Filtered by vendor
Subscriptions
Total
4510 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-27281 | 2 Redhat, Ruby | 2 Enterprise Linux, Rdoc | 2025-02-13 | 4.5 Medium |
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1. | ||||
CVE-2024-24294 | 1 Blackprint | 1 Blackprint Engine | 2025-02-13 | 9.8 Critical |
A Prototype Pollution issue in Blackprint @blackprint/engine v.0.9.0 allows an attacker to execute arbitrary code via the _utils.setDeepProperty function of engine.min.js. | ||||
CVE-2023-48643 | 1 Shrubbery | 3 Tac Plus 2x, Tac Plus 3x, Tac Plus 4x | 2025-02-13 | 9.8 Critical |
Shrubbery tac_plus 2.x, 3.x. and 4.x through F4.0.4.28 allows unauthenticated Remote Command Execution. The product allows users to configure authorization checks as shell commands through the tac_plus.cfg configuration file. These are executed when a client sends an authorization request with a username that has pre-authorization directives configured. However, it is possible to inject additional commands into these checks because strings from TACACS+ packets are used as command-line arguments. If the installation lacks a a pre-shared secret (there is no pre-shared secret by default), then the injection can be triggered without authentication. (The attacker needs to know a username configured to use a pre-authorization command.) NOTE: this is related to CVE-2023-45239 but the issue is in the original Shrubbery product, not Meta's fork. | ||||
CVE-2022-38745 | 2 Apache, Redhat | 2 Openoffice, Enterprise Linux | 2025-02-13 | 7.8 High |
Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory. | ||||
CVE-2024-10644 | 2025-02-13 | 9.1 Critical | ||
Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | ||||
CVE-2023-26817 | 1 Pgyer | 1 Codefever | 2025-02-13 | 8.8 High |
codefever before 2023.2.7-commit-b1c2e7f was discovered to contain a remote code execution (RCE) vulnerability via the component /controllers/api/user.php. | ||||
CVE-2025-25246 | 2025-02-12 | 8.1 High | ||
NETGEAR XR1000 before 1.0.0.74, XR1000v2 before 1.1.0.22, and XR500 before 2.3.2.134 allow remote code execution by unauthenticated users. | ||||
CVE-2025-24959 | 2025-02-12 | N/A | ||
zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through `dotenv.stringify` are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to `dotenv.stringify`. Specifically, avoid using `"`, `'`, and backticks in values, or enforce strict validation of environment variables before usage. | ||||
CVE-2025-0961 | 2025-02-12 | 3.5 Low | ||
A vulnerability, which was classified as problematic, has been found in code-projects Job Recruitment 1.0. Affected by this issue is some unknown functionality of the file /_parse/load_job-details.php. The manipulation of the argument business_stream_name/company_website_url leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2025-0971 | 2025-02-12 | 3.5 Low | ||
A vulnerability was found in Zenvia Movidesk up to 25.01.22. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /Account/EditProfile of the component Profile Editing. The manipulation of the argument username leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 25.01.22.245a473c54 is able to address this issue. It is recommended to upgrade the affected component. | ||||
CVE-2025-0972 | 2025-02-12 | 3.5 Low | ||
A vulnerability classified as problematic has been found in Zenvia Movidesk up to 25.01.22. This affects an unknown part of the component New Ticket Handler. The manipulation of the argument subject leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 25.01.22.245a473c54 is able to address this issue. It is recommended to upgrade the affected component. | ||||
CVE-2025-0794 | 2025-02-12 | 3.5 Low | ||
A vulnerability was found in ESAFENET CDG V5 and classified as problematic. Affected by this issue is some unknown functionality of the file /todoDetail.jsp. The manipulation of the argument curpage leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2025-0710 | 2025-02-12 | 3.5 Low | ||
A vulnerability classified as problematic has been found in CampCodes School Management Software 1.0. Affected is an unknown function of the file /notice-list of the component Notice Board Page. The manipulation of the argument Notice leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2025-0708 | 2025-02-12 | 3.5 Low | ||
A vulnerability was found in fumiao opencms 2.2. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/model/addOrUpdate of the component Add Model Management Page. The manipulation of the argument 模板前缀 leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2025-0530 | 2025-02-12 | 3.5 Low | ||
A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. This vulnerability affects unknown code of the file /_parse/_feedback_system.php. The manipulation of the argument type leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2021-22894 | 1 Ivanti | 1 Connect Secure | 2025-02-12 | 8.8 High |
A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room. | ||||
CVE-2020-8218 | 2 Ivanti, Pulsesecure | 3 Connect Secure, Policy Secure, Pulse Policy Secure | 2025-02-12 | 7.2 High |
A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface. | ||||
CVE-2020-8243 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-02-12 | 7.2 High |
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution. | ||||
CVE-2017-9822 | 1 Dnnsoftware | 1 Dotnetnuke | 2025-02-12 | 8.8 High |
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites." | ||||
CVE-2025-0795 | 2025-02-12 | 3.5 Low | ||
A vulnerability was found in ESAFENET CDG V5. It has been classified as problematic. This affects an unknown part of the file /todolistjump.jsp. The manipulation of the argument flowId leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |