Export limit exceeded: 344008 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344008 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-7205 | 1 Kentico | 1 Xperience | 2025-12-19 | N/A |
| Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout | ||||
| CVE-2021-46163 | 1 Kentico | 1 Xperience | 2025-12-19 | 6.1 Medium |
| Kentico Xperience 13.0.44 allows XSS via an XML document to the Media Libraries subsystem. | ||||
| CVE-2022-32387 | 1 Kentico | 1 Xperience | 2025-12-19 | 7.5 High |
| In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler. | ||||
| CVE-2022-29287 | 1 Kentico | 1 Xperience | 2025-12-19 | 4.9 Medium |
| Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights (default is Administrator) to export the user options of any user, even ones with higher privileges (like Global Administrators) than the current user. The exported XML contains every option of the exported user (even the hashed password). | ||||
| CVE-2019-19493 | 1 Kentico | 1 Xperience | 2025-12-19 | 5.4 Medium |
| Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS. | ||||
| CVE-2020-24794 | 1 Kentico | 1 Xperience | 2025-12-19 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in Kentico before 12.0.75. | ||||
| CVE-2019-10068 | 1 Kentico | 1 Xperience | 2025-12-19 | 9.8 Critical |
| An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted. | ||||
| CVE-2019-12102 | 1 Kentico | 1 Xperience | 2025-12-19 | N/A |
| Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library permissions correctly. The vendor states that by default all users can read/modify/upload files, and it’s up to the administrator to decide who should have access to the media library and set the permissions accordingly. See the vendor documentation in the references for more information | ||||
| CVE-2019-6242 | 1 Kentico | 1 Xperience | 2025-12-19 | N/A |
| Kentico v10.0.42 allows Global Administrators to read the cleartext SMTP Password by navigating to the SMTP configuration page. NOTE: the vendor considers this a best-practice violation but not a vulnerability. The vendor plans to fix it at a future time | ||||
| CVE-2023-29144 | 2 Linux, Malwarebytes | 2 Linux, Malwarebytes | 2025-12-19 | 3.3 Low |
| Malwarebytes 1.0.14 for Linux doesn't properly compute signatures in some scenarios. This allows a bypass of detection. | ||||
| CVE-2025-67344 | 1 Jishenghua | 1 Jsherp | 2025-12-19 | 4.6 Medium |
| jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint. | ||||
| CVE-2025-67341 | 1 Jishenghua | 1 Jsherp | 2025-12-19 | 4.6 Medium |
| jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users. | ||||
| CVE-2025-34442 | 1 Wwbn | 1 Avideo | 2025-12-19 | 7.5 High |
| AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains. | ||||
| CVE-2025-34441 | 1 Wwbn | 1 Avideo | 2025-12-19 | 7.5 High |
| AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations. | ||||
| CVE-2025-34440 | 1 Wwbn | 1 Avideo | 2025-12-19 | 6.1 Medium |
| AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks. | ||||
| CVE-2025-34439 | 1 Wwbn | 1 Avideo | 2025-12-19 | 6.1 Medium |
| AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks. | ||||
| CVE-2025-34434 | 1 Wwbn | 1 Avideo | 2025-12-19 | 9.1 Critical |
| AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video. | ||||
| CVE-2025-34435 | 1 Wwbn | 1 Avideo | 2025-12-19 | 6.5 Medium |
| AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video. | ||||
| CVE-2025-34436 | 1 Wwbn | 1 Avideo | 2025-12-19 | 8.8 High |
| AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks. | ||||
| CVE-2025-34438 | 1 Wwbn | 1 Avideo | 2025-12-19 | 8.1 High |
| AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video. | ||||