Total
3528 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4333 | 2025-05-06 | 6.3 Medium | ||
| A vulnerability was found in feng_ha_ha/megagao ssm-erp and production_ssm up to 0.0.1. It has been classified as critical. This affects the function uploadFile of the file src/main/java/com/megagao/production/ssm/service/impl/FileServiceImpl.java. The manipulation of the argument uploadFile leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names. | ||||
| CVE-2025-45613 | 2025-05-06 | 7.5 High | ||
| Incorrect access control in the component /user/list of Shiro-Action v0.6 allows attackers to access sensitive information via a crafted payload. | ||||
| CVE-2025-45612 | 2025-05-06 | 9.8 Critical | ||
| Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index. | ||||
| CVE-2025-45611 | 2025-05-06 | 9.8 Critical | ||
| Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request. | ||||
| CVE-2025-45610 | 2025-05-06 | 7.5 High | ||
| Incorrect access control in the component /scheduleLog/info/1 of PassJava-Platform v3.0.0 allows attackers to access sensitive information via a crafted payload. | ||||
| CVE-2025-45609 | 2025-05-06 | 7.5 High | ||
| Incorrect access control in the doFilter function of kob latest v1.0.0-SNAPSHOT allows attackers to access sensitive information via a crafted payload. | ||||
| CVE-2025-45608 | 2025-05-06 | 7.5 High | ||
| Incorrect access control in the /system/user/findUserList API of Xinguan v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted payload. | ||||
| CVE-2025-45618 | 2025-05-06 | 6.5 Medium | ||
| Incorrect access control in the component /admin/sys/datasource/ajaxList of jeeweb-mybatis-springboot v0.0.1.RELEASE allows attackers to access sensitive information via a crafted payload. | ||||
| CVE-2025-45617 | 2025-05-06 | 7.5 High | ||
| Incorrect access control in the component /user/list of production_ssm v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted payload. | ||||
| CVE-2025-45616 | 2025-05-06 | 9.8 Critical | ||
| Incorrect access control in the /admin/** API of brcc v1.2.0 allows attackers to gain access to Admin rights via a crafted request. | ||||
| CVE-2025-45615 | 2025-05-06 | 9.8 Critical | ||
| Incorrect access control in the /admin/ API of yaoqishan v0.0.1-SNAPSHOT allows attackers to gain access to Admin rights via a crafted request. | ||||
| CVE-2025-45614 | 2025-05-06 | 7.5 High | ||
| Incorrect access control in the component /api/user/manager of One v1.0 allows attackers to access sensitive information via a crafted payload. | ||||
| CVE-2025-45237 | 2025-05-06 | 7.5 High | ||
| Incorrect access control in the component /config/download of DBSyncer v2.0.6 allows attackers to access the JSON file containing sensitive account information, including the encrypted password. | ||||
| CVE-2025-4291 | 2025-05-06 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, was found in IdeaCMS up to 1.6. Affected is the function saveUpload. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-4305 | 2025-05-06 | 6.3 Medium | ||
| A vulnerability has been found in kefaming mayi up to 1.3.9 and classified as critical. This vulnerability affects the function Upload of the file app/tools/controller/File.php. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-1568 | 2025-05-06 | 8.8 High | ||
| or other security impacts via manipulating IPSET_ATTR_CIDR Netlink attribute without proper bounds checking on the modified IP address in bitmap_ip_uadt | ||||
| CVE-2025-4270 | 2025-05-05 | 5.3 Medium | ||
| A vulnerability was found in TOTOLINK A720R 4.1.5cu.374. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi of the component Config Handler. The manipulation of the argument topicurl with the input getInitCfg/getSysStatusCfg leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-4316 | 2025-05-05 | N/A | ||
| Improper access control in PAM feature in Devolutions Server 2025.1.6.0 and earlier allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions. | ||||
| CVE-2025-4258 | 2025-05-05 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, was found in zhangyanbo2007 youkefu up to 4.2.0. Affected is the function Upload of the file \youkefu-master\src\main\java\com\ukefu\webim\web\handler\resource\MediaController.java. The manipulation of the argument imgFile leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-4259 | 2025-05-05 | 6.3 Medium | ||
| A vulnerability has been found in newbee-mall 1.0 and classified as critical. Affected by this vulnerability is the function Upload of the file ltd/newbee/mall/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | ||||