Total
384 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-25260 | 1 Stimulsoft | 1 Designer | 2025-02-19 | 7.5 High |
| Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Local File Inclusion. | ||||
| CVE-2024-11629 | 1 Progress | 1 Telerik Document Processing Libraries | 2025-02-19 | 7.1 High |
| In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF. | ||||
| CVE-2024-3564 | 1 Vanderwijk | 1 Content Blocks | 2025-02-19 | 8.8 High |
| The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the plugin's 'content_block' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2023-23330 | 1 Amano | 1 Xoffice | 2025-02-18 | 7.5 High |
| amano Xparc parking solutions 7.1.3879 was discovered to be vulnerable to local file inclusion. | ||||
| CVE-2025-0509 | 2025-02-17 | 7.3 High | ||
| A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks. | ||||
| CVE-2023-1124 | 1 Wpeasycart | 1 Wp Easycart | 2025-02-14 | 7.2 High |
| The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks. | ||||
| CVE-2025-23421 | 2025-02-14 | 6.4 Medium | ||
| An attacker could obtain firmware files and reverse engineer their intended use leading to loss of confidentiality and integrity of the hardware devices enabled by the Qardio iOS and Android applications. | ||||
| CVE-2024-6911 | 2 Perkin Elmer, Perkinelmer | 2 Process Plus, Processplus | 2025-02-13 | 7.5 High |
| Files on the Windows system are accessible without authentication to external parties due to a local file inclusion in PerkinElmer ProcessPlus.This issue affects ProcessPlus: through 1.11.6507.0. | ||||
| CVE-2024-27894 | 1 Apache | 1 Pulsar | 2025-02-13 | 8.5 High |
| The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true". This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: "additionalEnabledConnectorUrlPatterns" and "additionalEnabledFunctionsUrlPatterns". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation. | ||||
| CVE-2024-23282 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-02-13 | 5.5 Medium |
| The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. A maliciously crafted email may be able to initiate FaceTime calls without user authorization. | ||||
| CVE-2024-2056 | 2025-02-13 | 9.8 Critical | ||
| Services that are running and bound to the loopback interface on the Artica Proxy are accessible through the proxy service. In particular, the "tailon" service is running, running as the root user, is bound to the loopback interface, and is listening on TCP port 7050. Security issues associated with exposing this network service are documented at gvalkov's 'tailon' GitHub repo. Using the tailon service, the contents of any file on the Artica Proxy can be viewed. | ||||
| CVE-2024-2055 | 1 Articatech | 1 Artica Proxy | 2025-02-13 | 9.8 Critical |
| The "Rich Filemanager" feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. | ||||
| CVE-2023-2976 | 2 Google, Redhat | 10 Guava, Amq Broker, Amq Streams and 7 more | 2025-02-13 | 5.5 Medium |
| Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. | ||||
| CVE-2023-29450 | 1 Zabbix | 1 Zabbix | 2025-02-13 | 8.5 High |
| JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data. | ||||
| CVE-2020-17519 | 1 Apache | 1 Flink | 2025-02-13 | 7.5 High |
| A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. | ||||
| CVE-2019-3811 | 4 Debian, Fedoraproject, Opensuse and 1 more | 5 Debian Linux, Fedora, Sssd and 2 more | 2025-02-13 | 5.2 Medium |
| A vulnerability was found in sssd. If a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot() etc. All versions before 2.1 are vulnerable. | ||||
| CVE-2023-27180 | 1 Gdidees | 1 Gdidees Cms | 2025-02-12 | 7.5 High |
| GDidees CMS v3.9.1 was discovered to contain a source code disclosure vulnerability by the backup feature which is accessible via /_admin/backup.php. | ||||
| CVE-2023-29080 | 2025-02-12 | N/A | ||
| Potential privilege escalation vulnerability in Revenera InstallShield versions 2022 R2 and 2021 R2 due to adding InstallScript custom action to a Basic MSI or InstallScript MSI project extracting few binaries to a predefined writable folder during installation time. The standard user account has write access to these files and folders, hence replacing them during installation time can lead to a DLL hijacking vulnerability. | ||||
| CVE-2025-1042 | 1 Gitlab | 1 Gitlab | 2025-02-12 | 4.9 Medium |
| An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way. | ||||
| CVE-2024-5045 | 1 Oretnom23 | 1 Online Birth Certificate Management System | 2025-02-10 | 5.3 Medium |
| A vulnerability was found in SourceCodester Online Birth Certificate Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin. The manipulation leads to files or directories accessible. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-264742 is the identifier assigned to this vulnerability. | ||||