CVE List - 2025 / October
Showing 3101 - 3200 of 4280 CVEs for October 2025 (Page 32 of 43)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-62613 | 2025-10-22 | VDO.Ninja Reflected XSS Vulnerability in control.html |
| CVE-2025-62614 | 2025-10-22 | BookLore Media API Authentication Bypass |
| CVE-2025-62617 | 2025-10-22 | Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality |
| CVE-2025-62705 | 2025-10-22 | OpenBao and Vault Leak []byte Fields in Audit Logs |
| CVE-2025-62706 | 2025-10-22 | Authlib: JWE zip=DEF decompression bomb enables DoS |
| CVE-2025-62707 | 2025-10-22 | pypdf affected by possible infinite loop when reading DCT inline images without EOF marker |
| CVE-2025-62708 | 2025-10-22 | pypdf manipulated LZWDecode streams can exhaust RAM |
| CVE-2025-62710 | 2025-10-22 | Sakai kernel-impl: predictable PRNG used to generate server-side encryption key in EncryptionUtilityServiceImpl |
| CVE-2025-50949 | 2025-10-23 | FontForge v20230101 was discovered to contain a memory leak via the component DlgCreate8. |
| CVE-2025-50950 | 2025-10-23 | Audiofile v0.3.7 was discovered to contain a NULL pointer dereference via the ModuleState::setup function. |
| CVE-2025-50951 | 2025-10-23 | FontForge v20230101 was discovered to contain a memory leak via the utf7toutf8_copy function at /fontforge/sfd.c. |
| CVE-2025-54963 | 2025-10-23 | An issue was discovered in BAE SOCET GXP before 4.6.0.2. An attacker with the ability to interact with the GXP Job Service may submit a crafted job request that grants... |
| CVE-2025-54964 | 2025-10-23 | An issue was discovered in BAE SOCET GXP before 4.6.0.2. An attacker with the ability to interact with the GXP Job Service may inject arbitrary executables. If the Job Service... |
| CVE-2025-54966 | 2025-10-23 | An issue was discovered in BAE SOCET GXP before 4.6.0.2. Some endpoints on the SOCET GXP Job Status Service may return sensitive information in certain situations, including local file paths... |
| CVE-2025-56007 | 2025-10-23 | CRLF-injection in KeeneticOS before 4.3 at "/auth" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing the victim to open page... |
| CVE-2025-56008 | 2025-10-23 | Cross site scripting (XSS) vulnerability in KeeneticOS before 4.3 at "Wireless ISP" page allows attackers located near to the router to takeover the device via adding additional users with full... |
| CVE-2025-56009 | 2025-10-23 | Cross site request forgery (CSRF) vulnerability in KeeneticOS before 4.3 at "/rci" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing... |
| CVE-2025-57240 | 2025-10-23 | Cross site scripting (XSS) vulnerability in 17gz International Student service system 1.0 allows attackers to execute arbitrary code via the registration step. |
| CVE-2025-60837 | 2025-10-23 | A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload. |
| CVE-2025-60852 | 2025-10-23 | A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it... |
| CVE-2025-60859 | 2025-10-23 | Cross Site Scripting (XSS) vulnerability in Gnuboard 5.6.15 allows authenticated attackers to execute arbitrary code via crafted c_id parameter in bbs/view_comment.php. |
| CVE-2025-61132 | 2025-10-23 | A Host Header Injection vulnerability in the password reset component in levlaz braindump v0.4.14 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host... |
| CVE-2025-61136 | 2025-10-23 | A Host Header Injection vulnerability in the password reset component in axewater sharewarez v2.4.3 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host... |
| CVE-2025-61413 | 2025-10-23 | A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web scripts or HTML via creating a page and injecting a... |
| CVE-2025-61464 | 2025-10-23 | gnuboard gnuboard4 v4.36.04 and before is vulnerable to Second-order SQL Injection via the search_table in bbs/search.php. |
| CVE-2025-62820 | 2025-10-23 | Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network. |
| CVE-2025-11575 | 2025-10-23 | MongoDB Atlas SQL ODBC driver installation via MSI may leave ACLs unset on custom installation directories |
| CVE-2025-35981 | 2025-10-23 | Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) in the Command Centre Server allows a privileged Operator to view limited personal data about a Cardholder they would not... |
| CVE-2025-41402 | 2025-10-23 | Client-Side Enforcement of Server-Side Security (CWE-602) in the Command Centre Server allows a privileged operator to enter invalid competency data, bypassing expiry checks. This issue affects Command Centre Server: 9.30... |
| CVE-2025-47699 | 2025-10-23 | Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to... |
| CVE-2025-48428 | 2025-10-23 | Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher Morpho integration could allow an authenticated user with access to the Command Centre Server to export a specific signing key while... |
| CVE-2025-48430 | 2025-10-23 | Uncaught Exception (CWE-248) in the Command Centre Server allows an Authorized and Privileged Operator to crash the Command Centre Server at will. This issue affects Command Centre Server: 9.30 prior... |
| CVE-2025-12104 | 2025-10-23 | Incorrect Content-Type Header |
| CVE-2025-54856 | 2025-10-23 | Movable Type contains a stored cross-site scripting vulnerability in Edit ContentData page. If crafted input is stored by an attacker with "ContentType Management" privilege, an arbitrary script may be executed... |
| CVE-2025-62499 | 2025-10-23 | Movable Type contains a stored cross-site scripting vulnerability in Edit CategorySet of ContentType page. If crafted input is stored by an attacker with "ContentType Management" privilege, an arbitrary script may... |
| CVE-2025-54806 | 2025-10-23 | GROWI v4.2.7 and earlier contains a cross-site scripting vulnerability in the page alert function. If a user accesses a crafted URL while logged in to the affected product, an arbitrary... |
| CVE-2025-61865 | 2025-10-23 | NarSuS App registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with... |
| CVE-2025-10727 | 2025-10-23 | Reflected XSS in ArkSigner's AcBakImzala |
| CVE-2025-10914 | 2025-10-23 | Reflected XSS in Proliz's OBS |
| CVE-2025-12105 | 2025-10-23 | Libsoup: heap use-after-free in libsoup message queue handling during http/2 read completion |
| CVE-2025-9980 | 2025-10-23 | Multiple Stored XSS in QuickCMS |
| CVE-2025-9981 | 2025-10-23 | Multiple Stored XSS in QuickCMS |
| CVE-2025-40643 | 2025-10-23 | Stored Cross-Site Scripting (XSS) in Energy CRM by Status Tracker |
| CVE-2025-41073 | 2025-10-23 | Path Traversal in Gandia Integra Total by TESI |
| CVE-2025-10355 | 2025-10-23 | Open redirection vulnerability in MOLGENIS EMX2 |
| CVE-2025-62393 | 2025-10-23 | Moodle: course access permissions not properly checked in course_output_fragment_course_overview |
| CVE-2025-62394 | 2025-10-23 | Moodle: quiz notifications sent to suspended participants |
| CVE-2025-62396 | 2025-10-23 | Moodle: router (r.php) could expose application directories |
| CVE-2025-62397 | 2025-10-23 | Moodle: router produces json instead of 404 error for invalid course id |
| CVE-2025-62398 | 2025-10-23 | Moodle: possible to bypass mfa |
| CVE-2025-62399 | 2025-10-23 | Moodle: password brute force risk when mobile/web services enabled |
| CVE-2025-62400 | 2025-10-23 | Moodle: hidden group names visible to event creators |
| CVE-2025-62395 | 2025-10-23 | Moodle: external cohort search service leaks system cohort data |
| CVE-2025-62401 | 2025-10-23 | Moodle: possible to bypass timer in timed assignments |
| CVE-2025-11023 | 2025-10-23 | Local File Inclusion in ArkSigner's AcBakImzala |
| CVE-2025-8427 | 2025-10-23 | Beaver Builder Plugin (Starter Version) <= 2.9.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'auto_play' |
| CVE-2025-11128 | 2025-10-23 | Feedzy RSS Feeds Lite <= 5.1.0 - Authenticated (Subscriber+) Server-Side Request Forgery |
| CVE-2025-10705 | 2025-10-23 | MxChat – AI Chatbot for WordPress <= 2.4.6 - Unauthenticated Blind Server-Side Request Forgery |
| CVE-2025-53702 | 2025-10-23 | DoS vulnerability in Vilar VS-IPC1002 IP cameras |
| CVE-2025-53701 | 2025-10-23 | XSS vulnerability in Vilar VS-IPC1002 IP cameras |
| CVE-2025-62256 | 2025-10-23 | Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not... |
| CVE-2025-1679 | 2025-10-23 | Cross-site Scripting has been identified in Moxa’s Ethernet switches, which allows an authenticated administrative attacker to inject malicious scripts to an affected device’s web service that could impact authenticated users... |
| CVE-2025-1680 | 2025-10-23 | An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa’s Ethernet switches, which allows attackers with administrative privileges to manipulate HTTP Host headers by injecting... |
| CVE-2025-11429 | 2025-10-23 | Keycloak-server: too long and not settings compliant session |
| CVE-2025-12110 | 2025-10-23 | Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed |
| CVE-2025-59048 | 2025-10-23 | OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method |
| CVE-2025-12114 | 2025-10-23 | Serial Console Enabled |
| CVE-2025-62169 | 2025-10-23 | OctoPrint-SpoolManager Plugin APIs do not enforce authentication |
| CVE-2025-62713 | 2025-10-23 | Kottster app reinitialization can be re-triggered allowing command injection in development mode |
| CVE-2025-34155 | 2025-10-23 | Tibbo AggreGate Network Manager < 6.40.05 Login Functionality User Enumeration |
| CVE-2025-34156 | 2025-10-23 | Tibbo AggreGate Network Manager < 6.40.05 System Information Exposure |
| CVE-2025-54808 | 2025-10-23 | Oxford Nanopore Technologies MinKNOW Insufficiently Protected Credentials |
| CVE-2025-23300 | 2025-10-23 | NVIDIA Display Driver for Linux contains a vulnerability in the kernel driver, where a user could cause a null pointer dereference by allocating a specific memory resource. A successful exploit... |
| CVE-2025-10937 | 2025-10-23 | Oxford Nanopore Technologies MinKNOW Improper Check for Unusual or Exceptional Conditions |
| CVE-2025-23330 | 2025-10-23 | NVIDIA Display Driver for Linux contains a vulnerability where an attacker might be able to trigger a null pointer dereference. A successful exploit of this vulnerability might lead to denial... |
| CVE-2025-23332 | 2025-10-23 | NVIDIA Display Driver for Linux contains a vulnerability in a kernel module, where an attacker might be able to trigger a null pointer dereference. A successful exploit of this vulnerability... |
| CVE-2025-23345 | 2025-10-23 | NVIDIA Display Driver for Windows and Linux contains a vulnerability in a video decoder, where an attacker might cause an out-of-bounds read. A successful exploit of this vulnerability might lead... |
| CVE-2025-23347 | 2025-10-23 | NVIDIA Project G-Assist contains a vulnerability where an attacker might be able to escalate permissions. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data... |
| CVE-2025-23352 | 2025-10-23 | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause uninitialized pointer access. A successful exploit of this vulnerability might lead to code... |
| CVE-2025-6980 | 2025-10-23 | Captive Portal can expose sensitive information |
| CVE-2025-6979 | 2025-10-23 | Captive Portal can allow authentication bypass |
| CVE-2025-62255 | 2025-10-23 | Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA... |
| CVE-2025-6978 | 2025-10-23 | Diagnostics command injection vulnerability |
| CVE-2025-11621 | 2025-10-23 | Vault AWS auth method bypass due to AWS client cache |
| CVE-2025-12044 | 2025-10-23 | Vault Vulnerable to Denial of Service Due to Rate Limit Regression |
| CVE-2025-62236 | 2025-10-23 | Frontier Airlines publicly available email address validation |
| CVE-2025-55067 | 2025-10-23 | Integer Overflow or Wraparound in Veeder-Root TLS4B Automatic Tank Gauge System |
| CVE-2025-58428 | 2025-10-23 | Command Injection in Veeder-Root TLS4B Automatic Tank Gauge System |
| CVE-2025-62517 | 2025-10-23 | Rollbar.js Prototype Pollution Vulnerability in merge() |
| CVE-2025-57848 | 2025-10-23 | Container-native-virtualization: privilege escalation via excessive /etc/passwd permissions |
| CVE-2025-12100 | 2025-10-23 | MongoDB BI Connector ODBC driver installation via MSI may leave ACLs unset on custom installation directories |
| CVE-2025-59500 | 2025-10-23 | Azure Notification Service Elevation of Privilege Vulnerability |
| CVE-2025-59273 | 2025-10-23 | Azure Event Grid System Elevation of Privilege Vulnerability |
| CVE-2025-59503 | 2025-10-23 | Azure Compute Resource Provider Elevation of Privilege Vulnerability |
| CVE-2025-62498 | 2025-10-23 | AutomationDirect Productivity Suite Relative Path Traversal |
| CVE-2025-61977 | 2025-10-23 | AutomationDirect Productivity Suite Weak Password Recovery Mechanism for Forgotten Password |
| CVE-2025-62688 | 2025-10-23 | AutomationDirect Productivity Suite Incorrect Permission Assignment for Critical Resource |
| CVE-2025-61934 | 2025-10-23 | AutomationDirect Productivity Suite Binding to an Unrestricted IP Address CWE-1327 |
| CVE-2025-58456 | 2025-10-23 | AutomationDirect Productivity Suite Relative Path Traversal |
| CVE-2025-58078 | 2025-10-23 | AutomationDirect Productivity Suite Relative Path Traversal |