Total
3244 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-30208 | 2025-03-24 | 5.3 Medium | ||
| Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue. | ||||
| CVE-2025-2687 | 1 Janobe | 1 Elearning System | 2025-03-24 | 6.3 Medium |
| A vulnerability classified as critical has been found in PHPGurukul eLearning System 1.0. Affected is an unknown function of the file /user/index.php of the component Image Handler. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-1343 | 1 Laborofficefree | 1 Laborofficefree | 2025-03-24 | 4.7 Medium |
| A weak permission was found in the backup directory in LaborOfficeFree affecting version 19.10. This vulnerability allows any authenticated user to read backup files in the directory '%programfiles(x86)% LaborOfficeFree BackUp'. | ||||
| CVE-2025-2671 | 2025-03-24 | 6.3 Medium | ||
| A vulnerability was found in Yue Lao Blind Box 月老盲盒 up to 4.0. It has been declared as critical. This vulnerability affects the function base64image of the file /app/controller/Upload.php. The manipulation of the argument data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2686 | 2025-03-24 | 6.5 Medium | ||
| A vulnerability has been found in mingyuefusu 明月复苏 tushuguanlixitong 图书管理系统 up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 and classified as critical. Affected by this vulnerability is the function doFilter of the file /admin/ of the component Backend. The manipulation of the argument Request leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2607 | 2025-03-24 | 6.3 Medium | ||
| A vulnerability was found in phplaozhang LzCMS-LaoZhangBoKeXiTong up to 1.1.4. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/upload/upimage.html of the component HTTP POST Request Handler. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-54559 | 1 Apple | 1 Macos | 2025-03-24 | 5.5 Medium |
| The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2. An app may be able to access sensitive user data. | ||||
| CVE-2024-54565 | 1 Apple | 1 Macos | 2025-03-24 | 6.2 Medium |
| The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2. An app may be able to access sensitive user data. | ||||
| CVE-2025-2688 | 2025-03-24 | 4.3 Medium | ||
| A vulnerability classified as problematic was found in TOTOLINK A3000RU up to 5.9c.5185. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/ExportSyslog.sh of the component Syslog Configuration File Handler. The manipulation leads to improper access controls. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2702 | 2025-03-24 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in Softwin WMX3 3.1. This issue affects the function ImageAdd of the file /ImageAdd.ashx. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-26645 | 2025-03-23 | 8.8 High | ||
| Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2025-24994 | 2025-03-23 | 7.3 High | ||
| Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-24076 | 2025-03-23 | 7.3 High | ||
| Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2024-56898 | 2025-03-22 | 8.8 High | ||
| Broken access control vulnerability in Geovision GV-ASWeb with version v6.1.0.0 or less. This vulnerability allows low privilege users perform actions that they aren't authorized to, which can be leveraged to escalate privileges, create, modify or delete accounts. | ||||
| CVE-2025-20144 | 2025-03-21 | 4 Medium | ||
| A vulnerability in the hybrid access control list (ACL) processing of IPv4 packets in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incorrect handling of packets when a specific configuration of the hybrid ACL exists. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass a configured ACL on the affected device. For more information, see the section of this advisory. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. | ||||
| CVE-2022-46754 | 1 Dell | 1 Wyse Management Suite | 2025-03-21 | 8.7 High |
| Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A authenticated malicious admin user might access certain pro license features for which this admin is not authorized in order to configure user controlled external entities. | ||||
| CVE-2025-25500 | 2025-03-21 | 7.5 High | ||
| An issue in CosmWasm prior to v2.2.0 allows attackers to bypass capability restrictions in blockchains by exploiting a lack of runtime capability validation. This allows attackers to deploy a contract without capability enforcement, and execute unauthorized actions on the blockchain. | ||||
| CVE-2025-30132 | 2025-03-21 | 9.1 Critical | ||
| An issue was discovered on IROAD Dashcam V devices. It uses an unregistered public domain name as an internal domain, creating a security risk. During analysis, it was found that this domain was not owned by IROAD, allowing an attacker to register it and potentially intercept sensitive device traffic. If the dashcam or related services attempt to resolve this domain over the public Internet instead of locally, it could lead to data exfiltration or man-in-the-middle attacks. | ||||
| CVE-2023-31346 | 2 Amd, Redhat | 128 Epyc 7203 Firmware, Epyc 7203p, Epyc 7203p Firmware and 125 more | 2025-03-20 | 6 Medium |
| Failure to initialize memory in SEV Firmware may allow a privileged attacker to access stale data from other guests. | ||||
| CVE-2025-2557 | 2025-03-20 | 5.5 Medium | ||
| A vulnerability, which was classified as critical, has been found in Audi UTR Dashcam 2.0. Affected by this issue is some unknown functionality of the component Command API. The manipulation leads to improper access controls. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. Upgrading to version 2.89 and 2.90 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about these issues and acted very professional. Version 2.89 is fixing this issue for new customers and 2.90 is going to fix it for existing customers. | ||||