Total
347 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-32993 | 1 Jenkins | 1 Saml Single Sign On | 2025-01-23 | 4.8 Medium |
| Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections. | ||||
| CVE-2024-25996 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2025-01-23 | 5.3 Medium |
| An unauthenticated remote attacker can perform a remote code execution due to an origin validation error. The access is limited to the service user. | ||||
| CVE-2025-21497 | 2 Oracle, Redhat | 2 Mysql Server, Enterprise Linux | 2025-01-23 | 5.5 Medium |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). | ||||
| CVE-2025-21542 | 1 Oracle | 1 Communications Order And Service Management | 2025-01-22 | 6.3 Medium |
| Vulnerability in the Oracle Communications Order and Service Management product of Oracle Communications Applications (component: Security). Supported versions that are affected are 7.4.0, 7.4.1 and 7.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Order and Service Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Order and Service Management accessible data as well as unauthorized read access to a subset of Oracle Communications Order and Service Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Order and Service Management. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). | ||||
| CVE-2025-24010 | 2025-01-21 | 6.5 Medium | ||
| Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6. | ||||
| CVE-2024-26135 | 2 Meshcentral, Ylianst | 2 Meshcentral, Meshcentral | 2025-01-16 | 8.4 High |
| MeshCentral is a full computer management web site. Versions prior to 1.1.21 a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to `control.ashx` as the victim user within MeshCentral. Version 1.1.21 contains a patch for this issue. | ||||
| CVE-2023-2886 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2025-01-15 | 4.3 Medium |
| Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing Via Application API Manipulation.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | ||||
| CVE-2024-7322 | 2025-01-15 | 5.8 Medium | ||
| A ZigBee coordinator, router, or end device may change their node ID when an unsolicited encrypted rejoin response is received, this changeĀ in node ID causes Denial of Service (DoS). To recover from this DoS, the network must be re-established | ||||
| CVE-2023-23561 | 1 Stormshield | 1 Endpoint Security | 2025-01-14 | 5.5 Medium |
| Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control: authenticated users can read sensitive information. | ||||
| CVE-2023-29728 | 1 Applika | 1 Call Blocker | 2025-01-13 | 9.8 Critical |
| The Call Blocker application 6.6.3 for Android allows attackers to tamper with feature-related data, resulting in a severe elevation of privilege attack. | ||||
| CVE-2023-28349 | 2 Faronics, Microsoft | 2 Insight, Windows | 2025-01-13 | 8.8 High |
| An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a crafted program that functions similarly to the Teacher Console. This can compel Student Consoles to connect and put themselves at risk automatically. Connected Student Consoles can be compelled to write arbitrary files to arbitrary locations on disk with NT AUTHORITY/SYSTEM level permissions, enabling remote code execution. | ||||
| CVE-2023-30196 | 1 Webbax | 1 Salesbooster | 2025-01-13 | 7.5 High |
| Prestashop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php. | ||||
| CVE-2023-29745 | 1 Bestweather Project | 1 Bestweather | 2025-01-13 | 7.1 High |
| An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause a persistent denial of service attack by manipulating the database. | ||||
| CVE-2023-29743 | 1 Bestweather Project | 1 Bestweather | 2025-01-13 | 7.5 High |
| An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause a persistent denial of service attack by manipulating the database. | ||||
| CVE-2023-33740 | 2 Google, Luowice | 2 Android, Luowice | 2025-01-13 | 7.5 High |
| Incorrect access control in luowice v3.5.18 allows attackers to access cloud source code information via modification fo the Verify parameter in a warning message. | ||||
| CVE-2025-23109 | 2025-01-13 | 6.5 Medium | ||
| Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address This vulnerability affects Firefox for iOS < 134. | ||||
| CVE-2024-51072 | 2025-01-10 | 5.3 Medium | ||
| An issue in KIA Seltos vehicle instrument cluster with software and hardware v1.0 allows attackers to cause a Denial of Service (DoS) via ECU reset UDS service. NOTE: this is disputed by the Supplier because the findings came from a potentially unrealistic test environment (an isolated ECU part that was not in a vehicle), and because the ECUReset specification does not allow a manufacturer to require SecurityAccess and Authentication. | ||||
| CVE-2023-27745 | 1 Southrivertech | 1 Titan Ftp Server Nextgen | 2025-01-09 | 8.8 High |
| An issue in South River Technologies TitanFTP Before v2.0.1.2102 allows attackers with low-level privileges to perform Administrative actions by sending requests to the user server. | ||||
| CVE-2023-23601 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2025-01-09 | 6.5 Medium |
| Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7. | ||||
| CVE-2023-28164 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2025-01-09 | 6.5 Medium |
| Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. | ||||