CVE List - 2025 / December
Showing 101 - 200 of 3706 CVEs for December 2025 (Page 2 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-64775 | 2025-12-01 | Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) |
| CVE-2025-3500 | 2025-12-01 | Integer Overflow in Avast Antivirus 25.1.981.6 on Windows may result in privilege escalation |
| CVE-2025-7007 | 2025-12-01 | Null pointer dereference in Avast Antivirus on macOS (16.0.0) or Linux (3.0.3) |
| CVE-2025-13835 | 2025-12-01 | WordPress Arconix Shortcodes plugin <= 2.1.19 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-13653 | 2025-12-01 | Unauthorized access to documents in data streams with specially crafted requests |
| CVE-2025-13836 | 2025-12-01 | Excessive read buffering DoS in http.client |
| CVE-2025-13837 | 2025-12-01 | Out-of-memory when loading Plist |
| CVE-2025-34297 | 2025-12-01 | KissFFT Integer Overflow Heap Buffer Overflow via kiss_fft_alloc |
| CVE-2025-11772 | 2025-12-01 | Co-Installer Privilege Escalation |
| CVE-2025-12756 | 2025-12-01 | Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion |
| CVE-2025-55749 | 2025-12-01 | The XWiki Jetty package (XJetty) allows accessing any application file through URL |
| CVE-2025-58044 | 2025-12-01 | JumpServer has an Open Redirect Vulnerability |
| CVE-2025-66205 | 2025-12-01 | Frappe has the possibility of SQL Injection due to improper validations |
| CVE-2025-66206 | 2025-12-01 | Frappe vulnerable to a path traversal allowing reading certain files |
| CVE-2025-66295 | 2025-12-01 | Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption |
| CVE-2025-66294 | 2025-12-01 | Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass |
| CVE-2025-66296 | 2025-12-01 | Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover |
| CVE-2025-66297 | 2025-12-01 | Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection |
| CVE-2025-66298 | 2025-12-01 | Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms |
| CVE-2025-66299 | 2025-12-01 | Security Sandbox Bypass with SSTI (Server Side Template Injection) in the Grav CMS |
| CVE-2025-66300 | 2025-12-01 | Grav is vulnerable to Arbitrary File Read |
| CVE-2025-66301 | 2025-12-01 | Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions |
| CVE-2025-66302 | 2025-12-01 | Grav vulnerable to Path Traversal allowing server files backup |
| CVE-2025-66303 | 2025-12-01 | Grav is vulnerable to a DOS on the admin panel |
| CVE-2025-66304 | 2025-12-01 | Grav Exposes Password Hashes Leading to privilege escalation |
| CVE-2025-66305 | 2025-12-01 | Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter |
| CVE-2025-66306 | 2025-12-01 | Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel |
| CVE-2025-66307 | 2025-12-01 | Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure |
| CVE-2025-66308 | 2025-12-01 | Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]` |
| CVE-2025-66309 | 2025-12-01 | Grav vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab |
| CVE-2025-66310 | 2025-12-01 | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab |
| CVE-2025-66311 | 2025-12-01 | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in multiple parameters |
| CVE-2025-66312 | 2025-12-01 | Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]` |
| CVE-2025-66313 | 2025-12-01 | ChurchCRM vulnerable to a time-based blind SQL injection via the 1FieldSec parameter |
| CVE-2025-66400 | 2025-12-01 | mdast-util-to-hast unsanitized class attribute |
| CVE-2025-66403 | 2025-12-01 | FileRise Vulnerable to Stored XSS via SVG Upload |
| CVE-2025-66405 | 2025-12-01 | Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host |
| CVE-2025-66410 | 2025-12-01 | Gin-vue-admin has an arbitrary file deletion vulnerability |
| CVE-2025-66412 | 2025-12-01 | Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes |
| CVE-2025-66415 | 2025-12-01 | fastify-reply-from bypass of reply forwarding |
| CVE-2025-66401 | 2025-12-01 | MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL |
| CVE-2025-66448 | 2025-12-01 | vLLM vulnerable to remote code execution via transformers_utils/get_config |
| CVE-2025-58386 | 2025-12-02 | In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter... |
| CVE-2025-59693 | 2025-12-02 | The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to obtain debug access and escalate privileges... |
| CVE-2025-59694 | 2025-12-02 | The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to persistently modify firmware and influence the... |
| CVE-2025-59695 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a user with OS root access to alter firmware on the Chassis Management Board (without Authentication).... |
| CVE-2025-59696 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to modify or erase tamper events via the Chassis management board. |
| CVE-2025-59697 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by editing the Legacy GRUB bootloader configuration to start... |
| CVE-2025-59698 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, might allow a physically proximate attacker to gain access to the EOL legacy bootloader. |
| CVE-2025-59699 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by booting from a USB device with a valid... |
| CVE-2025-59700 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with root access to modify the Recovery Partition (because of a lack... |
| CVE-2025-59701 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because... |
| CVE-2025-59702 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components. |
| CVE-2025-59703 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access the internal components of the appliance, without leaving tamper evidence.... |
| CVE-2025-59704 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an attacker to gain access to the BIOS menu because it has no password. |
| CVE-2025-59705 | 2025-12-02 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to Escalate Privileges by enabling the USB interface through chassis probe insertion... |
| CVE-2025-60736 | 2025-12-02 | code-projects Online Medicine Guide 1.0 is vulnerable to SQL Injection in /login.php via the upass parameter. |
| CVE-2025-60854 | 2025-12-02 | A vulnerability has been found in D-Link R15 (AX1500) 1.20.01 and below. By manipulating the model name parameter during a password change request in the web administrator page, it is... |
| CVE-2025-63872 | 2025-12-02 | DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, which allows JavaScript execution through model-generated SVG content. |
| CVE-2025-64070 | 2025-12-02 | Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field. |
| CVE-2025-65186 | 2025-12-02 | Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize... |
| CVE-2025-65187 | 2025-12-02 | A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever... |
| CVE-2025-65215 | 2025-12-02 | Sourcecodester Web-based Pharmacy Product Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /product_expiry/add-supplier.php via the Supplier Name field. |
| CVE-2025-65358 | 2025-12-02 | Edoc-doctor-appointment-system v1.0.1 was discovered to contain a SQL injection vulnerability via the 'docid' parameter at /admin/appointment.php. |
| CVE-2025-65379 | 2025-12-02 | PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the /admin/password-recovery.php endpoint. Specifically, the username and mobileno parameters accept unvalidated user input, which is then concatenated directly into a... |
| CVE-2025-65380 | 2025-12-02 | PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the admin/index.php endpoint. Specifically, the username parameter accepts unvalidated user input, which is then concatenated directly into a backend SQL... |
| CVE-2025-65656 | 2025-12-02 | dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php. |
| CVE-2025-65657 | 2025-12-02 | FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes... |
| CVE-2025-65844 | 2025-12-02 | EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of... |
| CVE-2025-65858 | 2025-12-02 | A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed... |
| CVE-2025-65877 | 2025-12-02 | Lvzhou CMS before commit c4ea0eb9cab5f6739b2c87e77d9ef304017ed615 (2025-09-22) is vulnerable to SQL injection via the 'title' parameter in com.wanli.lvzhoucms.service.ContentService#findPage. The parameter is concatenated directly into a dynamic SQL query without sanitization or... |
| CVE-2025-65881 | 2025-12-02 | Sourcecodester Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /classes/Login.php. |
| CVE-2025-65896 | 2025-12-02 | SQL injection vulnerability in long2ice asyncmy through 0.2.10 allows attackers to execute arbitrary SQL commands via crafted dict keys. |
| CVE-2025-21072 | 2025-12-02 | Out-of-bounds write in decoding metadata in fingerprint trustlet prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. |
| CVE-2025-21080 | 2025-12-02 | Improper export of android application components in Dynamic Lockscreen prior to SMR Dec-2025 Release 1 allows local attackers to access files with Dynamic Lockscreen's privilege. |
| CVE-2025-58475 | 2025-12-02 | Improper input validation in libsec-ril.so prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. |
| CVE-2025-58476 | 2025-12-02 | Out-of-bounds read vulnerability in bootloader prior to SMR Dec-2025 Release 1 allows physical attackers to access out-of-bounds memory. |
| CVE-2025-58477 | 2025-12-02 | Out-of-bounds write in parsing IFD tag in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. |
| CVE-2025-58478 | 2025-12-02 | Out-of-bounds write in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. |
| CVE-2025-58479 | 2025-12-02 | Out-of-bounds read in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. |
| CVE-2025-58480 | 2025-12-02 | Heap-based buffer overflow in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. |
| CVE-2025-58481 | 2025-12-02 | Improper access control in MPRemoteService of MotionPhoto prior to version 4.1.51 allows local attackers to start a privileged service. |
| CVE-2025-58482 | 2025-12-02 | Improper access control in MPLocalService of MotionPhoto prior to version 4.1.51 allows local attackers to start a privileged service. |
| CVE-2025-58483 | 2025-12-02 | Improper export of android application components in Galaxy Store for Galaxy Watch prior to version 1.0.06.29 allows a local attacker to install an arbitrary application on Galaxy Store. |
| CVE-2025-58484 | 2025-12-02 | Incorrect default permissions in Samsung Cloud Assistant prior to version 8.0.03.8 allows a local attacker to access partial data in the sandbox. |
| CVE-2025-58485 | 2025-12-02 | Improper input validation in Samsung Internet prior to version 29.0.0.48 allows local attackers to inject arbitrary script. |
| CVE-2025-58486 | 2025-12-02 | Improper input validation in Samsung Account prior to version 15.5.01.1 allows a local attacker to execute arbitrary script. |
| CVE-2025-58487 | 2025-12-02 | Improper authorization in Samsung Account prior to version 15.5.01.1 allows a local attacker to launch an arbitrary activity with Samsung Account privilege. |
| CVE-2025-58488 | 2025-12-02 | Improper verification of source of a communication channel in SmartTouchCall prior to version 1.0.1.1 allows remote attackers to access sensitive information. User interaction is required for triggering this vulnerability. |
| CVE-2025-55129 | 2025-12-02 | HackerOne community member Kassem S. (kassem_s94) has reported that username handling in Revive Adserver was still vulnerable to impersonation attacks after the fix for CVE-2025-52672, via several alternate techniques. Homoglyphs based... |
| CVE-2025-12529 | 2025-12-02 | Cost Calculator Builder <= 3.6.3 - Unauthenticated Arbitrary File Deletion |
| CVE-2025-13697 | 2025-12-02 | BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library <= 2.2.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via `timestamp` Attribute |
| CVE-2024-45675 | 2025-12-02 | IBM Informix Dynamic Server Authentication Bypass |
| CVE-2025-20792 | 2025-12-02 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base... |
| CVE-2025-20753 | 2025-12-02 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base... |
| CVE-2025-20754 | 2025-12-02 | In Modem, there is a possible system crash due to an incorrect bounds check. This could lead to remote denial of service, if a UE has connected to a rogue... |
| CVE-2025-20755 | 2025-12-02 | In Modem, there is a possible application crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base... |
| CVE-2025-20790 | 2025-12-02 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base... |
| CVE-2025-20759 | 2025-12-02 | In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to... |
| CVE-2025-20758 | 2025-12-02 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base... |