CVE List - 2025 / October
Showing 3801 - 3900 of 4280 CVEs for October 2025 (Page 39 of 43)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-62367 | 2025-10-28 | Taiga Blind SQL Injection Time Based |
| CVE-2025-62368 | 2025-10-28 | Taiga Authenticated Remote Code Execution |
| CVE-2025-11375 | 2025-10-28 | Consul's event endpoint is vulnerable to denial of service |
| CVE-2025-62727 | 2025-10-28 | Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse |
| CVE-2025-11374 | 2025-10-28 | Consul's KV endpoint is vulnerable to denial of service |
| CVE-2025-61598 | 2025-10-28 | Discourse is missing Cache-Control response header on error responses |
| CVE-2025-43017 | 2025-10-28 | HP ThinPro 8.1 SP8 Security Updates |
| CVE-2025-62796 | 2025-10-28 | PrivateBin persistent HTML injection in attachment filename enables redirect and defacement |
| CVE-2025-62794 | 2025-10-28 | GitHub Workflow Updater stored the optional Github token in plaintext |
| CVE-2025-62798 | 2025-10-28 | Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax |
| CVE-2025-62800 | 2025-10-28 | FastMCP vulnerable to reflected XSS in client's callback page |
| CVE-2025-62801 | 2025-10-28 | FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name |
| CVE-2025-62802 | 2025-10-28 | DNN CKEditor Provider allows unauthenticated upload out-of-the-box |
| CVE-2025-64094 | 2025-10-28 | DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload |
| CVE-2025-64095 | 2025-10-28 | DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite |
| CVE-2025-4665 | 2025-10-28 | WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injection). The weakness arises... |
| CVE-2024-45161 | 2025-10-29 | A CSRF issue was discovered in the administrative web GUI in Blu-Castle BCUM221E 1.0.0P220507. This can be exploited via a URL, an image load, an XMLHttpRequest, etc. and can result... |
| CVE-2024-45162 | 2025-10-29 | A stack-based buffer overflow issue was discovered in the phddns client in Blu-Castle BCUM221E 1.0.0P220507 via the password field. |
| CVE-2025-56558 | 2025-10-29 | An issue discovered in Dyson App v6.1.23041-23595 allows unauthenticated attackers to control other users' Dyson IoT devices remotely via MQTT. |
| CVE-2025-57227 | 2025-10-29 | An unquoted service path in Kingosoft Technology Ltd Kingo ROOT v1.5.8.3353 allows attackers to escalate privileges via placing a crafted executable file into a parent folder. |
| CVE-2025-60320 | 2025-10-29 | memoQ 10.1.13.ef1b2b52aae and earlier contains an unquoted service path vulnerability in the memoQ Auto Update Service (memoQauhlp101). The affected service is installed with a path containing spaces and without surrounding... |
| CVE-2025-60542 | 2025-10-29 | SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false. |
| CVE-2025-60595 | 2025-10-29 | SPH Engineering UgCS 5.13.0 is vulnerable to Arbitrary code execution. |
| CVE-2025-60898 | 2025-10-29 | An unauthenticated server-side request forgery (SSRF) vulnerability in the Thumbnail via-uri endpoint of Halo CMS 2.21 allows a remote attacker to cause the server to issue HTTP requests to attacker-controlled... |
| CVE-2025-61156 | 2025-10-29 | Incorrect access control in the kernel driver of ThreatFire System Monitor v4.7.0.53 allows attackers to escalate privileges and execute arbitrary commands via an insecure IOCTL. |
| CVE-2025-61161 | 2025-10-29 | DLL hijacking vulnerability in Evope Collector 1.1.6.9.0 and related components load the wtsapi32.dll library from an uncontrolled search path (C:\ProgramData\Evope). This allows local unprivileged attackers to execute arbitrary code or... |
| CVE-2025-61234 | 2025-10-29 | Incorrect access control on Dataphone A920 v2025.07.161103 exposes a service on port 8888 by default on the local network without authentication. This allows an attacker to interact with the device... |
| CVE-2025-61429 | 2025-10-29 | An issue in NCR Atleos Terminal Manager (ConfigApp) v3.4.0 allows attackers to escalate privileges via a crafted request. |
| CVE-2025-61876 | 2025-10-29 | Insecure Direct Object Reference (IDOR) in /tenants/{id} API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other... |
| CVE-2025-63622 | 2025-10-29 | A vulnerability was found in code-projects Online Complaint Site 1.0. This issue affects some unknown processing of the file /cms/admin/subcategory.php. This manipulation of the argument category causes SQL injection. |
| CVE-2025-57931 | 2025-10-29 | WordPress Popup box plugin <= 5.5.4 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-64296 | 2025-10-29 | WordPress Facebook for WooCommerce plugin <= 3.5.7 - Broken Access Control to Notice Dismissal vulnerability |
| CVE-2025-11705 | 2025-10-29 | Anti-Malware Security and Brute-Force Firewall <= 4.23.81 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read |
| CVE-2025-62776 | 2025-10-29 | The installer of WTW EAGLE (for Windows) 3.0.8.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code... |
| CVE-2025-49042 | 2025-10-29 | WordPress WooCommerce plugin <= 10.0.2 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-9544 | 2025-10-29 | Doppler Forms <= 2.5.1 - Subscriber+ Limited Plugin Installation |
| CVE-2023-7320 | 2025-10-29 | WooCommerce <= 7.8.2 - Sensitive Information Exposure |
| CVE-2025-11702 | 2025-10-29 | Missing Authorization in GitLab |
| CVE-2025-58711 | 2025-10-29 | WordPress Blog Designer PRO plugin <= 3.4.8 - Broken Access Control vulnerability |
| CVE-2025-58939 | 2025-10-29 | WordPress Super Store Finder plugin <= 7.5 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-60075 | 2025-10-29 | WordPress hpb seo plugin for WordPress plugin <= 3.0.1 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-64194 | 2025-10-29 | WordPress Eduma theme <= 5.7.6 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64195 | 2025-10-29 | WordPress Eduma theme <= 5.7.6 - Local File Inclusion vulnerability |
| CVE-2025-64197 | 2025-10-29 | WordPress Rehub theme < 19.9.9.1 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64199 | 2025-10-29 | WordPress wpresidence theme <= 5.3.2 - Broken Access Control vulnerability |
| CVE-2025-64200 | 2025-10-29 | WordPress Email Template Customizer for WooCommerce plugin <= 1.2.17 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64201 | 2025-10-29 | WordPress PowerPress Podcasting plugin <= 11.13.12 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-64202 | 2025-10-29 | WordPress Sahifa theme < 5.8.6 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64204 | 2025-10-29 | WordPress SmartMag theme <= 10.3.1 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64208 | 2025-10-29 | WordPress Jannah - Extensions plugin <= 1.1.4 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64210 | 2025-10-29 | WordPress Masterstudy Elementor Widgets plugin <= 1.2.4 - Broken Access Control vulnerability |
| CVE-2025-64211 | 2025-10-29 | WordPress Masterstudy Elementor Widgets plugin <= 1.2.4 - Broken Access Control vulnerability |
| CVE-2025-64212 | 2025-10-29 | WordPress MasterStudy LMS Pro plugin < 4.7.16 - Broken Access Control vulnerability |
| CVE-2025-64216 | 2025-10-29 | WordPress SmartMag theme <= 10.3.0 - Local File Inclusion vulnerability |
| CVE-2025-64219 | 2025-10-29 | WordPress Business Directory plugin <= 6.4.18 - Broken Access Control vulnerability |
| CVE-2025-64220 | 2025-10-29 | WordPress Rey Core plugin <= 3.1.8 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64226 | 2025-10-29 | WordPress Stockie Extra plugin <= 1.2.11 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-64228 | 2025-10-29 | WordPress SUMO Affiliates Pro plugin <= 11.0.0 - Sensitive Data Exposure vulnerability |
| CVE-2025-64229 | 2025-10-29 | WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.7 - Broken Access Control vulnerability |
| CVE-2025-64234 | 2025-10-29 | WordPress Evergreen Content Poster plugin <= 1.4.5 - Broken Access Control vulnerability |
| CVE-2025-64283 | 2025-10-29 | WordPress RTMKit plugin <= 1.6.7 - Insecure Direct Object References (IDOR) vulnerability |
| CVE-2025-64284 | 2025-10-29 | WordPress Majestic Support plugin <= 1.1.1 - Local File Inclusion vulnerability |
| CVE-2025-64285 | 2025-10-29 | WordPress Premmerce Wholesale Pricing for WooCommerce plugin <= 1.1.10 - Broken Access Control vulnerability |
| CVE-2025-64286 | 2025-10-29 | WordPress WP Rentals theme <= 3.13.1 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-64288 | 2025-10-29 | WordPress Premmerce plugin <= 1.3.19 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-64289 | 2025-10-29 | WordPress Premmerce Product Search for WooCommerce plugin <= 2.2.4 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64290 | 2025-10-29 | WordPress Premmerce Product Search for WooCommerce plugin <= 2.2.4 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-64291 | 2025-10-29 | WordPress Premmerce User Roles plugin <= 1.0.13 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-12058 | 2025-10-29 | Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF |
| CVE-2015-10146 | 2025-10-29 | Thumbnail Slider With Lightbox <= 1.0.4 - Authenticated (Admin+) SQL Injection |
| CVE-2025-12450 | 2025-10-29 | LiteSpeed Cache <= 7.5.0.1 - Reflected Cross-Site Scripting |
| CVE-2015-10147 | 2025-10-29 | Easy Testimonial Slider and Form <= 1.0.2 - Authenticated (Admin+) SQL injection |
| CVE-2025-12461 | 2025-10-29 | Unprotected access to parts of the application in Epsilon RH by Grupo Castilla |
| CVE-2025-12142 | 2025-10-29 | BSS(Block Started by Symbol) Memory Corruption Vulnerability |
| CVE-2025-11632 | 2025-10-29 | Call Now Button <= 1.5.4 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions |
| CVE-2025-11587 | 2025-10-29 | Call Now Button <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update |
| CVE-2025-64131 | 2025-10-29 | Jenkins SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache, allowing attackers able to obtain information about the SAML authentication flow between a user's web browser and Jenkins... |
| CVE-2025-64132 | 2025-10-29 | Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain information about job and cloud configuration they... |
| CVE-2025-64133 | 2025-10-29 | A cross-site request forgery (CSRF) vulnerability in Jenkins Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier allows attackers to execute sandboxed Groovy code. |
| CVE-2025-64134 | 2025-10-29 | Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2025-64135 | 2025-10-29 | Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an empty value, disabling a protection mechanism of the Java runtime. |
| CVE-2025-64136 | 2025-10-29 | A cross-site request forgery (CSRF) vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to connect to an attacker-specified HTTP server. |
| CVE-2025-64137 | 2025-10-29 | A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. |
| CVE-2025-64138 | 2025-10-29 | A cross-site request forgery (CSRF) vulnerability in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL. |
| CVE-2025-64139 | 2025-10-29 | A missing permission check in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. |
| CVE-2025-64140 | 2025-10-29 | Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller, allowing attackers with Item/Configure permission to execute arbitrary shell commands. |
| CVE-2025-64141 | 2025-10-29 | A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2025-64142 | 2025-10-29 | A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2025-64143 | 2025-10-29 | Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission,... |
| CVE-2025-64144 | 2025-10-29 | Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or... |
| CVE-2025-64145 | 2025-10-29 | Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| CVE-2025-64146 | 2025-10-29 | Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access... |
| CVE-2025-64147 | 2025-10-29 | Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| CVE-2025-64148 | 2025-10-29 | A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2025-64149 | 2025-10-29 | A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another... |
| CVE-2025-64150 | 2025-10-29 | A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through... |
| CVE-2025-40083 | 2025-10-29 | net/sched: sch_qfq: Fix null-deref in agg_dequeue |
| CVE-2025-40084 | 2025-10-29 | ksmbd: transport_ipc: validate payload size before reading handle |
| CVE-2025-40085 | 2025-10-29 | ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card |
| CVE-2023-7324 | 2025-10-29 | scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses |