Total
286780 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-19321 | 1 Gigabyte | 4 Aorus Graphics Engine, App Center, Oc Guru Ii and 1 more | 2025-03-14 | 7.8 High |
| The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 expose functionality to read and write arbitrary physical memory. This could be leveraged by a local attacker to elevate privileges. | ||||
| CVE-2018-19320 | 1 Gigabyte | 4 Aorus Graphics Engine, App Center, Oc Guru Ii and 1 more | 2025-03-14 | 7.8 High |
| The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system. | ||||
| CVE-2018-1000861 | 2 Jenkins, Redhat | 3 Jenkins, Openshift, Openshift Container Platform | 2025-03-14 | 9.8 Critical |
| A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. | ||||
| CVE-2018-19410 | 1 Paessler | 1 Prtg Network Monitor | 2025-03-14 | 9.8 Critical |
| PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users with read-write privileges (including administrator). A remote unauthenticated user can craft an HTTP request and override attributes of the 'include' directive in /public/login.htm and perform a Local File Inclusion attack, by including /api/addusers and executing it. By providing the 'id' and 'users' parameters, an unauthenticated attacker can create a user with read-write privileges (including administrator). | ||||
| CVE-2025-26411 | 2025-03-14 | 8.8 High | ||
| An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker needs a valid user account on the Wattsense web interface to be able to conduct this attack. This issue is fixed in recent firmware versions BSP >= 6.1.0. | ||||
| CVE-2025-25064 | 2025-03-14 | 8.8 High | ||
| SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata. | ||||
| CVE-2025-1984 | 2025-03-14 | 5.2 Medium | ||
| Xerox Desktop Print Experience application contains a Local Privilege Escalation (LPE) vulnerability, which allows a low-privileged user to gain SYSTEM-level access. | ||||
| CVE-2025-0442 | 2025-03-14 | 6.5 Medium | ||
| Inappropriate implementation in Payments in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2024-57722 | 2025-03-14 | 7.5 High | ||
| lunasvg v3.0.0 was discovered to contain a allocation-size-too-big bug via the component plutovg_surface_create. | ||||
| CVE-2024-57034 | 1 Wegia | 1 Wegia | 2025-03-14 | 9.8 Critical |
| WeGIA < 3.2.0 is vulnerable to SQL Injection in query_geracao_auto.php via the query parameter. | ||||
| CVE-2024-54446 | 2025-03-14 | N/A | ||
| Document history functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. | ||||
| CVE-2024-54445 | 2025-03-14 | N/A | ||
| Login functionality contains a blind SQL injection that can be exploited by unauthenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. | ||||
| CVE-2024-40812 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-03-14 | 7.8 High |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, visionOS 1.3, macOS Sonoma 14.6. A shortcut may be able to bypass Internet permission requirements. | ||||
| CVE-2024-40725 | 1 Apache | 1 Http Server | 2025-03-14 | 5.3 Medium |
| A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue. | ||||
| CVE-2024-40602 | 1 Mediawiki | 1 Mediawiki | 2025-03-14 | 6.1 Medium |
| An issue was discovered in the Tempo skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. | ||||
| CVE-2024-40531 | 1 Uab Lexita | 2 Panteracrm Cms, Patera Crm Cms | 2025-03-14 | 8.8 High |
| A mass assignment vulnerability exists in Pantera CRM versions 401.152 and 402.072. This flaw allows authenticated users to modify any user attribute, including roles, by injecting additional parameters via profile management functions. | ||||
| CVE-2024-3368 | 1 Aioseo | 1 All In One Seo | 2025-03-14 | 6.1 Medium |
| The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2024-39676 | 1 Apache | 1 Pinot | 2025-03-14 | 7.5 High |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot. This issue affects Apache Pinot: from 0.1 before 1.0.0. Users are recommended to upgrade to version 1.0.0 and configure RBAC, which fixes the issue. Details: When using a request to path “/appconfigs” to the controller, it can lead to the disclosure of sensitive information such as system information (e.g. arch, os version), environment information (e.g. maxHeapSize) and Pinot configurations (e.g. zookeeper path). This issue was addressed by the Role-based Access Control https://docs.pinot.apache.org/operators/tutorials/authentication/basic-auth-access-control , so that /appConfigs` and all other APIs can be access controlled. Only authorized users have access to it. Note the user needs to add the admin role accordingly to the RBAC guide to control access to this endpoint, and in the future version of Pinot, a default admin role is planned to be added. | ||||
| CVE-2024-33436 | 2025-03-14 | 5.3 Medium | ||
| An issue in CSS Exfil Protection v.1.1.0 allows a remote attacker to obtain sensitive information due to missing support for CSS variables | ||||
| CVE-2024-27983 | 2 Nodejs, Redhat | 7 Nodejs, Enterprise Linux, Rhel Aus and 4 more | 2025-03-14 | 7.5 High |
| An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition. | ||||