Lista CVE - 2025 / Aprile
Visualizzazione 4001 - 4033 di 4033 CVE per Aprile 2025 (Pagina 41 di 41)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2025-46331 | 2025-04-30 | OpenFGA Authorization Bypass |
| CVE-2025-32777 | 2025-04-30 | Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin |
| CVE-2025-24887 | 2025-04-30 | OpenCTI bypass of protected attribute update |
| CVE-2025-46558 | 2025-04-30 | org.xwiki.contrib.markdown:syntax-markdown-commonmark12 vulnerable to XSS via Markdown content |
| CVE-2025-46557 | 2025-04-30 | Any user with view access to the XWiki space can change the authenticator |
| CVE-2025-46554 | 2025-04-30 | XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API |
| CVE-2024-9876 | 2025-04-30 | Application is vulnerable to Privilege escalation |
| CVE-2024-9877 | 2025-04-30 | Sensitive information submitted using GET method |
| CVE-2025-2170 | 2025-04-30 | A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface, which in specific conditions could potentially enable a remote unauthenticated attacker to cause the... |
| CVE-2025-4136 | 2025-04-30 | Weitong Mall Sale Endpoint improper authorization |
| CVE-2025-27611 | 2025-04-30 | base-x homograph attack allows Unicode lookalike characters to bypass validation. |
| CVE-2024-6029 | 2025-04-30 | Tesla Model S Iris Modem Race Condition Firewall Bypass Vulnerability |
| CVE-2024-6031 | 2025-04-30 | Tesla Model S oFono AT Command Heap-based Buffer Overflow Code Execution Vulnerability |
| CVE-2024-13943 | 2025-04-30 | Tesla Model S Iris Modem QCMAP_ConnectionManager Improper Input Validation Sandbox Escape Vulnerability |
| CVE-2024-6030 | 2025-04-30 | Tesla Model S oFono Unnecessary Privileges Sandbox Escape Vulnerability |
| CVE-2024-6032 | 2025-04-30 | Tesla Model S Iris Modem ql_atfwd Command Injection Code Execution Vulnerability |
| CVE-2025-2082 | 2025-04-30 | Tesla Model 3 VCSEC Integer Overflow Remote Code Execution Vulnerability |
| CVE-2025-4139 | 2025-04-30 | Netgear EX6120 fwAcosCgiInbound buffer overflow |
| CVE-2025-24132 | 2025-04-30 | The issue was addressed with improved memory handling. This issue is fixed in AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, CarPlay Communication Plug-in R18.1. An attacker on the local... |
| CVE-2025-30422 | 2025-04-30 | A buffer overflow was addressed with improved input validation. This issue is fixed in AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, CarPlay Communication Plug-in R18.1. An attacker on the... |
| CVE-2022-27562 | 2025-04-30 | HCL Domino Volt is affected by an unrestricted upload of a dangerous file type |
| CVE-2022-42449 | 2025-04-30 | HCL Domino Volt is affected by an unrestricted upload of a dangerous file type |
| CVE-2022-42450 | 2025-04-30 | HCL Domino Volt is affected by Cross-site scripting (XSS) |
| CVE-2023-37517 | 2025-04-30 | HCL Domino Volt and Domino Leap are affected by missing "no cache" headers |
| CVE-2023-37535 | 2025-04-30 | HCL Domino Volt and Domino Leap are affected by a Cross-site scripting (XSS) vulnerability |
| CVE-2023-45721 | 2025-04-30 | HCL Domino Volt and Domino Leap are affected by a disclosure of private personal information vulnerability |
| CVE-2024-30115 | 2025-04-30 | HCL Domino Volt and Domino Leap are affected by a cross-site scripting (XSS) vulnerability |
| CVE-2024-30145 | 2025-04-30 | HCL Domino Volt and Domino Leap are affected by a cross-site scripting (XSS) vulnerability |
| CVE-2024-30146 | 2025-04-30 | HCL Domino Leap is affected by improper access control |
| CVE-2025-4140 | 2025-04-30 | Netgear EX6120 sub_30394 buffer overflow |
| CVE-2025-4141 | 2025-04-30 | Netgear EX6200 sub_3C03C buffer overflow |
| CVE-2025-4142 | 2025-04-30 | Netgear EX6200 sub_3C8EC buffer overflow |
| CVE-2024-48905 | 2025-05-01 | Sematell ReplyOne 7.4.3.0 has Insecure Permissions for the /rest/sessions endpoint. |
| CVE-2024-48906 | 2025-05-01 | Sematell ReplyOne 7.4.3.0 allows XSS via a ReplyDesk e-mail attachment name. |
| CVE-2024-48907 | 2025-05-01 | Sematell ReplyOne 7.4.3.0 allows SSRF via the application server API. |
| CVE-2025-32881 | 2025-05-01 | An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. By default, the GID is the user's phone number unless they specifically opt out. A phone... |
| CVE-2025-32882 | 2025-05-01 | An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app uses a custom implementation of encryption without any additional integrity checking mechanisms. This leaves... |
| CVE-2025-32884 | 2025-05-01 | An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. By default, a GID is the user's phone number unless they specifically opt out. A phone... |
| CVE-2025-32885 | 2025-05-01 | An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app there makes it possible to inject any custom message (into existing v1 networks) with... |
| CVE-2025-32886 | 2025-05-01 | An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. All packets sent over RF are also sent over UART with USB Shell, allowing someone with... |
| CVE-2025-32887 | 2025-05-01 | An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. A command channel includes the next hop. which can be intercepted and used to break frequency... |
| CVE-2025-32888 | 2025-05-01 | An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The verification token used for sending SMS through a goTenna server is hardcoded in the app. |
| CVE-2025-32889 | 2025-05-01 | An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The verification token used for sending SMS through a goTenna server is hardcoded in the app. |
| CVE-2025-32890 | 2025-05-01 | An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. It uses a custom implementation of encryption without any additional integrity checking mechanisms. This leaves messages... |
| CVE-2025-44835 | 2025-05-01 | D-Link DIR-816 A2V1.1.0B05 was found to contain a command injection in iptablesWebsFilterRun, which allows remote attackers to execute arbitrary commands via shell. |
| CVE-2025-44836 | 2025-05-01 | TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the setApRebootScheCfg function via the hour or minute parameters. This vulnerability allows attackers to execute arbitrary commands... |
| CVE-2025-44837 | 2025-05-01 | TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the url or magicid parameters. This vulnerability allows attackers to execute arbitrary commands... |
| CVE-2025-44838 | 2025-05-01 | TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the setUploadUserData function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a... |
| CVE-2025-44839 | 2025-05-01 | TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the magicid parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44840 | 2025-05-01 | TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the svn parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44841 | 2025-05-01 | TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the version parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44842 | 2025-05-01 | TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the msg_process function via the Port parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44843 | 2025-05-01 | TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44844 | 2025-05-01 | TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the setUpgradeFW function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44845 | 2025-05-01 | TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the NTPSyncWithHost function via the hostTime parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44846 | 2025-05-01 | TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the recvUpgradeNewFw function via the fwUrl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44847 | 2025-05-01 | TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44848 | 2025-05-01 | TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the msg_process function via the Url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44854 | 2025-05-01 | TOTOLINK CP900 V6.3c.1144_B20190715 was found to contain a command injection vulnerability in the setUpgradeUboot function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44860 | 2025-05-01 | TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the msg_process function via the Port parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44861 | 2025-05-01 | TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44862 | 2025-05-01 | TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the recvUpgradeNewFw function via the fwUrl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44863 | 2025-05-01 | TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the msg_process function via the Url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44864 | 2025-05-01 | Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the module parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44865 | 2025-05-01 | Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the enable parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44866 | 2025-05-01 | Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the level parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-44867 | 2025-05-01 | Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetNetCheckTools function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-46625 | 2025-05-01 | Lack of input validation/sanitization in the 'setLanCfg' API endpoint in httpd in the Tenda RX2 Pro 16.03.30.14 allows a remote attacker that is authorized to the web management portal to... |
| CVE-2025-46626 | 2025-05-01 | Reuse of a static AES key and initialization vector for encrypted traffic to the 'ate' management service of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt, replay, and/or... |
| CVE-2025-46627 | 2025-05-01 | Use of weak credentials in the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated attacker to authenticate to the telnet service by calculating the root password based on easily-obtained device information.... |
| CVE-2025-46628 | 2025-05-01 | Lack of input validation/sanitization in the 'ate' management service in the Tenda RX2 Pro 16.03.30.14 allows an unauthorized remote attacker to gain root shell access to the device by sending... |
| CVE-2025-46629 | 2025-05-01 | Lack of access controls in the 'ate' management binary of the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated remote attacker to perform unauthorized configuration changes for any router where 'ate'... |
| CVE-2025-46630 | 2025-05-01 | Improper access controls in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated remote attacker to enable 'ate' (a remote system management binary) by sending a... |
| CVE-2025-46631 | 2025-05-01 | Improper access controls in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated remote attacker to enable telnet access to the router's OS by sending a... |
| CVE-2025-46632 | 2025-05-01 | Initialization vector (IV) reuse in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an attacker to discern information about or more easily decrypt encrypted messages between... |
| CVE-2025-46633 | 2025-05-01 | Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the... |
| CVE-2025-46634 | 2025-05-01 | Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an unauthenticated attacker to authenticate to the web management portal by collecting... |
| CVE-2025-46635 | 2025-05-01 | An issue was discovered on Tenda RX2 Pro 16.03.30.14 devices. Improper network isolation between the guest Wi-Fi network and other network interfaces on the router allows an attacker (who is... |
| CVE-2025-47153 | 2025-05-01 | Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on... |
| CVE-2025-47154 | 2025-05-01 | LibJS in Ladybird before f5a6704 mishandles the freeing of the vector that arguments_list references, leading to a use-after-free, and allowing remote attackers to execute arbitrary code via a crafted .js... |
| CVE-2025-4145 | 2025-05-01 | Netgear EX6200 sub_3D0BC buffer overflow |
| CVE-2025-4143 | 2025-05-01 | Missing validation of redirect_uri on authorize endpoint |
| CVE-2025-4144 | 2025-05-01 | PKCE bypass via downgrade attack |
| CVE-2025-4146 | 2025-05-01 | Netgear EX6200 sub_41940 buffer overflow |
| CVE-2025-4147 | 2025-05-01 | Netgear EX6200 sub_47F7C buffer overflow |
| CVE-2025-2816 | 2025-05-01 | Page View Count 2.8.0 - 2.8.4 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update |
| CVE-2025-4148 | 2025-05-01 | Netgear EX6200 sub_503FC buffer overflow |
| CVE-2025-1305 | 2025-05-01 | NewsBlogger <= 0.2.5.4 - Cross-Site Request Forgery to Arbitrary Plugin Installation |
| CVE-2025-1304 | 2025-05-01 | NewsBlogger <= 0.2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload |
| CVE-2025-2168 | 2025-05-01 | Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider <= 2.4.1 - Cross-Site Request Forgery to Limited User Meta Update |
| CVE-2025-4149 | 2025-05-01 | Netgear EX6200 sub_54014 buffer overflow |
| CVE-2025-4099 | 2025-05-01 | List Children <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2024-13845 | 2025-05-01 | Gravity Forms WebHooks <= 1.6.0 - Authenticated (Admin+) Server-Side Request Forgery via Webhook |
| CVE-2025-3952 | 2025-05-01 | Projectopia – WordPress Project Management <= 5.1.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion |
| CVE-2025-4150 | 2025-05-01 | Netgear EX6200 sub_54340 buffer overflow |
| CVE-2025-4151 | 2025-05-01 | PHPGurukul Curfew e-Pass Management System pass-bwdates-reports-details.php sql injection |
| CVE-2024-13381 | 2025-05-01 | Calculated Fields Form < 5.2.62 - Admin+ Stored XSS |
| CVE-2025-3502 | 2025-05-01 | WP Maps < 4.7.2 - Admin+ Stored XSS |
| CVE-2025-3503 | 2025-05-01 | WP Maps < 4.7.2 - Admin+ Stored XSS |
| CVE-2025-3504 | 2025-05-01 | WP Maps < 4.7.2 - Admin+ Stored XSS |