Total
29492 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-43690 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 6.3 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | ||||
| CVE-2025-29925 | 1 Xwiki | 1 Xwiki | 2025-04-30 | 5.3 Medium |
| XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights. | ||||
| CVE-2025-32783 | 1 Xwiki | 1 Xwiki | 2025-04-30 | 4.7 Medium |
| XWiki Platform is a generic wiki platform. A vulnerability in versions from 5.0 to 16.7.1 affects users with Message Stream enabled and a wiki configured as closed from selecting "Prevent unregistered users to view pages" in the Administrations Rights. The vulnerability is that any message sent in a subwiki to "everyone" is actually sent to the farm: any visitor of the main wiki will be able to see that message through the Dashboard, even if the subwiki is configured to be private. This issue will not be patched as Message Stream has been deprecated in XWiki 16.8.0RC1 and is not maintained anymore. A workaround for this issue involves keeping Message Stream disabled by default. It's advised to keep it disabled from Administration > Social > Message Stream. | ||||
| CVE-2021-25991 | 1 If-me | 1 Ifme | 2025-04-30 | 5.7 Medium |
| In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin access to Ifme. | ||||
| CVE-2025-23382 | 1 Dell | 1 Secure Connect Gateway | 2025-04-30 | 5.5 Medium |
| Dell Secure Connect Gateway (SCG) 5.0 Appliance - SRS, version(s) 5.26, contain(s) an Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.c | ||||
| CVE-2024-49559 | 1 Dell | 1 Smartfabric Os10 | 2025-04-30 | 8.8 High |
| Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Use of Default Password vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | ||||
| CVE-2022-43138 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2025-04-30 | 9.8 Critical |
| Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. | ||||
| CVE-2022-34313 | 1 Ibm | 1 Cics Tx | 2025-04-30 | 4.3 Medium |
| IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. X-Force ID: 229449. | ||||
| CVE-2023-23919 | 2 Nodejs, Redhat | 2 Node.js, Enterprise Linux | 2025-04-30 | 7.5 High |
| A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. | ||||
| CVE-2021-27101 | 1 Accellion | 1 Fta | 2025-04-30 | 9.8 Critical |
| Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later. | ||||
| CVE-2012-0216 | 1 Debian | 1 Apache2 | 2025-04-29 | N/A |
| The default configuration of the apache2 package in Debian GNU/Linux squeeze before 2.2.16-6+squeeze7, wheezy before 2.2.22-4, and sid before 2.2.22-4, when mod_php or mod_rivet is used, provides example scripts under the doc/ URI, which might allow local users to conduct cross-site scripting (XSS) attacks, gain privileges, or obtain sensitive information via vectors involving localhost HTTP requests to the Apache HTTP Server. | ||||
| CVE-2025-0482 | 1 Native-php-cms Project | 1 Native-php-cms | 2025-04-29 | 7.3 High |
| A vulnerability, which was classified as critical, was found in Fanli2012 native-php-cms 1.0. This affects an unknown part of the file /fladmin/user_recoverpwd.php. The manipulation leads to use of default credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-44801 | 1 Dlink | 2 Dir-878, Dir-878 Firmware | 2025-04-29 | 9.8 Critical |
| D-Link DIR-878 1.02B05 is vulnerable to Incorrect Access Control. | ||||
| CVE-2022-34827 | 1 Carel | 2 Boss Mini, Boss Mini Firmware | 2025-04-29 | 8.8 High |
| Carel Boss Mini 1.5.0 has Improper Access Control. | ||||
| CVE-2022-44786 | 1 Maggioli | 1 Appalti \& Contratti | 2025-04-29 | 7.5 High |
| An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET requests to each application. | ||||
| CVE-2022-44784 | 1 Maggioli | 1 Appalti \& Contratti | 2025-04-29 | 8.8 High |
| An issue was discovered in Appalti & Contratti 9.12.2. The target web applications LFS and DL229 expose a set of services provided by the Axis 1.4 instance, embedded directly into the applications, as hinted by the WEB-INF/web.xml file leaked through Local File Inclusion. Among the exposed services, there is the Axis AdminService, which, through the default configuration, should normally be accessible only by the localhost. Nevertheless, by trying to access the mentioned service, both in LFS and DL229, the service can actually be reached even by remote users, allowing creation of arbitrary services on the server side. When an attacker can reach the AdminService, they can use it to instantiate arbitrary services on the server. The exploit procedure is well known and described in Generic AXIS-SSRF exploitation. Basically, the attack consists of writing a JSP page inside the root directory of the web application, through the org.apache.axis.handlers.LogHandler class. | ||||
| CVE-2022-41326 | 1 Mitel | 1 Micollab | 2025-04-29 | 9.8 Critical |
| The web conferencing component of Mitel MiCollab through 9.6.0.13 could allow an unauthenticated attacker to upload arbitrary scripts due to improper authorization controls. A successful exploit could allow remote code execution within the context of the application. | ||||
| CVE-2022-40282 | 1 Belden | 2 Hirschmann Bat-c2, Hirschmann Bat-c2 Firmware | 2025-04-29 | 8.8 High |
| The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection. This allows an authenticated attacker to pass commands to the shell of the system because the dir parameter of the FsCreateDir Ajax function is not sufficiently sanitized. The vendor's ID is BSECV-2022-21. | ||||
| CVE-2022-32537 | 1 Medtronic | 56 Guardian Link 2 Transmitter Mmt-7730, Guardian Link 2 Transmitter Mmt-7730 Firmware, Guardian Link 2 Transmitter Mmt-7731 and 53 more | 2025-04-29 | 4.8 Medium |
| A vulnerability exists which could allow an unauthorized user to learn aspects of the communication protocol used to pair system components while the pump is being paired with other system components. Exploitation requires nearby wireless signal proximity with the patient and the device; advanced technical knowledge is required for exploitation. Please refer to the Medtronic Product Security Bulletin for guidance | ||||
| CVE-2022-45475 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2025-04-29 | 6.5 Medium |
| Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control. | ||||