CVE List - 2025 / April
Showing 3001 - 3100 of 4033 CVEs for April 2025 (Page 31 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-2947 | 2025-04-17 | IBM i privilege escalation |
| CVE-2020-36789 | 2025-04-17 | can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context |
| CVE-2021-47668 | 2025-04-17 | can: dev: can_restart: fix use after free bug |
| CVE-2021-47669 | 2025-04-17 | can: vxcan: vxcan_xmit: fix use after free bug |
| CVE-2021-47670 | 2025-04-17 | can: peak_usb: fix use after free bugs |
| CVE-2021-47671 | 2025-04-17 | can: etas_es58x: es58x_rx_err_msg(): fix memory leak in error path |
| CVE-2025-3762 | 2025-04-17 | PCMan FTP Server MPUT Command buffer overflow |
| CVE-2025-3763 | 2025-04-17 | SourceCodester Phone Management System Password main buffer overflow |
| CVE-2024-42177 | 2025-04-17 | HCL MyXalytics is affected by SSL/TLS Protocol affected with BREACH & LUCKY13 vulnerabilities |
| CVE-2025-3764 | 2025-04-17 | SourceCodester Web-based Pharmacy Product Management System edit-product.php unrestricted upload |
| CVE-2025-3765 | 2025-04-17 | SourceCodester Web-based Pharmacy Product Management System edit-photo.php unrestricted upload |
| CVE-2024-42178 | 2025-04-17 | HCL MyXalytics is affected by a failure to restrict URL access vulnerability |
| CVE-2025-3124 | 2025-04-17 | Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized access to private repository names |
| CVE-2025-3509 | 2025-04-17 | Pre-Receive Hook Remote Code Execution vulnerability was identified in GitHub Enterprise Server that allows Privilege Escalation |
| CVE-2025-3246 | 2025-04-17 | Markdown math block sanitization bypass allows privilege escalation and unauthorized workflow triggers |
| CVE-2024-29643 | 2025-04-18 | An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component. |
| CVE-2024-41447 | 2025-04-18 | A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the... |
| CVE-2024-46089 | 2025-04-18 | 74cms <=3.33 is vulnerable to remote code execution (RCE) in the background interface apiadmin. |
| CVE-2024-53591 | 2025-04-18 | An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute force attack. |
| CVE-2024-57493 | 2025-04-18 | An issue in redoxOS relibc before commit 98aa4ea5 allows a local attacker to cause a denial of service via the setsockopt function. |
| CVE-2025-25983 | 2025-04-18 | An issue in Macro-video Technologies Co.,Ltd V380 Pro android application 2.1.44 and V380 Pro android application 2.1.64 allows an attacker to obtain sensitive information via the QE code based sharing... |
| CVE-2025-25984 | 2025-04-18 | An issue in Macro-video Technologies Co.,Ltd V380E6_C1 IP camera (Hw_HsAKPIQp_WF_XHR) 1020302 allows a physically proximate attacker to execute arbitrary code via UART component. |
| CVE-2025-25985 | 2025-04-18 | An issue in Macro-video Technologies Co.,Ltd V380E6_C1 IP camera (Hw_HsAKPIQp_WF_XHR) 1020302 allows a physically proximate attacker to execute arbitrary code via the /mnt/mtd/mvconf/wifi.ini and /mnt/mtd/mvconf/user_info.ini components. |
| CVE-2025-28059 | 2025-04-18 | An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator... |
| CVE-2025-28197 | 2025-04-18 | Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py. |
| CVE-2025-28228 | 2025-04-18 | A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2 allows unauthorized attackers to access credentials in plaintext. |
| CVE-2025-28229 | 2025-04-18 | Incorrect access control in Orban OPTIMOD 5950 Firmware v1.0.0.2 and System v2.2.15 allows attackers to bypass authentication and gain Administrator privileges. |
| CVE-2025-28230 | 2025-04-18 | Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials. |
| CVE-2025-28231 | 2025-04-18 | Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges. |
| CVE-2025-28232 | 2025-04-18 | Incorrect access control in the HOME.php endpoint of JMBroadcast JMB0150 Firmware v1.0 allows attackers to access the Admin panel without authentication. |
| CVE-2025-28233 | 2025-04-18 | Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows... |
| CVE-2025-28235 | 2025-04-18 | An information disclosure vulnerability in the component /socket.io/1/websocket/ of Soundcraft Ui Series Model(s) Ui12 and Ui16 Firmware v1.0.7x and v1.0.5x allows attackers to access Administrator credentials in plaintext. |
| CVE-2025-28236 | 2025-04-18 | Nautel VX Series transmitters VX SW v6.4.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the firmware update process. This vulnerability allows attackers to execute... |
| CVE-2025-28237 | 2025-04-18 | An issue in WorldCast Systems ECRESO FM/DAB/TV Transmitter v1.10.1 allows authenticated attackers to escalate privileges via a crafted JSON payload. |
| CVE-2025-28238 | 2025-04-18 | Improper session management in Elber REBLE310 Firmware v5.5.1.R, Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. |
| CVE-2025-28242 | 2025-04-18 | Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. |
| CVE-2025-28355 | 2025-04-18 | Volmarg Personal Management System 1.4.65 is vulnerable to Cross Site Request Forgery (CSRF) allowing attackers to execute arbitrary code and obtain sensitive information via the SameSite cookie attribute default value... |
| CVE-2025-29058 | 2025-04-18 | An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component. |
| CVE-2025-29209 | 2025-04-18 | TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution in the 'enable' parameter of the sub_41105C function of cstecgi.cgi. |
| CVE-2025-29512 | 2025-04-18 | Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the... |
| CVE-2025-29513 | 2025-04-18 | Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator. |
| CVE-2025-29625 | 2025-04-18 | A buffer overflow vulnerability in Astrolog v7.70 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via an overly long environment variable passed to FileOpen function. |
| CVE-2025-43903 | 2025-04-18 | NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries. |
| CVE-2025-25427 | 2025-04-18 | XSS in TP-Link TL-WR841N v14/v14.6/v14.8 Upnp page |
| CVE-2025-0467 | 2025-04-18 | GPU DDK - rgxfw_hwperf_get_packet_buffer OOB write |
| CVE-2025-3520 | 2025-04-18 | Avatar <= 0.1.4 - Authenticated (Subscriber+) Arbitrary File Deletion |
| CVE-2024-13650 | 2025-04-18 | Piotnet Addons For Elementor <= 2.4.34 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-2613 | 2025-04-18 | Login Manager – Design Login Page, View Login Activity, Limit Login Attempts <= 2.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via Custom URL |
| CVE-2025-42599 | 2025-04-18 | Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated attacker may lead to arbitrary... |
| CVE-2025-39471 | 2025-04-18 | WordPress Modal Survey plugin <= 2.0.2.0.1 - SQL Injection vulnerability |
| CVE-2025-39470 | 2025-04-18 | WordPress Ivy School <= 1.6.0 - Local File Inclusion Vulnerability |
| CVE-2025-39469 | 2025-04-18 | WordPress Modal Survey plugin <= 2.0.2.0.1 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-3598 | 2025-04-18 | Coupon Affiliates – Affiliate Plugin for WooCommerce <= 6.3.0 - Reflected Cross-Site Scripting via 'commission_summary' Parameter |
| CVE-2025-3783 | 2025-04-18 | SourceCodester Web-based Pharmacy Product Management System add-product.php unrestricted upload |
| CVE-2025-1863 | 2025-04-18 | Insecure default settings for recorder products |
| CVE-2025-2162 | 2025-04-18 | MapPress Maps for WordPress < 2.94.10 - Admin+ Stored XSS |
| CVE-2025-37785 | 2025-04-18 | ext4: fix OOB read when checking dotdot dir |
| CVE-2025-37860 | 2025-04-18 | sfc: fix NULL dereferences in ef100_process_design_param() |
| CVE-2025-37893 | 2025-04-18 | LoongArch: BPF: Fix off-by-one error in build_prologue() |
| CVE-2025-37925 | 2025-04-18 | jfs: reject on-disk inodes of an unsupported type |
| CVE-2025-38049 | 2025-04-18 | x86/resctrl: Fix allocation of cleanest CLOSID on platforms with no monitors |
| CVE-2025-38104 | 2025-04-18 | drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV |
| CVE-2025-38152 | 2025-04-18 | remoteproc: core: Clear table_sz when rproc_shutdown |
| CVE-2025-38240 | 2025-04-18 | drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr |
| CVE-2025-38479 | 2025-04-18 | dmaengine: fsl-edma: free irq correctly in remove path |
| CVE-2025-38575 | 2025-04-18 | ksmbd: use aead_request_free to match aead_request_alloc |
| CVE-2025-38637 | 2025-04-18 | net_sched: skbprio: Remove overly strict queue assertions |
| CVE-2025-39688 | 2025-04-18 | nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid() |
| CVE-2025-39728 | 2025-04-18 | clk: samsung: Fix UBSAN panic in samsung_clk_init() |
| CVE-2025-39735 | 2025-04-18 | jfs: fix slab-out-of-bounds read in ea_get() |
| CVE-2025-39755 | 2025-04-18 | staging: gpib: Fix cb7210 pcmcia Oops |
| CVE-2025-39778 | 2025-04-18 | objtool, nvmet: Fix out-of-bounds stack access in nvmet_ctrl_state_show() |
| CVE-2025-39930 | 2025-04-18 | ASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai() |
| CVE-2025-39989 | 2025-04-18 | x86/mce: use is_copy_from_user() to determine copy-from-user context |
| CVE-2025-40014 | 2025-04-18 | objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() |
| CVE-2025-40114 | 2025-04-18 | iio: light: Add check for array bounds in veml6075_read_int_time_ms |
| CVE-2025-40325 | 2025-04-18 | md/raid10: wait barrier before returning discard request with REQ_NOWAIT |
| CVE-2025-3056 | 2025-04-18 | Download Manager <= 3.3.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2025-3785 | 2025-04-18 | D-Link DWR-M961 Authorization Interface formStaticDHCP stack-based overflow |
| CVE-2025-2492 | 2025-04-18 | An improper authentication control vulnerability exists in AiCloud. This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions. Refer to the 'ASUS Router AiCloud... |
| CVE-2025-3786 | 2025-04-18 | Tenda AC15 WifiExtraSet fromSetWirelessRepeat buffer overflow |
| CVE-2025-3106 | 2025-04-18 | LA-Studio Element Kit for Elementor <= 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table of Contents Widget |
| CVE-2025-3787 | 2025-04-18 | PbootCMS Image server-side request forgery |
| CVE-2025-3788 | 2025-04-18 | baseweb JSite save cross site scripting |
| CVE-2024-49808 | 2025-04-18 | IBM Sterling Connect:Direct Web Services improper authorization |
| CVE-2024-45651 | 2025-04-18 | IBM Sterling Connect:Direct Web Services session fixation |
| CVE-2025-32790 | 2025-04-18 | Dify Allows Insecure User Role Access Control for APP DSL Exporting |
| CVE-2025-3789 | 2025-04-18 | baseweb JSite save cross site scripting |
| CVE-2025-3790 | 2025-04-18 | baseweb JSite Apache Druid Monitoring Console index.html access control |
| CVE-2025-40364 | 2025-04-18 | io_uring: fix io_req_prep_async with provided buffers |
| CVE-2025-37838 | 2025-04-18 | HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition |
| CVE-2025-3791 | 2025-04-18 | symisc UnQLite unqlite.c jx9MemObjStore heap-based overflow |
| CVE-2025-2950 | 2025-04-18 | IBM i improper HTTP header neutralization |
| CVE-2025-3792 | 2025-04-18 | SeaCMS admin_link.php sql injection |
| CVE-2025-29953 | 2025-04-18 | Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass |
| CVE-2025-32434 | 2025-04-18 | PyTorch: `torch.load` with `weights_only=True` leads to remote code execution |
| CVE-2025-27599 | 2025-04-18 | Element X Android vulnerable to loading malicious web pages via received intent |
| CVE-2025-29784 | 2025-04-18 | NamelessMC Has Lack of Length Validation for s Parameter in GET Requests |
| CVE-2025-30158 | 2025-04-18 | NamelessMC Forum iframe width/height abuse causing UI-based Denial of Service |
| CVE-2025-30357 | 2025-04-18 | NamelessMC Forum Topic Deletion Triggered by Unrelated User Deletion |