20 | An arbitrary code execution vulnerability exists in the git functionality of Truffle Security Co. TruffleHog 3.90.2. A specially crafted repository can lead to arbitrary code execution. An attacker can... |
| CVE-2025-8884 | 2025-10-20 | IDOR in VHS Electronic Software's ACE Center |
| CVE-2025-57738 | 2025-10-20 | Apache Syncope: Remote Code Execution by delegated administrators |
| CVE-2025-40005 | 2025-10-20 | spi: cadence-quadspi: Implement refcount to handle unbind during busy |
| CVE-2025-40006 | 2025-10-20 | mm/hugetlb: fix folio is still mapped when deleted |
| CVE-2025-40007 | 2025-10-20 | netfs: fix reference leak |
| CVE-2025-40008 | 2025-10-20 | kmsan: fix out-of-bounds access to shadow memory |
| CVE-2025-40009 | 2025-10-20 | fs/proc/task_mmu: check p->vec_buf for NULL |
| CVE-2025-40010 | 2025-10-20 | afs: Fix potential null pointer dereference in afs_put_server |
| CVE-2025-40011 | 2025-10-20 | drm/gma500: Fix null dereference in hdmi teardown |
| CVE-2025-40012 | 2025-10-20 | net/smc: fix warning in smc_rx_splice() when calling get_page() |
| CVE-2025-40013 | 2025-10-20 | ASoC: qcom: audioreach: fix potential null pointer dereference |
| CVE-2025-40015 | 2025-10-20 | media: stm32-csi: Fix dereference before NULL check |
| CVE-2025-40016 | 2025-10-20 | media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID |
| CVE-2025-40017 | 2025-10-20 | media: iris: Fix memory leak by freeing untracked persist buffer |
| CVE-2025-10678 | 2025-10-20 | Admin with default credentials in NetBird VPN |
| CVE-2025-62429 | 2025-10-20 | ClipBucket v5 executes arbitrary PHP code |
| CVE-2025-6515 | 2025-10-20 | Reuse of session IDs in oatpp-mcp leads to session hijacking and prompt hijacking by remote attackers |
| CVE-2025-9574 | 2025-10-20 | Missing Authentication Vulnerability |
| CVE-2025-62509 | 2025-10-20 | FileRise improper ownership/permission validation allowed cross-tenant file operations |
| CVE-2025-62510 | 2025-10-20 | FileRise insecure folder visibility via name-based mapping and incomplete ACL checks |
| CVE-2025-47900 | 2025-10-20 | RCE on backup configuration password |
| CVE-2025-11979 | 2025-10-20 | Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior |
| CVE-2025-47901 | 2025-10-20 | RCE on restore configuration password |
| CVE-2025-55086 | 2025-10-20 | In NetXDuo version before 6.4.4, a networking support module for Eclipse Foundation ThreadX, in the DHCPV6 client there was an unchecked index extracting the server DUID from the server reply.... |
| CVE-2025-62693 | 2025-10-20 | Stored XSS through system messages in LastModified |
| CVE-2025-3465 | 2025-10-20 | Path Traversal Vulnerability |
| CVE-2025-47902 | 2025-10-20 | SQL Injection in web resource |
| CVE-2025-62700 | 2025-10-20 | Stored XSS through a system message in MultiBoilerplate |
| CVE-2025-62698 | 2025-10-20 | Stored XSS through system messages in ExternalGuidance |
| CVE-2025-5517 | 2025-10-20 | Heap Memory Corruption Vulnerability |
| CVE-2025-62697 | 2025-10-20 | Improperly sanitized style parameter in LanguageSelector |
| CVE-2025-8053 | 2025-10-20 | Insufficient access control vulnerability has been discovered in OpenText Flipper. |
| CVE-2025-8051 | 2025-10-20 | Path traversal validation vulnerability has been discovered in OpenText Flipper. |
| CVE-2025-8049 | 2025-10-20 | Insufficient Access Control vulnerability has been discovered in OpenText Flipper. |
| CVE-2025-8048 | 2025-10-20 | External Control of File Path vulnerability has been discovered in OpenText Flipper. |
| CVE-2025-62522 | 2025-10-20 | vite allows server.fs.deny bypass via backslash on Windows |
| CVE-2025-8052 | 2025-10-20 | HQL Injection vulnerability has been discovered in OpenText Flipper. |
| CVE-2025-62527 | 2025-10-20 | Taguette vulnerable to password reset link poisoning |
| CVE-2025-62528 | 2025-10-20 | Taguette cross-site scripting vulnerability via tag name, tag description, document name and document description |
| CVE-2025-62656 | 2025-10-20 | GlobalBlocking Special:GlobalBlockList vulnerable to message key stored XSS |
| CVE-2025-62657 | 2025-10-20 | Stored XSS through system messages in PageForms |
| CVE-2025-62658 | 2025-10-20 | SQL injection in WatchAnalytics through Special:ClearPendingReviews |
| CVE-2018-25118 | 2025-10-20 | GeoVision Command Injection RCE via /PictureCatch.cgi |
| CVE-2025-11536 | 2025-10-20 | Element Pack Addons for Elementor <= 8.2.5 - Authenticated (Subscriber+) Blind Server-Side Request Forgery |
| CVE-2025-12001 | 2025-10-20 | Incorrect Content-Type Header |
| CVE-2025-52079 | 2025-10-21 | The administrator password setting of the D-Link DIR-820L 1.06B02 has Improper Access Control and is vulnerable to Unverified Password Change via a crafted POST request to /get_set.ccp. |
| CVE-2025-56450 | 2025-10-21 | Log2Space Subscriber Management Software 1.1 is vulnerable to unauthenticated SQL injection via the `lead_id` parameter in the `/l2s/api/selfcareLeadHistory` endpoint. A remote attacker can exploit this by sending a specially crafted... |
| CVE-2025-56799 | 2025-10-21 | Reolink desktop application 8.18.12 contains a command injection vulnerability in its scheduled cache-clearing mechanism via a crafted folder name. NOTE: this is disputed by the Supplier because a crafted folder... |
| CVE-2025-56800 | 2025-10-21 | Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource... |
| CVE-2025-56801 | 2025-10-21 | The Reolink Desktop Application 8.18.12 contains hardcoded credentials as the Initialization Vector (IV) in its AES-CFB encryption implementation allowing attackers with access to the application environment to reliably decrypt encrypted... |
| CVE-2025-56802 | 2025-10-21 | The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configuration files allowing attackers with local access to decrypt sensitive application data stored in %APPDATA%.... |
| CVE-2025-57521 | 2025-10-21 | Bambu Studio 2.1.1.52 and earlier is affected by a vulnerability that allows arbitrary code execution during application startup. The application loads a network plugin without validating its digital signature or... |
| CVE-2025-59438 | 2025-10-21 | Mbed TLS through 3.6.4 has an Observable Timing Discrepancy. |
| CVE-2025-60280 | 2025-10-21 | Cross-Site Scripting (XSS) vulnerability in Bang Resto v1.0 could allow an attacker to inject malicious JavaScript code into the application's web pages. This vulnerability exists due to insufficient input sanitization... |
| CVE-2025-60344 | 2025-10-21 | An unauthenticated Local File Inclusion (LFI) vulnerability in D-Link DSR series routers allows remote attackers to retrieve sensitive configuration files in clear text. The exposed files contain administrative credentials, VPN... |
| CVE-2025-60427 | 2025-10-21 | LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to Broken Access Control, where a user with the DJ role can access analytics data via the Web UI and direct API calls.... |
| CVE-2025-60500 | 2025-10-21 | QDocs Smart School Management System 7.1 allows authenticated users with roles such as "accountant" or "admin" to bypass file type restrictions in the media upload feature by abusing the alternate... |
| CVE-2025-60506 | 2025-10-21 | Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads... |
| CVE-2025-60507 | 2025-10-21 | Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link... |
| CVE-2025-60511 | 2025-10-21 | Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can... |
| CVE-2025-60751 | 2025-10-21 | GeographicLib 2.5 is vulnerable to Buffer Overflow in GeoConvert DMS::InternalDecode. |
| CVE-2025-60772 | 2025-10-21 | Improper authentication in the web-based management interface of NETLINK HG322G V1.0.00-231017, allows a remote unauthenticated attacker to escalate privileges and lock out the legitimate administrator via crafted HTTP requests. |
| CVE-2025-60790 | 2025-10-21 | ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service. |
| CVE-2025-60932 | 2025-10-21 | Multiple stored cross-site scripting (XSS) vulnerabilities in the Current Goals function of HR Performance Solutions Performance Pro v3.19.17 allow attackers to execute arbitrary web scripts or HTML via a crafted... |
| CVE-2025-60933 | 2025-10-21 | Multiple stored cross-site scripting (XSS) vulnerabilities in the Future Goals function of HR Performance Solutions Performance Pro v3.19.17 allow attackers to execute arbitrary web scripts or HTML via a crafted... |
| CVE-2025-60934 | 2025-10-21 | Multiple stored cross-site scripting (XSS) vulnerabilities in the index.php component of HR Performance Solutions Performance Pro v3.19.17 allow attackers to execute arbitrary web scripts or HTML via a crafted payload... |
| CVE-2025-61181 | 2025-10-21 | daicuocms V1.3.13 contains an arbitrary file upload vulnerability in the image upload feature. |
| CVE-2025-61194 | 2025-10-21 | daicuocms V1.3.13 contains a SQL injection vulnerability in the file library\think\db\Builder.php. |
| CVE-2025-61220 | 2025-10-21 | The incomplete verification mechanism in the AutoBizLine com.mysecondline.app 1.2.91 allows attackers to log in as other users and gain unauthorized access to their personal information. |
| CVE-2025-61255 | 2025-10-21 | Bank Locker Management System by PHPGurukul is affected by a Cross-Site Scripting (XSS) vulnerability via the /search parameter, where unsanitized input allows arbitrary HTML and JavaScript injection, potentially resulting in... |
| CVE-2025-61457 | 2025-10-21 | code16 Sharp v9.6.6 is vulnerable to Cross Site Scripting (XSS) in src/Form/Fields/SharpFormUploadField.php. |
| CVE-2025-62763 | 2025-10-21 | Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy. |
| CVE-2025-6541 | 2025-10-21 | OS command injection using information obtained from the web management interface |
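Added example, not part of this listing page or of any vendor's code: a small triage script that parses rows in the table layout used above into records, checks that the first cell is a well-formed CVE identifier, and buckets each entry by vulnerability class. The class names and the keyword patterns are this example's own heuristic (an assumption, not a taxonomy the page uses); the sample rows are constructed in the page's own format so the script runs offline.

```python
"""Parse a CVE listing table (| ID | Date | Title |) and bucket entries for triage.

Constructed sample rows in the page's layout are embedded so the script runs
offline.  The keyword-to-class mapping is this example's own heuristic.
"""
import re

# Constructed sample: a handful of rows in the same layout as the listing above.
SAMPLE_TABLE = """\
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-56224 | 2025-10-20 | A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attackers to bypass verification via a bruteforce attack. |
| CVE-2025-60783 | 2025-10-20 | There is a SQL injection vulnerability in Restaurant Management System DBMS Project v1.0 via login.php. |
| CVE-2025-62693 | 2025-10-20 | Stored XSS through system messages in LastModified |
| CVE-2025-11677 | 2025-10-20 | Use After Free in libwebsockets WebSocket server |
| CVE-2018-25118 | 2025-10-20 | GeoVision Command Injection RCE via /PictureCatch.cgi |
| CVE-2025-40004 | 2025-10-20 | net/9p: Fix buffer overflow in USB transport layer |
"""

# A CVE identifier is CVE-<4-digit year>-<4 or more digits>; anything else is
# treated as a header, separator or garbage row and skipped.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Ordered: the first matching class wins.  Heuristic patterns (assumption).
CLASS_PATTERNS = [
    ("sqli", re.compile(r"\bsql injection\b", re.I)),
    ("xss", re.compile(r"\bxss\b|cross[- ]site scripting", re.I)),
    ("cmdi", re.compile(r"command injection", re.I)),
    ("memory", re.compile(r"buffer overflow|use[- ]after[- ]free|out-of-bounds", re.I)),
    ("auth", re.compile(r"rate limiting|brute ?force|bypass verification", re.I)),
]


def parse_rows(table):
    """Yield (cve_id, date, title) for each data row of a pipe-delimited table.

    Header and separator rows are dropped because their first cell is not a
    CVE identifier; rows with the wrong number of cells are dropped too.
    """
    for line in table.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or not CVE_ID.match(cells[0]):
            continue
        yield cells[0], cells[1], cells[2]


def classify(title):
    """Return the first class whose pattern matches the title, else 'other'."""
    for name, pat in CLASS_PATTERNS:
        if pat.search(title):
            return name
    return "other"


def triage(table):
    """Return {class: [cve_id, ...]} preserving the listing order within a class."""
    buckets = {}
    for cve_id, _date, title in parse_rows(table):
        buckets.setdefault(classify(title), []).append(cve_id)
    return buckets


def older_reservations(table, listing_year=2025):
    """CVE IDs whose reserved year predates the listing year (e.g. CVE-2018-25118
    published in 2025).  These are worth a second look: the affected product is
    often end-of-life and the fix may not exist."""
    return [c for c, _d, _t in parse_rows(table) if int(c.split("-")[1]) < listing_year]


if __name__ == "__main__":
    for cls, ids in sorted(triage(SAMPLE_TABLE).items()):
        print(f"{cls:8s} {len(ids):2d}  {' '.join(ids)}")
    print("older reservations:", older_reservations(SAMPLE_TABLE))
```

Run it as-is to see the sample bucketed; to use it on the full page, paste the table into `SAMPLE_TABLE` or read it from a file. The ordered pattern list matters: a title such as "SQL injection ... XSS" lands in the first class that matches, so put the class you care most about first.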