CVE List - 2025 / April
Showing 3601 - 3700 of 4033 CVEs for April 2025 (Page 37 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-46599 | 2025-04-25 | CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of... |
| CVE-2025-46613 | 2025-04-25 | OpenPLC 3 through 64f9c11 has server.cpp Memory Corruption because a thread may access handleConnections arguments after the parent stack frame becomes unavailable. |
| CVE-2025-46616 | 2025-04-25 | Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before... |
| CVE-2025-46617 | 2025-04-25 | Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and unauthorized modification of some software configuration parameters via undocumented user credentials. This affects StorNext RYO before... |
| CVE-2025-43864 | 2025-04-25 | React Router allows a DoS via cache poisoning by forcing SPA mode |
| CVE-2025-43865 | 2025-04-25 | React Router allows pre-render data spoofing on React-Router framework mode |
| CVE-2025-3775 | 2025-04-25 | ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.2 - Unauthenticated Server-Side Request Forgery via URL Parameter |
| CVE-2025-3752 | 2025-04-25 | Able Player, accessible HTML5 media player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter |
| CVE-2025-3511 | 2025-04-25 | Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module, CC-Link IE TSN Analog-Digital Converter module, CC-Link IE TSN Digital-Analog Converter module,... |
| CVE-2025-2580 | 2025-04-25 | Contact Form by Bit Form <= 2.18.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2025-3861 | 2025-04-25 | Prevent Direct Access 2.8.6 - 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions |
| CVE-2025-3923 | 2025-04-25 | Prevent Direct Access – Protect WordPress Files <= 2.8.8 - Unauthenticated Sensitive Information Exposure |
| CVE-2025-0671 | 2025-04-25 | Email Subscribers < 5.7.50 - Admin+ Stored XSS in Template |
| CVE-2025-3866 | 2025-04-25 | Add Google +1 (Plus one) social share Button <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2025-3867 | 2025-04-25 | Ajax Comment Form CST <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2025-3868 | 2025-04-25 | Custom Admin-Bar Favorites <= 0.1 - Reflected Cross-Site Scripting |
| CVE-2025-2238 | 2025-04-25 | Vikinger <= 1.9.30 - Authenticated (Subscriber+) Privilege Escalation via 'vikinger_user_meta_update_ajax' |
| CVE-2025-3743 | 2025-04-25 | Upsell Funnel Builder for WooCommerce <= 3.0.0 - Unauthenticated Order Manipulation |
| CVE-2025-46482 | 2025-04-25 | WordPress WP Quiz plugin <= 2.0.10 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-46535 | 2025-04-25 | WordPress Custom Login and Registration plugin <= 1.0.0 - Broken Access Control vulnerability |
| CVE-2025-3870 | 2025-04-25 | 1 Decembrie 1918 <= 1.dec.2012 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2025-1279 | 2025-04-25 | BM Content Builder <= 3.16.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update |
| CVE-2025-1565 | 2025-04-25 | Mayosis Core <= 5.4.1 - Unauthenticated Arbitrary File Read |
| CVE-2025-2986 | 2025-04-25 | IBM Maximo Asset Management cross-site scripting |
| CVE-2025-3912 | 2025-04-25 | WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.10.35 - Missing Authorization to Unauthenticated Sensitive Information Exposure |
| CVE-2024-11917 | 2025-04-25 | JobSearch WP Job Board <= 2.9.2 - Authentication Bypass via Social Logins |
| CVE-2025-2470 | 2025-04-25 | Service Finder Bookings <= 5.1 - Unauthenticated Privilege Escalation via 'nsl_registration_store_extra_input' |
| CVE-2024-6198 | 2025-04-25 | SNORE Interface Unauthenticated Remote Code Execution |
| CVE-2024-6199 | 2025-04-25 | Unauthenticated Remote Code Execution |
| CVE-2025-3634 | 2025-04-25 | Moodle: moodle allows course self-enrolment before completing mfa |
| CVE-2025-43016 | 2025-04-25 | In JetBrains Rider before 2025.1.2 custom archive unpacker allowed arbitrary file overwrite during remote debug session |
| CVE-2025-46432 | 2025-04-25 | In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs |
| CVE-2025-46433 | 2025-04-25 | In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible |
| CVE-2025-46618 | 2025-04-25 | In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab |
| CVE-2025-3625 | 2025-04-25 | Moodle: user dos and name disclosure via idor in moodle mfa email factor revoke action |
| CVE-2025-3627 | 2025-04-25 | Moodle: partial data exposure in moodle before completing multi-factor authentication |
| CVE-2025-3628 | 2025-04-25 | Moodle: moodle assignment submission search leaks anonymous student identities |
| CVE-2025-3635 | 2025-04-25 | Moodle: csrf risk in moodle user tours manager allows tour duplication |
| CVE-2025-3636 | 2025-04-25 | Moodle: idor in moodle rss block allows unauthorized access to rss feeds |
| CVE-2025-3637 | 2025-04-25 | Moodle: csrf token exposure via url in moodle mod_data module |
| CVE-2025-3638 | 2025-04-25 | Moodle: csrf risk in brickfield tool's analysis request action |
| CVE-2025-3640 | 2025-04-25 | Moodle: idor in web service allows users enrolled in a course to access some details of other users |
| CVE-2025-3641 | 2025-04-25 | Moodle: authenticated remote code execution risk in the moodle lms dropbox repository |
| CVE-2025-3642 | 2025-04-25 | Moodle: authenticated remote code execution risk in the moodle lms equella repository |
| CVE-2025-3643 | 2025-04-25 | Moodle: reflected xss risk in policy tool |
| CVE-2025-3644 | 2025-04-25 | Moodle: ajax section delete does not respect course_can_delete_section() |
| CVE-2025-3645 | 2025-04-25 | Moodle: idor in messaging web service allows access to some user details |
| CVE-2025-3647 | 2025-04-25 | Moodle: idor when accessing the cohorts report |
| CVE-2025-32044 | 2025-04-25 | Moodle: unauthenticated rest api user data exposure |
| CVE-2025-32045 | 2025-04-25 | Moodle: hidden grades shown to users without permission on some grade reports |
| CVE-2025-32432 | 2025-04-25 | Craft CMS Allows Remote Code Execution |
| CVE-2025-43862 | 2025-04-25 | Dify Allows Unauthorized Access and Modification of APP Orchestration |
| CVE-2024-56156 | 2025-04-25 | Halo Vulnerable to Stored XSS and RCE via File Upload Bypass |
| CVE-2025-2068 | 2025-04-25 | An open redirect vulnerability was reported in the FileZ client that could allow information disclosure if a crafted url is visited by a local user. |
| CVE-2025-2069 | 2025-04-25 | A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user. |
| CVE-2025-2070 | 2025-04-25 | An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user. |
| CVE-2025-3928 | 2025-04-25 | Commvault Web Server unspecified vulnerability |
| CVE-2024-30152 | 2025-04-25 | HCL SX is affected by usage of a weak cryptographic algorithm |
| CVE-2025-3935 | 2025-04-25 | ScreenConnect Exposure to ASP.NET ViewState Code Injection |
| CVE-2025-46333 | 2025-04-25 | z2d OOB composition could lead to invalid memory access and corruption |
| CVE-2024-53636 | 2025-04-26 | An arbitrary file upload vulnerability via writefile.php of Serosoft Academia Student Information System (SIS) EagleR-1.0.118 allows attackers to execute arbitrary code via ../ in the filePath parameter. |
| CVE-2025-46646 | 2025-04-26 | In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong UTF-8 encoding. NOTE: this issue exists because of an incomplete fix for CVE-2024-46954. |
| CVE-2025-46652 | 2025-04-26 | In IZArc through 4.5, there is a Mark-of-the-Web Bypass Vulnerability. When a user performs an extraction from an archive file that bears Mark-of-the-Web, Mark-of-the-Web is not propagated to the extracted... |
| CVE-2025-46653 | 2025-04-26 | Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there... |
| CVE-2025-46654 | 2025-04-26 | CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file. |
| CVE-2025-46655 | 2025-04-26 | CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as... |
| CVE-2025-46656 | 2025-04-26 | python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as `<h9999999>` in addition to `<h1>` through `<h6>`. This causes memory consumption. |
| CVE-2025-2801 | 2025-04-26 | Create custom forms for WordPress with a smart form plugin for smart businesses <= 1.2.4 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2024-13808 | 2025-04-26 | Xpro Elementor Addons - Pro <= 1.4.9 - Authenticated (Contributor+) Remote Code Execution |
| CVE-2025-2105 | 2025-04-26 | Jupiter X Core <= 4.8.11 - Unauthenticated PHP Object Injection via PHAR |
| CVE-2025-1458 | 2025-04-26 | Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.29 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-3491 | 2025-04-26 | Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution |
| CVE-2025-3914 | 2025-04-26 | Aeropage Sync for Airtable <= 3.2.0 - Authenticated (Subscriber+) Arbitrary File Upload |
| CVE-2025-3906 | 2025-04-26 | Integração entre Eduzz e Woocommerce 1.5.0 - 1.7.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation |
| CVE-2025-3915 | 2025-04-26 | Aeropage Sync for Airtable <= 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion |
| CVE-2025-2907 | 2025-04-26 | Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update |
| CVE-2025-2811 | 2025-04-26 | GL.iNet GL-A1300 Slate Plus API redos |
| CVE-2025-2850 | 2025-04-26 | GL.iNet GL-A1300 Slate Plus Download Interface improper authorization |
| CVE-2025-2851 | 2025-04-26 | GL.iNet GL-A1300 Slate Plus RPC plugins.so buffer overflow |
| CVE-2024-13812 | 2025-04-26 | Anps Theme plugin <= 1.1.1 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2025-2101 | 2025-04-26 | Edumall <= 4.2.4 - Unauthenticated Local File Inclusion |
| CVE-2025-3954 | 2025-04-26 | ChurchCRM Referer server-side request forgery |
| CVE-2025-46657 | 2025-04-27 | Karaz Karazal through 2025-04-14 allows reflected XSS via the lang parameter to the default URI. |
| CVE-2025-46672 | 2025-04-27 | NASA CryptoLib before 1.3.2 does not check the OTAR crypto function returned status, potentially leading to spacecraft hijacking. |
| CVE-2025-46673 | 2025-04-27 | NASA CryptoLib before 1.3.2 does not check whether the SA is in an operational state before use, possibly leading to a bypass of the Space Data Link Security protocol (SDLS). |
| CVE-2025-46674 | 2025-04-27 | NASA CryptoLib before 1.3.2 uses Extended Procedures that are a Work in Progress (not intended for use during flight), potentially leading to a keystream oracle. |
| CVE-2025-46675 | 2025-04-27 | In NASA CryptoLib before 1.3.2, the key state is not checked before use, potentially leading to spacecraft hijacking. |
| CVE-2025-46687 | 2025-04-27 | quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. |
| CVE-2025-46688 | 2025-04-27 | quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. |
| CVE-2025-46689 | 2025-04-27 | Ververica Platform 2.14.0 contains a reflected XSS vulnerability via a namespaces/default/formats URI. |
| CVE-2025-46690 | 2025-04-27 | Ververica Platform 2.14.0 allows low-privileged users to access SQL connectors via a direct namespaces/default/formats request. |
| CVE-2025-3955 | 2025-04-27 | codeprojects Patient Record Management System edit_rpatient.php.php sql injection |
| CVE-2025-46574 | 2025-04-27 | ZTE GoldenDB Database product has an input validation vulnerability |
| CVE-2025-46575 | 2025-04-27 | ZTE GoldenDB Database product has an information disclosure vulnerability |
| CVE-2025-46576 | 2025-04-27 | ZTE GoldenDB Database product has a privilege escalation vulnerability |
| CVE-2025-46577 | 2025-04-27 | ZTE GoldenDB Database product has an SQL injection vulnerability |
| CVE-2025-46578 | 2025-04-27 | ZTE GoldenDB Database product has SQL injection vulnerabilities in multiple interfaces |
| CVE-2025-46579 | 2025-04-27 | ZTE GoldenDB Database product has a DDE injection vulnerability |
| CVE-2025-46580 | 2025-04-27 | ZTE GoldenDB Database product has a code-related vulnerability |
| CVE-2025-3956 | 2025-04-27 | 201206030 novel-cloud BookInfoMapper.xml RestResp sql injection |