CVE List - 2025 / January
Showing 1201 - 1300 of 4274 CVEs for January 2025 (Page 13 of 43)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-13303 | 2025-01-09 | Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069 |
| CVE-2024-13304 | 2025-01-09 | Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070 |
| CVE-2024-13305 | 2025-01-09 | Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071 |
| CVE-2024-13308 | 2025-01-09 | Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072 |
| CVE-2024-13309 | 2025-01-09 | Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073 |
| CVE-2024-13310 | 2025-01-09 | Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074 |
| CVE-2024-13311 | 2025-01-09 | Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075 |
| CVE-2024-13312 | 2025-01-09 | Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076 |
| CVE-2025-21385 | 2025-01-09 | Microsoft Purview Information Disclosure Vulnerability |
| CVE-2025-21380 | 2025-01-09 | Azure Marketplace SaaS Resources Information Disclosure Vulnerability |
| CVE-2024-25371 | 2025-01-10 | Gramine before a390e33e16ed374a40de2344562a937f289be2e1 suffers from an Interface vulnerability due to mismatching SW signals vs HW exceptions. |
| CVE-2024-29970 | 2025-01-10 | Fortanix Enclave OS 3.36.1941-EM has an interface vulnerability that leads to state corruption via injected signals. |
| CVE-2024-29971 | 2025-01-10 | Scontain SCONE 5.8.0 has an interface vulnerability that leads to state corruption via injected signals. |
| CVE-2024-33297 | 2025-01-10 | Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function |
| CVE-2024-33298 | 2025-01-10 | Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup |
| CVE-2024-33299 | 2025-01-10 | Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users |
| CVE-2024-54687 | 2025-01-10 | Vtiger CRM v.6.1 and before is vulnerable to Cross Site Scripting (XSS) via the Documents module and function uploadAndSaveFile in CRMEntity.php. |
| CVE-2024-54846 | 2025-01-10 | An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to obtain the EC private key and access sensitive data or execute a man-in-the-middle attack. |
| CVE-2024-54847 | 2025-01-10 | An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to access the Diffie-Hellman (DH) parameters and access sensitive data or execute a man-in-the-middle attack. |
| CVE-2024-54848 | 2025-01-10 | Improper handling and storage of certificates in CP Plus CP-VNR-3104 B3223P22C02424 allow attackers to decrypt communications or execute a man-in-the-middle attacks. |
| CVE-2024-54849 | 2025-01-10 | An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to obtain the second RSA private key and access sensitive data or execute a man-in-the-middle attack. |
| CVE-2024-54910 | 2025-01-10 | Hasleo Backup Suite Free v4.9.4 and before is vulnerable to Insecure Permissions via the File recovery function. |
| CVE-2024-54994 | 2025-01-10 | MonicaHQ v4.1.2 was discovered to contain multiple Client-Side Injection vulnerabilities via the first_name and last_name parameters in the Add a new relationship feature. |
| CVE-2024-54996 | 2025-01-10 | MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and description parameters at /people/ID/reminders/create. |
| CVE-2024-54997 | 2025-01-10 | MonicaHQ v4.1.1 was discovered to contain an authenticated Client-Side Injection vulnerability via the entry text field at /journal/entries/ID/edit. |
| CVE-2024-54998 | 2025-01-10 | MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter at /people/h:[id]/debts/create. |
| CVE-2024-57211 | 2025-01-10 | TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the modifyOne parameter in the enable_wsh function. |
| CVE-2024-57212 | 2025-01-10 | TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the opmode parameter in the action_reboot function. |
| CVE-2024-57213 | 2025-01-10 | TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the newpasswd parameter in the action_passwd function. |
| CVE-2024-57214 | 2025-01-10 | TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the devname parameter in the reset_wifi function. |
| CVE-2024-57222 | 2025-01-10 | Linksys E7350 1.1.00.032 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_cancel_wps function. |
| CVE-2024-57223 | 2025-01-10 | Linksys E7350 1.1.00.032 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_wps_gen_pincode function. |
| CVE-2024-57224 | 2025-01-10 | Linksys E7350 1.1.00.032 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pin_wps function. |
| CVE-2024-57225 | 2025-01-10 | Linksys E7350 1.1.00.032 was discovered to contain a command injection vulnerability via the devname parameter in the reset_wifi function. |
| CVE-2024-57226 | 2025-01-10 | Linksys E7350 1.1.00.032 was discovered to contain a command injection vulnerability via the iface parameter in the vif_enable function. |
| CVE-2024-57227 | 2025-01-10 | Linksys E7350 1.1.00.032 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pbc_wps function. |
| CVE-2024-57228 | 2025-01-10 | Linksys E7350 1.1.00.032 was discovered to contain a command injection vulnerability via the iface parameter in the vif_disable function. |
| CVE-2024-57687 | 2025-01-10 | An OS Command Injection vulnerability was found in /landrecordsys/admin/dashboard.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the "Cookie" GET request parameter. |
| CVE-2025-22946 | 2025-01-10 | Tenda ac9 v1.0 firmware v15.03.05.19 contains a stack overflow vulnerability in /goform/SetOnlineDevName, which may lead to remote arbitrary code execution. |
| CVE-2025-22949 | 2025-01-10 | Tenda ac9 v1.0 firmware v15.03.05.19 is vulnerable to command injection in /goform/SetSambaCfg, which may lead to remote arbitrary code execution. |
| CVE-2025-23110 | 2025-01-10 | An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of... |
| CVE-2025-23111 | 2025-01-10 | An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this... |
| CVE-2025-23112 | 2025-01-10 | An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user... |
| CVE-2025-23113 | 2025-01-10 | An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration.... |
| CVE-2024-46210 | 2025-01-10 | An arbitrary file upload vulnerability in the MediaPool module of Redaxo CMS v5.17.1 allows attackers to execute arbitrary code via uploading a crafted file. |
| CVE-2024-50807 | 2025-01-10 | Trippo Responsive Filemanager 9.14.0 is vulnerable to Cross Site Scripting (XSS) via file upload using the svg and pdf extensions. |
| CVE-2024-57686 | 2025-01-10 | A Cross Site Scripting (XSS) vulnerability was found in /landrecordsys/admin/contactus.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the "pagetitle" parameter. |
| CVE-2024-57822 | 2025-01-10 | In Raptor RDF Syntax Library through 2.0.16, there is a heap-based buffer over-read when parsing triples with the nquads parser in raptor_ntriples_parse_term_internal(). |
| CVE-2024-57823 | 2025-01-10 | In Raptor RDF Syntax Library through 2.0.16, there is an integer underflow when normalizing a URI with the turtle parser in raptor_uri_normalize_path(). |
| CVE-2025-23016 | 2025-01-10 | FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs... |
| CVE-2025-23022 | 2025-01-10 | FreeType 2.8.1 has a signed integer overflow in cf2_doFlex in cff/cf2intrp.c. |
| CVE-2024-12606 | 2025-01-10 | AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) <= 2.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update |
| CVE-2024-12473 | 2025-01-10 | AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) <= 2.3 - Authenticated (Contributor+) SQL Injection |
| CVE-2025-0311 | 2025-01-10 | Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget |
| CVE-2024-13183 | 2025-01-10 | Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter |
| CVE-2024-13318 | 2025-01-10 | Essential WP Real Estate <= 1.1.3 - Missing Authorization to Arbitrary Post/Page Deletion |
| CVE-2024-41787 | 2025-01-10 | IBM Engineering Requirements Management DOORS Next code execution |
| CVE-2024-56511 | 2025-01-10 | DataEase has an unauthorized vulnerability |
| CVE-2025-22152 | 2025-01-10 | Improper Path Validation Enables Path Traversal in Multiple Components in Atheos |
| CVE-2025-22596 | 2025-01-10 | WeGIA has a Cross-Site Scripting (XSS) Reflected endpoint 'modulos_visiveis.php' parameter'msg_c' |
| CVE-2025-22597 | 2025-01-10 | WeGIA has a Cross-Site Scripting (XSS) Stored endpoint 'CobrancaController.php' parameter 'local_recepcao' |
| CVE-2025-22598 | 2025-01-10 | WeGIA has a Cross-Site Scripting (XSS) Stored endpoint 'cadastrarSocio.php' parameter 'nome' |
| CVE-2025-22599 | 2025-01-10 | WeGIA has a Cross-Site Scripting (XSS) Reflected endpoint `home.php` parameter `msg_c` |
| CVE-2025-22600 | 2025-01-10 | WeGIA has a Cross-Site Scripting (XSS) Reflected endpoint `configuracao_doacao.php` parameter `avulso` |
| CVE-2024-6662 | 2025-01-10 | CSRF in MegaBIP |
| CVE-2024-6880 | 2025-01-10 | CSRF in MegaBIP |
| CVE-2025-23078 | 2025-01-10 | XSS in BreadCrumbs2 |
| CVE-2025-23079 | 2025-01-10 | XSSes in Extension:ArticleFeedbackv5 |
| CVE-2024-12847 | 2025-01-10 | NETGEAR DGN setup.cgi OS Command Injection |
| CVE-2024-6437 | 2025-01-10 | On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options ma |
| CVE-2024-7095 | 2025-01-10 | On affected platforms running Arista EOS with SNMP configured, if “snmp-server transmit max-size” is configured, under some circumstances a specially crafted packet can cause the snmpd process to leak memory. This may result in the snmpd process being term |
| CVE-2024-5872 | 2025-01-10 | On affected platforms running Arista EOS, a specially crafted packet with incorrect VLAN tag might be copied to CPU, which may cause incorrect control plane behavior related to the packet, such as route flaps, multicast routes learnt, etc. |
| CVE-2024-7142 | 2025-01-10 | On Arista CloudVision Appliance (CVA) affected releases running on appliances that support hardware disk encryption (DCA-350E-CV only), the disk encryption might not be successfully performed. This results in the disks remaining unsecured and data on them |
| CVE-2024-9131 | 2025-01-10 | A user with administrator privileges can perform command injection |
| CVE-2024-9132 | 2025-01-10 | The administrator is able to configure an insecure captive portal script |
| CVE-2024-9133 | 2025-01-10 | A user with administrator privileges is able to retrieve authentication tokens |
| CVE-2024-9134 | 2025-01-10 | Multiple SQL Injection vulnerabilities exist in the reporting application. A user with advanced report application access rights can exploit the SQL injection, allowing them to execute commands on the underlying operating system with elevated privileges. |
| CVE-2024-47517 | 2025-01-10 | Expired and unusable administrator authentication tokens can be revealed by units that have timed out from ETM access |
| CVE-2024-47518 | 2025-01-10 | Specially constructed queries targeting ETM could discover active remote access sessions |
| CVE-2024-47519 | 2025-01-10 | Backup uploads to ETM subject to man-in-the-middle interception |
| CVE-2024-47520 | 2025-01-10 | A user with advanced report application access rights can perform actions for which they are not authorized |
| CVE-2024-9188 | 2025-01-10 | Specially constructed queries cause cross platform scripting leaking administrator tokens |
| CVE-2024-12404 | 2025-01-11 | CF Internal Link Shortcode <= 1.1.0 - Unauthenticated SQL Injection |
| CVE-2024-12472 | 2025-01-11 | Post Duplicator <= 2.36 - Authenticated (Contributor+) Protected Post Disclosure |
| CVE-2024-12627 | 2025-01-11 | Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups <= 1.3.5 - Missing Authorization to Authenticated (Contributor+) PHP Object Injection |
| CVE-2024-12505 | 2025-01-11 | Trackserver <= 5.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11327 | 2025-01-11 | ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages <= 2.4.1 - Reflected Cross-Site Scripting |
| CVE-2024-12204 | 2025-01-11 | Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups <= 1.3.5 - Missing Authorization |
| CVE-2024-42168 | 2025-01-11 | HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability |
| CVE-2024-42169 | 2025-01-11 | HCL MyXalytics is affected by insecure direct object references |
| CVE-2025-0103 | 2025-01-11 | Expedition: SQL Injection Vulnerability |
| CVE-2025-0104 | 2025-01-11 | Expedition: Cross-Site Scripting (XSS) Vulnerability |
| CVE-2025-0105 | 2025-01-11 | Expedition: Arbitrary File Deletion Vulnerability |
| CVE-2025-0106 | 2025-01-11 | Expedition: Wildcard Expansion Vulnerability |
| CVE-2025-0107 | 2025-01-11 | Expedition: OS Command Injection Vulnerability |
| CVE-2024-12304 | 2025-01-11 | Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.4.2 - Authenticated (contributor+) Stored Cross-Site Scripting via Button Link |
| CVE-2025-23108 | 2025-01-11 | Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability affects... |
| CVE-2025-23109 | 2025-01-11 | Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address This vulnerability affects Firefox for iOS < 134. |
| CVE-2024-12587 | 2025-01-11 | Contact Form Master <= 1.0.7 - Reflected XSS |
| CVE-2024-42170 | 2025-01-11 | HCL MyXalytics is affected by a session fixation vulnerability |