The CVE-2025-4762 vulnerability allows an unauthenticated attacker to access arbitrary files in the document system of the eSigna product by manipulating file paths and object identifiers in the eSignaViewer component.
This vulnerability is a problem because it enables unauthorized access to sensitive documents and files, potentially leading to data breaches, intellectual property theft, and other security incidents.
The TicketBAI Facturas para WooCommerce plugin for WordPress has a vulnerability that allows attackers to delete any file on the server without needing to be authenticated, due to poor validation of file paths.
This vulnerability is a problem because it can lead to remote code execution: an attacker could delete critical files such as wp-config.php and then use the resulting access to run malicious code, potentially taking control of the entire server.
This vulnerability allows authenticated users with limited permissions to add guest users to a team in Mattermost, even if they only have permission to invite non-guest users, by exploiting an API weakness.
This vulnerability is a problem because it enables users to bypass permission controls, potentially leading to unauthorized access to sensitive information and teams, which can compromise the security and integrity of the system.
This vulnerability allows attackers to lock out external LDAP accounts by repeatedly attempting to log in to Mattermost with incorrect credentials, as the system fails to properly lock out LDAP users after multiple failed login attempts.
This vulnerability is a problem because it enables attackers to intentionally lock legitimate users out of their accounts, potentially disrupting business operations and causing denial-of-service conditions.
This vulnerability allows a remote attacker to change the settings of I-O DATA 'HDL-T Series' network attached hard disks without needing authentication, due to a missing authentication mechanism in firmware versions 1.21 and earlier.
This is a problem because it enables unauthorized access to the device's settings, potentially leading to data tampering, disruption of service, or other malicious activities, which can compromise the security and integrity of the data stored on the device.
This vulnerability allows a remote attacker to execute arbitrary OS commands on an I-O DATA network attached hard disk 'HDL-T Series' with firmware Ver.1.21 or earlier, when the 'Remote Link3 function' is enabled.
This is a significant issue because it enables unauthorized access and control over the device, potentially leading to data breaches, system compromise, or other malicious activities, all without requiring the attacker to have any authentication credentials.
The mobile application "com.transsion.aivoiceassistant" has an insufficient encryption vulnerability, which means that sensitive information transmitted or stored by the app may not be properly secured.
This vulnerability is a problem because it can lead to the leakage of sensitive information, potentially exposing users' personal data to unauthorized parties, and putting them at risk of identity theft, financial loss, or other malicious activities.
The CVE-2025-27525 vulnerability exposes sensitive information in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows, specifically affecting versions 12-00 before 12-00-08, 11-10 through 11-10-08, 11-00 through 11-00-05, and 10-50 through 10-50-06.
This vulnerability is a problem because it allows unauthorized access to sensitive information, which can be used for malicious purposes, potentially leading to data breaches, unauthorized system access, or other security threats.
The CVE-2025-27524 vulnerability allows attackers to exploit weak encryption in the Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows, potentially giving them access to sensitive data.
This vulnerability is a problem because it can compromise the security and confidentiality of sensitive information managed by the Smart Device Manager, putting users' data at risk of being intercepted, stolen, or modified.
The CVE-2025-27523 vulnerability is an XML External Entity (XXE) issue in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows, allowing attackers to potentially extract sensitive data or execute malicious code by manipulating XML files.
This vulnerability is a problem because it can be exploited by attackers to gain unauthorized access to sensitive information, disrupt system operations, or execute malicious code, ultimately compromising the security and integrity of the affected systems, particularly those running vulnerable versions of JP1/IT Desktop Management 2 - Smart Device Manager.
The CVE-2025-48027 vulnerability allows an attacker to bypass authentication in the HttpAuth plugin of pGina.Fork versions up to 3.9.9.12 by manipulating DNS resolution for the pginaloginserver.
This vulnerability is a problem because it enables unauthorized access to sensitive systems and data, potentially leading to data breaches, malicious activities, and other security threats.
The Responsive Lightbox & Gallery WordPress plugin has a vulnerability that allows users with contributor roles or higher to inject malicious code into pages or posts due to inadequate validation and escaping of certain attributes.
This vulnerability is a problem because it enables Stored Cross-Site Scripting (XSS) attacks, which can lead to unauthorized access, data theft, or malicious activities on the affected website.
The File Manager Advanced Shortcode WordPress plugin has a vulnerability that allows attackers with Administrator-level access to include and execute arbitrary JavaScript files on the server, using a specific shortcode.
This vulnerability is a problem because it can be used to bypass access controls, obtain sensitive data, or achieve code execution, potentially leading to unauthorized access and malicious activities on the server.
The CVE-2025-48024 vulnerability allows an authenticated regular user to access sensitive application secrets through the /api/v1/settings endpoint in BlueWave Checkmate versions before 2.1.
This vulnerability is a problem because it enables unauthorized access to sensitive information, which could be used to exploit the application or compromise its security, potentially leading to data breaches or other malicious activities.
The UiPress lite plugin for WordPress has a vulnerability that allows attackers to execute arbitrary code on the server by exploiting the uip_process_form_input() function, which takes user-supplied inputs without proper capability checks.
This vulnerability is a problem because it enables authenticated attackers with minimal access (Subscriber-level and above) to gain control over the server, potentially leading to data breaches, malware distribution, and other malicious activities, due to the lack of input validation and capability checks.
The Weluka Lite plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages using a specific shortcode, potentially executing arbitrary web scripts when a user accesses the infected page.
This vulnerability is a problem because it enables authenticated attackers with contributor-level access or higher to inject harmful scripts, potentially stealing user data, taking control of user sessions, or spreading malware, which can compromise the security and integrity of the WordPress site.
The Bon Toolkit plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages using a specific shortcode, due to poor input validation and sanitization. This enables them to execute arbitrary web scripts whenever a user visits the compromised page.
This vulnerability is a problem because it allows authenticated attackers with contributor-level access or higher to inject malicious code, potentially leading to unauthorized actions, data theft, or further exploitation of the website.
The EG-Series plugin for WordPress has a vulnerability that allows attackers to inject arbitrary JavaScript code into a webpage via the plugin's shortcode, which can execute when a user accesses the infected page.
This vulnerability is a problem because it enables authenticated attackers with contributor-level access or higher to inject malicious code, potentially leading to unauthorized actions, data theft, or other security breaches, especially on sites using the Classic Editor plugin.
The 百度站长SEO合集 plugin for WordPress allows unauthorized users to upload any type of file to the site's server due to a lack of file type validation, potentially enabling remote code execution.
This vulnerability is a problem because it enables attackers to upload malicious files, which could lead to taking control of the site, stealing sensitive data, or spreading malware, resulting in significant security breaches and damage.
The WP Content Security Plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into website pages by exploiting insufficient input sanitization and output escaping in the blocked-uri and effective-directive parameters.
This vulnerability is a problem because it enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses the infected page, potentially leading to unauthorized actions, data theft, or further malware infections.
This vulnerability allows an attacker to inject a malicious script into a web page in Label Studio, a data labeling and annotation tool, by sending a specially formatted request to a specific endpoint, potentially leading to unauthorized actions.
This vulnerability is a problem because it can result in serious consequences such as data theft, session hijacking, and unauthorized actions on behalf of the user, compromising the security and integrity of the system and its users.
The CVE-2025-46836 vulnerability affects the net-tools package in Linux, specifically network utilities such as ifconfig, which do not properly validate the structure of /proc files when displaying interfaces, allowing possible arbitrary code execution or a crash due to a buffer overflow.
This vulnerability is a problem because it can be exploited by an attacker to potentially execute arbitrary code or crash the system, without requiring any special privileges, although it does not provide privilege escalation.
This vulnerability is a race-condition issue in Next.js, a React framework for building web applications, where certain misconfigurations can cause normal endpoints to serve sensitive `pageProps` data instead of standard HTML.
This vulnerability is a problem because it can potentially expose sensitive data to unauthorized users, compromising the security and integrity of the application, especially for self-hosted Next.js deployments.
This vulnerability allows an authenticated user to potentially gain higher privileges on a system through local access, due to incorrect default permissions in some Intel Gaudi software installers before version 1.18.
This is a problem because it could enable an attacker to escalate their privileges, potentially leading to unauthorized access to sensitive data or systems, and allowing them to perform malicious actions that could compromise the security and integrity of the system.
This vulnerability allows attackers to inject malicious code into a website by manipulating the username field during the login process, potentially enabling them to execute arbitrary web scripts or HTML.
This vulnerability is a problem because it enables attackers to hijack user sessions, steal sensitive information, or take control of the user's account, which can lead to unauthorized access, data breaches, or other malicious activities.
This vulnerability allows attackers to inject malicious scripts or HTML code into a website by exploiting a flaw in the OA System, specifically in the outtype parameter of the AddrController.java file, which can lead to the execution of arbitrary web scripts.
This vulnerability is a problem because it enables attackers to execute malicious code on a user's browser, potentially stealing sensitive information, taking control of user sessions, or performing other malicious actions, compromising the security and integrity of the system and its users.
This vulnerability allows attackers to inject malicious scripts or code into a website by manipulating the password parameter in the OA System's MailController, potentially leading to the execution of arbitrary web scripts or HTML.
This vulnerability is a problem because it enables attackers to execute malicious code on a user's browser, potentially stealing sensitive information, hijacking user sessions, or performing other malicious activities, which can compromise the security and integrity of the system and its users.
This vulnerability allows attackers to inject malicious code into a website by manipulating the title parameter in a specific URL, potentially leading to the execution of arbitrary web scripts or HTML.
This vulnerability is a problem because it enables attackers to execute malicious code on a user's browser, potentially stealing sensitive information, hijacking user sessions, or taking control of the user's account.
This vulnerability allows attackers to inject malicious scripts or HTML code into a website by manipulating the title parameter in a specific controller, potentially leading to the execution of arbitrary web scripts.
This vulnerability is a problem because it enables attackers to execute malicious code on a user's browser, potentially stealing sensitive information, taking control of the user's session, or performing other malicious actions.
The Jenkins WSO2 Oauth Plugin version 1.0 and earlier has a vulnerability that allows attackers to log in to controllers without proper authentication, using any username and password, even if the username does not exist.
This vulnerability is a problem because it enables unauthorized access to sensitive systems and data, potentially leading to data breaches, malicious activities, and other security threats.
The Jenkins DingTalk Plugin version 2.7.3 and earlier disables the security checks for SSL/TLS certificates and hostname validation when connecting to DingTalk webhooks, allowing potentially insecure connections.
This vulnerability is a problem because it makes the connection to DingTalk webhooks vulnerable to man-in-the-middle attacks, where an attacker could intercept and alter the data being sent, potentially leading to unauthorized access or data theft.
The Jenkins Cadence vManager Plugin has a vulnerability that allows attackers with basic read permission to connect to any URL using a username and password of their choice, potentially giving them unauthorized access to sensitive information.
This vulnerability is a problem because it could allow malicious actors to exploit the plugin and gain access to sensitive data or systems, potentially leading to data breaches, unauthorized changes, or other malicious activities.
This vulnerability allows an attacker to trick a user into making unintended requests to an attacker-specified URL, potentially connecting to a malicious site with the user's username and password.
This vulnerability is a problem because it enables attackers to gain unauthorized access to sensitive information and systems, potentially leading to data breaches, malware infections, or other malicious activities, all while appearing to originate from a legitimate user.
The Jenkins Health Advisor by CloudBees Plugin (version 374.v194b_d4f0c8c8 and earlier) fails to properly escape responses from the Jenkins Health Advisor server, allowing an attacker to inject malicious code and potentially steal user data or take control of the system.
This vulnerability is a problem because it enables stored cross-site scripting (XSS) attacks, which can be used by attackers to inject malicious code into the system, potentially leading to unauthorized access, data theft, or disruption of services.
The Jenkins OpenID Connect Provider Plugin has a vulnerability that allows attackers to create a fake build ID Token, which can impersonate a trusted job, by exploiting overridden environment variables and certain plugin configurations.
This vulnerability is a problem because it can give unauthorized access to external services, potentially leading to security breaches and data compromises, by allowing attackers to masquerade as trusted jobs.
This vulnerability allows attackers to overflow a buffer in the upload.cgi component of the WS-WN572HP3 device, which can be triggered by sending a specially crafted HTTP request, causing the device to become unresponsive or crash.
This vulnerability is a problem because it enables attackers to launch a Denial of Service (DoS) attack, disrupting the device's functionality and potentially causing significant disruptions to the network or system it is connected to.
The CVE-2025-44024 vulnerability allows an attacker to inject malicious JavaScript code into the username or password fields of the Pichome system's login form due to insufficient sanitization of user input, potentially leading to Cross-Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious code on the victim's browser, potentially stealing sensitive information, hijacking user sessions, or performing unauthorized actions on the Pichome system.
This vulnerability allows out-of-bounds reads to occur due to a lack of length check when processing malformed NAS packets on certain Samsung Exynos processors, including those used in mobile and wearable devices.
This vulnerability is a problem because it can potentially allow attackers to access sensitive information or disrupt device functionality by sending specially crafted packets to exploit the lack of length check, leading to unauthorized data access or device instability.
The CVE-2025-26783 vulnerability is found in certain Samsung processors, including those used in mobile and wearable devices, and modems. It occurs when the processor incorrectly handles undefined values, leading to a Denial of Service (DoS) attack, which can cause the device or system to become unresponsive or crash.
This vulnerability is a problem because it can be exploited by attackers to intentionally disrupt or shut down devices, resulting in loss of functionality, data, or productivity. This can have significant consequences, particularly for critical systems or devices that rely on continuous operation.
This vulnerability allows an attacker to send malformed RRC packets to a Samsung Mobile or Wearable Processor, which can lead to out-of-bounds access due to a lack of length check, potentially disrupting the normal functioning of the device.
This vulnerability is a problem because it can be exploited by attackers to gain unauthorized access to sensitive information, disrupt device operations, or even take control of the device, which can compromise user privacy and security.
The CVE-2024-55569 vulnerability is an issue in certain Samsung processors that allows out-of-bounds writes due to a lack of length check, potentially enabling unauthorized access or modification of sensitive data.
This vulnerability is a problem because it can be exploited by attackers to execute arbitrary code, gain unauthorized access to sensitive information, or disrupt the normal functioning of affected devices, leading to potential security breaches and data compromise.
The CVE-2025-32363 vulnerability allows remote attackers to execute code on a target system by exploiting the deserialization of untrusted data in mediDOK versions before 2.5.18.43.
This vulnerability is a problem because it enables attackers to remotely take control of a system, potentially leading to unauthorized access, data theft, or other malicious activities, by exploiting a weakness in the way the system handles untrusted data.
This vulnerability allows an attacker with physical access to a realme GT 2 device running Android 14 with realme UI 5.0 to obtain sensitive information by exploiting the "show app only setting" function.
This vulnerability is a problem because it enables an unauthorized person to access sensitive information on the device, potentially leading to data theft, privacy breaches, or other malicious activities, especially if the device is lost, stolen, or shared with others.
The Samsung Galaxy Buds and Galaxy Buds 2 audio devices can be paired with other Bluetooth devices without user input or consent, allowing unauthorized access to audio playback and microphone recording.
This vulnerability is a problem because it enables unauthorized individuals to take control of the audio device, potentially allowing them to listen to or record private conversations, or play unwanted audio, all without the user's knowledge or consent.
This vulnerability allows a local attacker to obtain sensitive information by using a specially crafted file in WPS Office versions before v.19302.
This vulnerability is a problem because it enables attackers to access confidential data, potentially leading to unauthorized use, theft, or exploitation of sensitive information.
This vulnerability allows attackers to execute arbitrary JavaScript code within a user's Zimbra Collaboration session when they view a specially crafted email in the Classic UI, potentially accessing sensitive information.
This is a problem because it enables attackers to gain unauthorized access to a user's email account and sensitive data, simply by sending a malicious email that the user views, without requiring any further interaction from the user.
The CVE-2025-4641 vulnerability allows an attacker to exploit the improper restriction of XML External Entity Reference in the WebDriverManager, enabling them to perform a Data Serialization External Entities Blowup attack, which can lead to unauthorized data access and potential system crashes.
This vulnerability is a problem because it can be used by attackers to gain unauthorized access to sensitive data, disrupt system operations, and potentially execute malicious code, compromising the security and integrity of systems that use the affected WebDriverManager versions.
The CVE-2025-4640 vulnerability allows an out-of-bounds write in the PointCloudLibrary (PCL), which can cause buffer overflows, potentially leading to data corruption or code execution.
This vulnerability is a problem because it can be exploited by attackers to crash systems, steal sensitive data, or execute malicious code, especially in systems using PCL versions older than 1.14.0 or those that have specifically opted out of using the system zlib.
This vulnerability allows attackers to embed arbitrary JavaScript code in the Web UI of IBM WebSphere Application Server 8.5 and 9.0, altering the intended functionality and potentially leading to the execution of malicious scripts.
This vulnerability is a problem because it can lead to cross-site scripting attacks, which can result in the disclosure of sensitive credentials, such as usernames and passwords, within a trusted session, compromising the security of the application and its users.
This vulnerability causes a denial of service in IBM Semeru Runtime by overflowing a buffer and crashing the system, due to a flaw in the native AES/CBC encryption implementation.
This vulnerability is a problem because it allows attackers to intentionally crash the system, disrupting service and causing potential data loss or other negative consequences, by exploiting the buffer overflow weakness in the encryption implementation.
The vulnerability in Palo Alto Networks Prisma Cloud Compute Edition allows web sessions to remain active even after a user is deleted, potentially granting unauthorized access to the system.
This vulnerability is a problem because it can lead to unauthorized access to sensitive information and systems, as deleted users' sessions are not properly terminated, posing a security risk to the organization.
This vulnerability allows a malicious administrator with read-write access to impersonate another legitimate administrator on the Palo Alto Networks PAN-OS software management web interface.
This is a problem because it enables an attacker to disguise themselves as a trusted administrator, potentially allowing them to perform unauthorized actions, access sensitive information, or disrupt the system.
The CVE-2025-0136 vulnerability occurs when the AES-128-CCM algorithm is used for IPSec on certain Palo Alto Networks firewalls, resulting in unencrypted data transfer to connected devices.
This vulnerability is a problem because it allows sensitive data to be transferred without encryption, potentially exposing it to unauthorized access and compromising the security of the network.
The CVE-2025-0135 vulnerability allows a non-administrative user with local access to a macOS device to disable the Palo Alto Networks GlobalProtect app, which is a security tool designed to protect the device and its connections.
This vulnerability is a problem because it enables unauthorized users to bypass security measures put in place by the GlobalProtect app, potentially exposing the device and its data to security risks and threats.
This vulnerability allows an authenticated user to inject code and execute arbitrary commands with root privileges on the host operating system that runs the Palo Alto Networks Cortex XDR Broker VM.
This is a problem because it gives an attacker the ability to gain complete control over the host system, potentially leading to data breaches, malware installation, and other malicious activities, all with elevated privileges.
This vulnerability allows an attacker to create a specially crafted link that, when clicked by an authenticated user, can execute malicious JavaScript code in the user's browser, potentially leading to phishing attacks and credential theft.
This vulnerability is a problem because it enables attackers to create links that appear to be legitimate, but actually steal sensitive information from users, particularly those with Clientless VPN enabled. This can compromise the confidentiality of user credentials and put them at risk of theft.
This vulnerability allows an unauthenticated user to disable certain internal services on the Palo Alto Networks Cortex XDR Broker VM, given they have network access to the Broker VM.
This is a problem because it enables an attacker to disrupt the normal functioning of the Broker VM without needing any authentication credentials, potentially leading to service outages or other malicious activities.
This vulnerability allows a non-administrative Windows user to potentially gain system-level access (NT AUTHORITY\SYSTEM) on a device running the Palo Alto Networks GlobalProtect app, by exploiting an incorrect privilege management issue in the OPSWAT MetaDefender Endpoint Security SDK, although it requires exploiting a difficult-to-reach race condition.
This vulnerability is a problem because it could allow a low-privileged user to gain high-level access to a system, potentially leading to unauthorized data access, modification, or deletion, as well as the ability to install malware or disrupt system operations.
This vulnerability allows a remote attacker to leak cross-origin data by using a specially crafted HTML page, taking advantage of insufficient policy enforcement in the Loader component of Google Chrome versions prior to 136.0.7103.113.
This vulnerability is a problem because it enables attackers to access sensitive data from other websites, potentially leading to unauthorized information disclosure and compromising user privacy.
The CVE-2025-4639 vulnerability allows an attacker to exploit an improper restriction of XML External Entity Reference in the getDocumentBuilder() method of the WebDav servlet in Peergos, affecting versions up to 1.1.0.
This vulnerability is a problem because it can potentially allow an attacker to access sensitive data, execute system-level commands, or launch a denial-of-service attack by manipulating the XML external entity references, which can lead to unauthorized access and disruption of the system.
The CVE-2025-4638 vulnerability exists in the zlib library used by the PointCloudLibrary (PCL), specifically in the inftrees.c component, allowing attackers to cause undefined behavior by exploiting improper pointer arithmetic.
This vulnerability is a problem because it can be exploited by context-dependent attackers to cause unpredictable behavior, potentially leading to crashes, data corruption, or other security issues in systems using affected PCL versions.
The CVE-2025-4637 vulnerability allows remote attackers to cause a denial of service by exploiting a "Divide By Zero" error in the dlib library, which can be triggered by a specially crafted file.
This vulnerability is a problem because it enables attackers to disrupt the normal functioning of systems that use the affected dlib library, potentially leading to service outages, data loss, or other negative consequences.
This vulnerability allows an authenticated user to potentially disrupt the integrity of certain Zoom Workplace Apps by exploiting improper handling of special elements, which can be done through network access.
This vulnerability is a problem because it can compromise the reliability and security of Zoom Workplace Apps, potentially leading to unauthorized modifications or disruptions, even if the user is authenticated.
This vulnerability allows an authenticated user to crash certain Zoom Workplace Apps for Windows by sending a malicious request over the network, due to a buffer over-read issue.
This vulnerability is a problem because it can be used to conduct a denial of service attack, disrupting the availability of the affected Zoom Workplace Apps and potentially causing inconvenience or loss of productivity for users who rely on these apps.
This vulnerability allows an authenticated user to cause a denial of service in certain Zoom Workplace Apps by exploiting an integer underflow, which can be triggered via network access.
This vulnerability is a problem because it can be used to intentionally disrupt the service, making it unavailable to users, which can lead to productivity loss and other negative consequences.
This vulnerability allows an authenticated user to crash certain Zoom Workplace Apps for Windows by exploiting a NULL pointer dereference, which can be done through network access.
This vulnerability is a problem because it enables an attacker to disrupt the service, causing a denial of service (DoS) that can prevent legitimate users from accessing the application, potentially leading to productivity losses and other negative consequences.
This vulnerability allows an authenticated user to crash certain Zoom Workplace Apps for Windows by exploiting a NULL pointer dereference, which can be done through network access.
This vulnerability is a problem because it enables an attacker to disrupt the service, causing a denial of service that can result in downtime and loss of productivity for users who rely on the affected Zoom Workplace Apps.
The CVE-2025-30665 vulnerability allows an authenticated user to crash certain Zoom Workplace Apps for Windows, making them unavailable, by exploiting a NULL pointer dereference via network access.
This vulnerability is a problem because it can be used to conduct a denial of service (DoS) attack, disrupting the normal functioning of the affected Zoom apps and potentially causing inconvenience or loss of productivity for users who rely on them.
This vulnerability allows an authenticated user to potentially gain higher privileges on a system through local access, due to improper handling of special elements in certain Zoom Workplace Apps.
This vulnerability is a problem because it could enable an attacker to escalate their privileges, potentially allowing them to access sensitive information, install malicious software, or take control of the system, which could compromise the security and integrity of the affected system.
The CVE-2025-30663 vulnerability is a time-of-check time-of-use race condition in some Zoom Workplace Apps, allowing an authenticated user with local access to potentially escalate their privileges.
This vulnerability is a problem because it enables an authenticated user to gain elevated access and potentially perform unauthorized actions, compromising the security and integrity of the system.
This vulnerability allows an unauthenticated attacker to send specially crafted packets to a Palo Alto Networks firewall with the web proxy feature enabled, causing it to become unresponsive, reboot, and potentially enter maintenance mode after repeated attacks.
This vulnerability is a problem because it enables an attacker to disrupt the normal functioning of a firewall, which can lead to a loss of network security and potentially allow unauthorized access to the network, compromising the confidentiality, integrity, and availability of sensitive data.
The CVE-2025-47710 vulnerability allows an attacker to bypass authentication in Drupal Enterprise MFA - TFA for Drupal using an alternate path or channel, potentially granting unauthorized access to the system.
This vulnerability is a problem because it enables attackers to circumvent the multi-factor authentication (MFA) mechanism, which is designed to provide an additional layer of security to protect user accounts and sensitive data, thereby compromising the security and integrity of the system.
The CVE-2025-47709 vulnerability allows unauthorized access to certain areas of a Drupal website using the Enterprise MFA - TFA module, due to a missing authorization check, enabling forceful browsing.
This vulnerability is a problem because it enables unauthorized users to access sensitive areas of the website, potentially leading to data breaches, tampering, or other malicious activities, compromising the security and integrity of the website.
The CVE-2025-47708 vulnerability allows an attacker to perform a Cross-Site Request Forgery (CSRF) attack on the Drupal Enterprise MFA - TFA for Drupal module, which can trick users into performing unintended actions on the website.
This vulnerability is a problem because it can be used by attackers to gain unauthorized access to user accounts, steal sensitive information, or perform malicious actions on the website, potentially leading to security breaches and data loss.
The CVE-2025-47707 vulnerability allows an attacker to bypass authentication in Drupal Enterprise MFA - TFA for Drupal using an alternate path or channel, potentially granting unauthorized access to the system.
This vulnerability is a problem because it enables attackers to circumvent the multi-factor authentication (MFA) mechanism, which is designed to provide an additional layer of security. If exploited, this vulnerability could lead to unauthorized access to sensitive data and systems.
This vulnerability allows an attacker to bypass authentication in Drupal Enterprise MFA - TFA by capturing and replaying stolen credentials, enabling unauthorized access to remote services.
This vulnerability is a problem because it enables attackers to gain unauthorized access to sensitive systems and data, potentially leading to data breaches, system compromise, and other malicious activities, even if multi-factor authentication is in place.
The CVE-2025-47705 vulnerability allows an attacker to inject malicious code into a website using the Drupal IFrame Remove Filter, potentially leading to Cross-Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially stealing sensitive information, hijacking user sessions, or taking control of the user's account.
The CVE-2025-47704 vulnerability allows an attacker to inject malicious code into a website using the Drupal Klaro Cookie & Consent Management module, enabling Cross-Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to steal user data, take control of user sessions, or perform other malicious actions on the affected website, potentially compromising user privacy and security.
The CVE-2025-47703 vulnerability allows an attacker to inject malicious code into a website using the Drupal COOKiES Consent Management module, enabling Cross-Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially stealing sensitive information, hijacking user sessions, or performing other malicious actions.
The CVE-2025-47702 vulnerability allows an attacker to inject malicious code into a website using the Drupal oEmbed Providers module, potentially leading to Cross-Site Scripting (XSS) attacks. This occurs due to improper neutralization of input during web page generation.
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially stealing sensitive information, hijacking user sessions, or performing other malicious actions.
The CVE-2025-47701 vulnerability allows an attacker to perform a Cross-Site Request Forgery (CSRF) attack on the Drupal Restrict route by IP module, which can trick users into performing unintended actions on a website.
This vulnerability is a problem because it enables attackers to bypass security restrictions and make malicious requests on behalf of legitimate users, potentially leading to unauthorized access, data modification, or other harmful activities.
The CVE-2025-44186 vulnerability allows an attacker to perform unauthorized actions on the SourceCodester Best Employee Management System 1.0 by tricking an administrator into submitting a forged request to the /admin/Operation/User.php page (Cross Site Request Forgery, CSRF).
This vulnerability is a problem because it enables an attacker to manipulate the system without the administrator's knowledge or consent, potentially leading to data modification, deletion, or other malicious activities, which can compromise the security and integrity of the employee management system.
The CVE-2025-44184 vulnerability allows an attacker to inject malicious code into the Best Employee Management System V1.0 via certain parameters in the /admin/profile.php page, including website_image, fname, lname, contact, username, and address, enabling Cross Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious scripts on the website, potentially stealing user data, taking control of user sessions, or performing other unauthorized actions, which can compromise the security and integrity of the system.
This vulnerability allows a remote attacker to trick the SMA1000 Appliance into making unauthorized requests to unintended locations on the internet by using a specially crafted, encoded URL.
This is a problem because it could enable an attacker to access sensitive information, disrupt service, or exploit other vulnerabilities that are not directly accessible from the outside, all without needing to authenticate with the appliance.
This vulnerability allows an attacker to craft a malicious email with a tracking link disguised as an attachment, which Thunderbird would automatically access when the user tries to open it, bypassing the configuration to block remote content.
This vulnerability is a problem because it enables attackers to potentially trick users into accessing malicious websites, leading to phishing attacks, malware downloads, or other security threats, even if the user has configured Thunderbird to block remote content.
This vulnerability allows an attacker to execute JavaScript code on a user's computer by sending a specially crafted email with a nested attachment, which Thunderbird may render as HTML and execute the embedded JavaScript without requiring a file download.
This vulnerability is a problem because it enables an attacker to run malicious JavaScript code on a user's computer, potentially allowing them to steal sensitive information, install malware, or take control of the system, all by simply opening a malicious email in Thunderbird.
This vulnerability allows an attacker to send a crafted HTML email that can automatically download files to a user's computer without prompting, even if auto-saving is disabled, by using specific links that exploit Thunderbird's handling of external content.
This vulnerability is a problem because it can be used to fill a user's disk with malicious data, leak sensitive information such as Windows credentials, or conceal the download trigger, all of which can compromise the security and integrity of the user's system.
The CVE-2025-3875 vulnerability allows an attacker to spoof the sender's email address in Thunderbird, making it appear as if the email is coming from a different sender than it actually is, by manipulating the "From" header in the email.
This vulnerability is a problem because it can be used by attackers to trick users into trusting fake emails, potentially leading to phishing attacks, spam, or other malicious activities, as the user may mistakenly believe the email is coming from a legitimate source.
This vulnerability in certain Samsung processors allows out-of-bounds writes due to a lack of length check, potentially enabling unauthorized access to or modification of sensitive data.
This vulnerability is a problem because it can lead to data corruption, unauthorized access, or even complete system compromise, potentially affecting the security and integrity of devices using the affected processors.
This vulnerability allows for out-of-bounds writes due to a lack of length check in the NAS component of certain Samsung processors, including Mobile, Wearable, and Modem Exynos models.
This issue can lead to unauthorized access and modification of sensitive data, potentially resulting in data corruption, system crashes, or even allowing attackers to execute malicious code.
This vulnerability allows an attacker with admin credentials to execute any command on a motionEye system by constructing a specific camera device path using the motionEye web API, potentially giving them control over the system.
This vulnerability is a problem because it enables an attacker to gain unauthorized access and execute malicious commands on the system, which could lead to data breaches, system compromise, or other malicious activities, especially since it can be exploited by someone with existing admin credentials.
The CVE-2025-47781 vulnerability allows an attacker to brute force a 6-digit authentication token sent to a user's email address, gaining access to the user's account on the Rallly scheduling and collaboration tool, as long as the attacker knows the user's registered email address.
This vulnerability is a problem because the weak entropy of the 6-digit token, combined with the lack of brute force protection, makes it possible for an attacker to guess the token within 15 minutes, allowing them to take over any user account, compromising user data and potentially leading to further malicious activities.
The CVE-2025-47778 vulnerability allows an admin user in the Sulu content management system to upload SVG files that can load external data, potentially leading to insecure XML External Entity References.
This vulnerability is a problem because it can be exploited to access sensitive data or execute malicious code, compromising the security of the system and its users.
This vulnerability allows an attacker to inject malicious code into the 5ire desktop artificial intelligence assistant through chatbot responses, potentially leading to Remote Code Execution (RCE) due to insufficient sanitization and exposed Electron APIs.
This vulnerability is a problem because it can enable attackers to execute arbitrary code on a user's system, potentially allowing them to steal sensitive information, install malware, or take control of the system, especially when interacting with untrusted chatbots or pasting external content.
The CVE-2025-47775 vulnerability allows unauthorized outbound traffic in GitHub workflows when using the Bullfrog GitHub Action prior to version 0.8.4, enabling DNS exfiltration and potentially bypassing sandbox security.
This vulnerability is a problem because it can be exploited to leak sensitive information and evade security controls, compromising the security and integrity of GitHub workflows and potentially leading to further malicious activities.
The CVE-2025-24969 vulnerability allows a portal user to view any other contact's picture in the iTop IT Service Management tool, in versions prior to 3.2.1, by modifying the picture ID in the URL.
This vulnerability is a problem because it compromises the privacy and security of contact information, potentially exposing sensitive data to unauthorized users.
This vulnerability allows an attacker to send a malicious URL to the iTop IT Service Management server, causing a PHP error that crashes the start page for the next user who tries to load the dashboard.
This vulnerability is a problem because it can be used to disrupt the service, causing inconvenience and potential downtime for users who rely on the iTop platform, ultimately affecting the overall productivity and efficiency of the organization.
The CVE-2025-24026 vulnerability allows for a regular expression denial of service (ReDoS) attack on iTop, a web-based IT Service Management tool, affecting versions prior to 3.2.1, which can potentially disrupt the iTop server.
This vulnerability is a problem because it can be exploited to cause a denial of service, making the iTop server unavailable and potentially impacting the organization's ability to manage IT services.
The CVE-2025-24022 vulnerability allows an attacker to execute server code through the frontend of iTop's portal, which is a web-based IT Service Management tool, in versions prior to 2.7.12, 3.1.3, and 3.2.1.
This vulnerability is a problem because it enables an attacker to gain control over the server, potentially leading to unauthorized access, data breaches, and disruption of IT services, which can have severe consequences for an organization's security and operations.
The CVE-2025-24021 vulnerability allows users with portal access to modify object fields in the iTop IT Service Management tool, even when they don't have the necessary permissions.
This vulnerability is a problem because it enables unauthorized users to make changes to sensitive data, potentially disrupting IT service management operations and compromising data integrity.