Export limit exceeded: 18577 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10532 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-27730 | 1 Friendica | 1 Friendica | 2025-06-04 | 9.8 Critical |
| Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature. | ||||
| CVE-2024-56655 | 1 Linux | 1 Linux Kernel | 2025-06-04 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not defer rule destruction via call_rcu nf_tables_chain_destroy can sleep, it can't be used from call_rcu callbacks. Moreover, nf_tables_rule_release() is only safe for error unwinding, while transaction mutex is held and the to-be-desroyed rule was not exposed to either dataplane or dumps, as it deactives+frees without the required synchronize_rcu() in-between. nft_rule_expr_deactivate() callbacks will change ->use counters of other chains/sets, see e.g. nft_lookup .deactivate callback, these must be serialized via transaction mutex. Also add a few lockdep asserts to make this more explicit. Calling synchronize_rcu() isn't ideal, but fixing this without is hard and way more intrusive. As-is, we can get: WARNING: .. net/netfilter/nf_tables_api.c:5515 nft_set_destroy+0x.. Workqueue: events nf_tables_trans_destroy_work RIP: 0010:nft_set_destroy+0x3fe/0x5c0 Call Trace: <TASK> nf_tables_trans_destroy_work+0x6b7/0xad0 process_one_work+0x64a/0xce0 worker_thread+0x613/0x10d0 In case the synchronize_rcu becomes an issue, we can explore alternatives. One way would be to allocate nft_trans_rule objects + one nft_trans_chain object, deactivate the rules + the chain and then defer the freeing to the nft destroy workqueue. We'd still need to keep the synchronize_rcu path as a fallback to handle -ENOMEM corner cases though. | ||||
| CVE-2024-45033 | 1 Apache | 1 Apache-airflow-providers-fab | 2025-06-03 | 8.1 High |
| Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from CVE-2023-40273 https://github.com/advisories/GHSA-pm87-24wq-r8w9 which was addressed in Apache-Airflow 2.7.0 Users are recommended to upgrade to version 1.5.2, which fixes the issue. | ||||
| CVE-2023-50342 | 1 Hcltech | 1 Dryice Myxalytics | 2025-06-03 | 7.1 High |
| HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability. A user can obtain certain details about another user as a result of improper access control. | ||||
| CVE-2023-45718 | 1 Hcltech | 1 Sametime | 2025-06-03 | 3.9 Low |
| Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. | ||||
| CVE-2023-45190 | 1 Ibm | 1 Engineering Lifecycle Optimization | 2025-06-03 | 5.1 Medium |
| IBM Engineering Lifecycle Optimization 7.0.2 and 7.0.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 268754. | ||||
| CVE-2022-2913 | 1 Login No Captcha Recaptcha Project | 1 Login No Captcha Recaptcha | 2025-06-03 | 4.3 Medium |
| The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. | ||||
| CVE-2025-5183 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-06-03 | 3.5 Low |
| A vulnerability was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as problematic. This issue affects some unknown processing of the component Header Handler. The manipulation of the argument Host leads to open redirect. The attack may be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-5182 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-06-03 | 4.3 Medium |
| A vulnerability has been found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as critical. This vulnerability affects unknown code of the component Listing Handler. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-5181 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-06-03 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. This affects an unknown part of the file /spgpm/updateListing. The manipulation of the argument spgLsTitle leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2023-50345 | 1 Hcltech | 1 Dryice Myxalytics | 2025-06-03 | 3.7 Low |
| HCL DRYiCE MyXalytics is impacted by an Open Redirect vulnerability which could allow an attacker to redirect users to malicious sites, potentially leading to phishing attacks or other security threats. | ||||
| CVE-2023-49394 | 1 Easycorp | 1 Zentao | 2025-06-03 | 6.1 Medium |
| Zentao versions 4.1.3 and before has a URL redirect vulnerability, which prevents the system from functioning properly. | ||||
| CVE-2024-0186 | 1 Huiran Host Reseller System Project | 1 Huiran Host Reseller System | 2025-06-03 | 3.7 Low |
| A vulnerability classified as problematic has been found in HuiRan Host Reseller System up to 2.0.0. Affected is an unknown function of the file /user/index/findpass?do=4 of the component HTTP POST Request Handler. The manipulation leads to weak password recovery. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249444. | ||||
| CVE-2025-47226 | 1 Snipeitapp | 1 Snipe-it | 2025-06-03 | 5 Medium |
| Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information. | ||||
| CVE-2024-21641 | 1 Flarum | 1 Flarum | 2025-06-03 | 6.5 Medium |
| Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. The vulnerability has been fixed and published as flarum/core v1.8.5. As a workaround, some extensions modifying the logout route can remedy this issue if their implementation is safe. | ||||
| CVE-2024-0264 | 1 Oretnom23 | 1 Clinic Queuing System | 2025-06-03 | 7.3 High |
| A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /LoginRegistration.php. The manipulation of the argument formToken leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249820. | ||||
| CVE-2024-0350 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2025-06-03 | 3.1 Low |
| A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-250118 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-45139 | 1 Fonttools | 1 Fonttools | 2025-06-03 | 7.5 High |
| fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0. | ||||
| CVE-2024-43033 | 2 Jpress, Microsoft | 2 Jpress, Windows | 2025-06-03 | 8.8 High |
| JPress through 5.1.1 on Windows has an arbitrary file upload vulnerability that could cause arbitrary code execution via ::$DATA to AttachmentController, such as a .jsp::$DATA file to io.jpress.web.commons.controller.AttachmentController#upload. NOTE: this is unrelated to the attack vector for CVE-2024-32358. | ||||
| CVE-2024-21597 | 1 Juniper | 1 Junos | 2025-06-03 | 5.3 Medium |
| An Exposure of Resource to Wrong Sphere vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the intended access restrictions. In an Abstracted Fabric (AF) scenario if routing-instances (RI) are configured, specific valid traffic destined to the device can bypass the configured lo0 firewall filters as it's received in the wrong RI context. This issue affects Juniper Networks Junos OS on MX Series: * All versions earlier than 20.4R3-S9; * 21.2 versions earlier than 21.2R3-S3; * 21.4 versions earlier than 21.4R3-S5; * 22.1 versions earlier than 22.1R3; * 22.2 versions earlier than 22.2R3; * 22.3 versions earlier than 22.3R2. | ||||