CVE List - 2025 / November
Showing 801 - 900 of 1779 CVEs for November 2025 (Page 9 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-12896 | 2025-11-07 | Improper resource management in firmware of some Solidigm DC Products may allow an attacker with local or physical access to gain un-authorized access to a locked storage device. |
| CVE-2025-64442 | 2025-11-07 | HumHub is vulnerable to XSS through its Meta Search component |
| CVE-2025-12875 | 2025-11-07 | mruby array.c ary_fill_exec out-of-bounds write |
| CVE-2025-64481 | 2025-11-07 | Open redirect endpoint in Datasette |
| CVE-2025-12863 | 2025-11-07 | Libxml2: namespace use-after-free in xmlsettreedoc() function of libxml2 |
| CVE-2025-12418 | 2025-11-07 | Potential Denial of Service in Supported Versions of Revenera InstallShield |
| CVE-2020-36870 | 2025-11-07 | Ruijie Gateway EG & NBR Models v11.1(6)B9P1 - 11.9(4)B12P1 RCE |
| CVE-2025-37736 | 2025-11-07 | Elastic Cloud Enterprise Improper Authorization |
| CVE-2025-64434 | 2025-11-07 | KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing |
| CVE-2025-64435 | 2025-11-07 | KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation |
| CVE-2025-64436 | 2025-11-07 | KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes |
| CVE-2025-64437 | 2025-11-07 | KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes |
| CVE-2025-64433 | 2025-11-07 | KubeVirt Arbitrary Container File Read |
| CVE-2025-64485 | 2025-11-07 | CVAT: Mounted share file overwrite via crafted request |
| CVE-2025-12905 | 2025-11-07 | Inappropriate implementation in Downloads in Google Chrome on Windows prior to 140.0.7339.80 allowed a remote attacker to bypass Mark of the Web via a crafted HTML page. (Chromium security severity:... |
| CVE-2025-12906 | 2025-11-07 | Inappropriate implementation in Permissions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2025-12907 | 2025-11-07 | Insufficient validation of untrusted input in Devtools in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to execute arbitrary code via user action in Devtools. (Chromium security severity: Low) |
| CVE-2025-12908 | 2025-11-07 | Insufficient validation of untrusted input in Downloads in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security... |
| CVE-2025-12909 | 2025-11-07 | Insufficient policy enforcement in Devtools in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to leak cross-origin data via Devtools. (Chromium security severity: Low) |
| CVE-2025-12910 | 2025-11-07 | Inappropriate implementation in Passkeys in Google Chrome prior to 140.0.7339.80 allowed a local attacker to obtain potentially sensitive information via debug logs. (Chromium security severity: Low) |
| CVE-2025-12911 | 2025-11-07 | Inappropriate implementation in Permissions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2025-64486 | 2025-11-07 | calibre is vulnerable to arbitrary code execution when opening FB2 files |
| CVE-2025-64488 | 2025-11-07 | SuiteCRM: Authenticated SQL Injection Possible in Reschedule Call Module |
| CVE-2025-64489 | 2025-11-08 | SuiteCRM: Privilege Escalation via Improper Session Invalidation and Inactive User Bypass |
| CVE-2025-64490 | 2025-11-08 | SuiteCRM's Inconsistent RBAC Enforcement Enables Access Control Bypass |
| CVE-2025-64491 | 2025-11-08 | SuiteCRM is vulnerable to unauthenticated reflected XSS through its Login page |
| CVE-2025-64492 | 2025-11-08 | SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection |
| CVE-2025-64493 | 2025-11-08 | SuiteCRM is Vulnerable to Authenticated Blind SQL Injection via GraphQL |
| CVE-2025-64494 | 2025-11-08 | Soft Serve does not sanitize ANSI escape sequences in user input |
| CVE-2025-64495 | 2025-11-08 | Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE |
| CVE-2025-64496 | 2025-11-08 | Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events |
| CVE-2025-11452 | 2025-11-08 | Asgaros Forum <= 3.1.0 - Unauthenticated SQL Injection |
| CVE-2025-12583 | 2025-11-08 | Simple Downloads List <= 1.4.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting |
| CVE-2025-12167 | 2025-11-08 | Contact Form 7 AWeber Extension <= 0.1.42 - Missing Authorization to Authenticated (Subscriber+) Log Reset |
| CVE-2025-12177 | 2025-11-08 | Download Manager <= 3.3.30 - Unauthenticated Cron Trigger due to Hardcoded Cron Key |
| CVE-2025-12064 | 2025-11-08 | WP2Social Auto Publish <= 2.4.7 - Reflected Cross-Site Scripting via PostMessage |
| CVE-2025-12042 | 2025-11-08 | Course Booking System <= 6.1.5 - Missing Authorization to Unauthenticated Booking Data Export |
| CVE-2025-12353 | 2025-11-08 | WPFunnels <= 3.6.2 - Unauthorized User Registration |
| CVE-2025-7663 | 2025-11-08 | Ovatheme Events Manager <= 1.8.6 - Missing Authorization |
| CVE-2025-11972 | 2025-11-08 | Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.0 - Authenticated (Editor+) SQL Injection |
| CVE-2025-12193 | 2025-11-08 | Mang Board WP <= 2.3.1 - Reflected Cross-Site Scripting |
| CVE-2025-12161 | 2025-11-08 | Smart Auto Upload Images <= 1.2.0 - Authenticated (Contributor+) Arbitrary File Upload |
| CVE-2025-11748 | 2025-11-08 | Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join |
| CVE-2025-12000 | 2025-11-08 | WPFunnels <= 3.6.2 - Authenticated (Administrator+) Arbitrary File Deletion via Path Traversal |
| CVE-2025-12112 | 2025-11-08 | Insert Headers and Footers Code – HT Script <= 1.1.6 - Authenticated (Author+) Stored Cross-Site Scripting |
| CVE-2025-12125 | 2025-11-08 | HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-9334 | 2025-11-08 | Better Find and Replace <= 1.7.7 - Authenticated (Subscriber+) Limited Code Injection |
| CVE-2025-12498 | 2025-11-08 | EventPrime – Events Calendar, Bookings and Tickets <= 4.2.0.0 - Missing Authorization to Authenticated (Subscriber+) Booking Note Creation |
| CVE-2025-12621 | 2025-11-08 | Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update |
| CVE-2025-12099 | 2025-11-08 | Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection via 'import_all_courses' |
| CVE-2025-12098 | 2025-11-08 | Academy LMS Pro <= 3.3.8 - Unauthenticated Sensitive Information Exposure via 'enqueue_social_login_script' |
| CVE-2025-12092 | 2025-11-08 | CYAN Backup <= 2.5.4 - Authenticated (Admin+) Arbitrary File Deletion |
| CVE-2025-11980 | 2025-11-08 | Quick Featured Images <= 13.7.3 - Authenticated (Editor+) SQL Injection via delete_orphaned |
| CVE-2025-12643 | 2025-11-08 | Saphali LiqPay for donate <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2025-12837 | 2025-11-08 | aThemes Addons for Elementor <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget |
| CVE-2025-11448 | 2025-11-08 | Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 - Missing Authorization to Authenticated (Contributor+) Gallery Conversion |
| CVE-2025-11967 | 2025-11-08 | Mail Mint <= 1.18.10 - Authenticated (Admin+) Arbitrary File Upload |
| CVE-2025-12399 | 2025-11-08 | Alex Reservations: Smart Restaurant Booking <= 2.2.3 - Authenticated (Admin+) Arbitrary File Upload |
| CVE-2025-12913 | 2025-11-08 | code-projects Responsive Hotel Site roomdel.php sql injection |
| CVE-2025-12914 | 2025-11-08 | aaPanel BaoTa Backend database sql injection |
| CVE-2025-12915 | 2025-11-08 | 70mai X200 Init Script file inclusion |
| CVE-2025-12916 | 2025-11-08 | Sangfor Operation and Maintenance Security Management System Frontend portal_login command injection |
| CVE-2025-40108 | 2025-11-09 | serial: qcom-geni: Fix blocked task |
| CVE-2025-40109 | 2025-11-09 | crypto: rng - Ensure set_ent is always present |
| CVE-2025-12917 | 2025-11-09 | TOZED ZLT T10 Reboot proc_post denial of service |
| CVE-2025-12918 | 2025-11-09 | yungifez Skuul School Management System View Fee Invoice fee-invoices resource injection |
| CVE-2025-12919 | 2025-11-09 | EverShop Order Order.resolvers.js resource injection |
| CVE-2025-12920 | 2025-11-09 | qianfox FoxCMS Product.php edit cross site scripting |
| CVE-2025-12921 | 2025-11-09 | OpenClinica Community Edition CRF Data Import ImportCRFData xml injection |
| CVE-2025-56503 | 2025-11-10 | An issue in Sublime HQ Pty Ltd Sublime Text 4 4200 allows authenticated attackers with low-level privileges to escalate privileges to Administrator via replacing the uninstall file with a crafted... |
| CVE-2025-60876 | 2025-11-10 | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to... |
| CVE-2025-63147 | 2025-11-10 | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the deviceId parameter of the saveParentControlInfo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-63149 | 2025-11-10 | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the urls parameter of the get_parentControl_list_Info function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-63152 | 2025-11-10 | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the wpapsk_crypto parameter of the wlSetExternParameter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-63153 | 2025-11-10 | TOTOLink A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow in the ssid parameter of the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-63154 | 2025-11-10 | TOTOLink A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow in the addEffect parameter of the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-63288 | 2025-11-10 | In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service. |
| CVE-2025-63296 | 2025-11-10 | KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera firmware v33.53.87 contains a code execution vulnerability in its boot/update logic: during startup /usr/sbin/anyka_service.sh scans mounted TF/SD cards and, if /mnt/update.nor.sh... |
| CVE-2025-63384 | 2025-11-10 | A vulnerability was discovered in RISC-V Rocket-Chip v1.6 and before implementation where the SRET (Supervisor-mode Exception Return) instruction fails to correctly transition the processor's privilege level. Instead of downgrading from... |
| CVE-2025-63397 | 2025-11-10 | Improper input validation in OneFlow v0.9.0 allows attackers to cause a segmentation fault via adding a Python sequence to the native code during broadcasting/type conversion. |
| CVE-2025-63455 | 2025-11-10 | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-63456 | 2025-11-10 | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the time parameter in the SetSysTimeCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-63457 | 2025-11-10 | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the wanMTU parameter in the sub_4F55C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-63497 | 2025-11-10 | The patient prescription viewing functionality in his_doc_view_single_patient.php of rickxy Hospital Management System version 1.0 contains an SQL injection vulnerability. The pat_number GET parameter is directly concatenated into SQL queries without... |
| CVE-2025-63617 | 2025-11-10 | ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. This is because it uses a vulnerable version of fastjson and deserializes unsafe input data. |
| CVE-2025-63678 | 2025-11-10 | An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a... |
| CVE-2025-63709 | 2025-11-10 | A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Simple To-Do List System 1.0 in the "Add Tasks" text input. An authenticated user can submit HTML/JavaScript that is not correctly sanitized... |
| CVE-2025-63710 | 2025-11-10 | The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or... |
| CVE-2025-63711 | 2025-11-10 | A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their... |
| CVE-2025-63712 | 2025-11-10 | Cross-Site Request Forgery (CSRF) in SourceCodester Product Expiry Management System. The User Management module (delete-user.php) allows remote attackers to delete arbitrary user accounts via forged cross-origin GET requests because the... |
| CVE-2025-63834 | 2025-11-10 | A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the ssid parameter of the wireless settings. Remote attackers can inject malicious payloads that... |
| CVE-2025-63835 | 2025-11-10 | A stack-based buffer overflow vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the guestSsid parameter of the /goform/WifiGuestSet interface. Remote attackers can exploit this vulnerability by sending... |
| CVE-2025-12922 | 2025-11-10 | OpenClinica Community Edition CRF Data Import ImportCRFData path traversal |
| CVE-2025-12923 | 2025-11-10 | liweiyi ChestnutCMS download resourceDownload path traversal |
| CVE-2025-12924 | 2025-11-10 | rymcu forest BankController.java GlobalResult authorization |
| CVE-2025-12925 | 2025-11-10 | rymcu forest UserDicController.java deleteDic authorization |
| CVE-2025-12926 | 2025-11-10 | SourceCodester Farm Management System review.php sql injection |
| CVE-2025-12864 | 2025-11-10 | e-Excellence|U-Office Force - SQL Injection |
| CVE-2025-12865 | 2025-11-10 | e-Excellence|U-Office Force - SQL Injection |
| CVE-2025-12927 | 2025-11-10 | DedeBIZ archives_add.php sql injection |