CVE List - 2025 / January
Showing 2201 - 2300 of 4274 CVEs for January 2025 (Page 23 of 43)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-57773 | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57774 | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-40513 | 2025-01-16 | An issue in themesebrand Chatvia v.5.3.2 allows a remote attacker to execute arbitrary code via the User profile Upload image function. |
| CVE-2024-40514 | 2025-01-16 | Insecure Permissions vulnerability in themesebrand Chatvia v.5.3.2 allows a remote attacker to escalate privileges via the User profile name and image upload functions. |
| CVE-2024-46450 | 2025-01-16 | Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request. |
| CVE-2024-48460 | 2025-01-16 | An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information via the server and sends the SSH username and password even when the host key verification... |
| CVE-2024-50633 | 2025-01-16 | A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed... |
| CVE-2024-53553 | 2025-01-16 | An issue in OPEXUS FOIAXPRESS PUBLIC ACCESS LINK v11.1.0 allows attackers to bypass authentication via crafted web requests. |
| CVE-2024-54660 | 2025-01-16 | A JNDI injection issue was discovered in Cloudera JDBC Connector for Hive before 2.6.26 and JDBC Connector for Impala before 2.6.35. Attackers can inject malicious parameters into the JDBC URL,... |
| CVE-2024-55511 | 2025-01-16 | A null pointer dereference vulnerability in Macrium Reflect prior to 8.1.8017 allows a local attacker to cause a system crash or potentially elevate their privileges via executing a specially crafted... |
| CVE-2024-57159 | 2025-01-16 | 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaWorkReport/add.html. |
| CVE-2024-57160 | 2025-01-16 | 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaTask/edit.html. |
| CVE-2024-57161 | 2025-01-16 | 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaWorkReport/edit.html. |
| CVE-2024-57162 | 2025-01-16 | Campcodes Cybercafe Management System v1.0 is vulnerable to SQL Injection in /ccms/view-user-detail.php. |
| CVE-2024-57575 | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the ssid parameter in the form_fast_setting_wifi_set function. |
| CVE-2024-57579 | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the limitSpeedUp parameter in the formSetClientState function. |
| CVE-2024-57580 | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the devName parameter in the formSetDeviceName function. |
| CVE-2024-57581 | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the firewallEn parameter in the formSetFirewallCfg function. |
| CVE-2024-57582 | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the startIP parameter in the formSetPPTPServer function. |
| CVE-2024-57583 | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a command injection vulnerability via the usbName parameter in the formSetSambaConf function. |
| CVE-2024-57611 | 2025-01-16 | 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/doAdminAction.php?act=editShop&shopId. |
| CVE-2024-57676 | 2025-01-16 | An access control issue in the component form2WlanBasicSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G wlan service of the device via a crafted POST request. |
| CVE-2024-57677 | 2025-01-16 | An access control issue in the component form2Wan.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the wan service of the device via a crafted POST request. |
| CVE-2024-57678 | 2025-01-16 | An access control issue in the component form2WlAc.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G mac access control list of the device via a crafted... |
| CVE-2024-57679 | 2025-01-16 | An access control issue in the component form2RepeaterSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G repeater service of the device via a crafted POST request. |
| CVE-2024-57680 | 2025-01-16 | An access control issue in the component form2PortriggerRule.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the port trigger of the device via a crafted POST request. |
| CVE-2024-57681 | 2025-01-16 | An access control issue in the component form2alg.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the agl service of the device via a crafted POST request. |
| CVE-2024-57682 | 2025-01-16 | An information disclosure vulnerability in the component d_status.asp of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to access sensitive information via a crafted POST request. |
| CVE-2024-57683 | 2025-01-16 | An access control issue in the component websURLFilterAddDel of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the filter settings of the device via a crafted POST request. |
| CVE-2024-57703 | 2025-01-16 | Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability. Affected by this vulnerability is the function setSchedWifi of the file /goform/openSchedWifi. The manipulation of the argument schedEndTime leads to stack-based buffer... |
| CVE-2024-57704 | 2025-01-16 | Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability. Affected by this vulnerability is the function setSchedWifi of the file /goform/openSchedWifi. The manipulation of the argument schedStartTime leads to stack-based buffer... |
| CVE-2024-57768 | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key. |
| CVE-2024-57769 | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component borrowmoney/listData?applyUser. |
| CVE-2024-57770 | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component apply/save#oaContractApply.id. |
| CVE-2024-57775 | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component getWorkFlowHis?insid. |
| CVE-2024-57776 | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57784 | 2025-01-16 | An issue in the component /php/script_uploads.php of Zenitel AlphaWeb XE v11.2.3.10 allows attackers to execute a directory traversal. |
| CVE-2024-57785 | 2025-01-16 | Zenitel AlphaWeb XE v11.2.3.10 was discovered to contain a local file inclusion vulnerability via the component amc_uploads.php. |
| CVE-2025-22904 | 2025-01-16 | RE11S v1.11 was discovered to contain a stack overflow via the pptpUserName parameter in the setWAN function. |
| CVE-2025-22905 | 2025-01-16 | RE11S v1.11 was discovered to contain a command injection vulnerability via the command parameter at /goform/mp. |
| CVE-2025-22906 | 2025-01-16 | RE11S v1.11 was discovered to contain a command injection vulnerability via the L2TPUserName parameter at /goform/setWAN. |
| CVE-2025-22907 | 2025-01-16 | RE11S v1.11 was discovered to contain a stack overflow via the selSSID parameter in the formWlSiteSurvey function. |
| CVE-2025-22912 | 2025-01-16 | RE11S v1.11 was discovered to contain a command injection vulnerability via the component /goform/formAccept. |
| CVE-2025-22913 | 2025-01-16 | RE11S v1.11 was discovered to contain a stack overflow via the rootAPmac parameter in the formStaDrvSetup function. |
| CVE-2025-22916 | 2025-01-16 | RE11S v1.11 was discovered to contain a stack overflow via the pppUserName parameter in the formPPPoESetup function. |
| CVE-2025-0455 | 2025-01-16 | NetVision Information airPASS - SQL injection |
| CVE-2025-0456 | 2025-01-16 | NetVision Information airPASS - Missing Authentication |
| CVE-2025-0457 | 2025-01-16 | NetVision Information airPASS - OS Command Injection |
| CVE-2025-0170 | 2025-01-16 | DWT - Directory & Listing WordPress Theme <= 3.3.3 - Reflected Cross-Site Scripting |
| CVE-2024-10970 | 2025-01-16 | Motors – Car Dealer, Classifieds & Listing <= 1.4.43 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Custom Title |
| CVE-2024-11452 | 2025-01-16 | Chamber Dashboard Business Directory <= 3.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-10789 | 2025-01-16 | WP User Profile Avatar <= 1.0.5 - Cross-Site Request Forgery to Settings Update |
| CVE-2024-12226 | 2025-01-16 | In affected versions of the Octopus Kubernetes worker or agent, sensitive variables could be written to the Kubernetes script pod log in clear-text. This was identified in Version 2 however... |
| CVE-2024-45331 | 2025-01-16 | An incorrect privilege assignment in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through... |
| CVE-2024-48885 | 2025-01-16 | An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiRecorder versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.4, FortiWeb versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through... |
| CVE-2024-50563 | 2025-01-16 | A weak authentication in Fortinet FortiManager Cloud, FortiAnalyzer versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3, FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiManager... |
| CVE-2024-13387 | 2025-01-16 | WP Responsive Tabs <= 1.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13355 | 2025-01-16 | Admin and Customer Messages After Order for WooCommerce <= 13.2 - Authenticated (Subscriber+) Limited File Upload to Cross-Site Scripting |
| CVE-2024-12614 | 2025-01-16 | Passwords Manager <= 1.4.8 - Missing Authorization to Authenticated (Subscriber+) Add Password + Update Encryption Key |
| CVE-2024-12615 | 2025-01-16 | Passwords Manager <= 1.4.8 - Authenticated (Subscriber+) SQL Injection |
| CVE-2024-12613 | 2025-01-16 | Passwords Manager <= 1.4.8 - Unauthenticated SQL Injection |
| CVE-2024-12427 | 2025-01-16 | Multi Step Form <= 1.7.23 - Missing Authorization to Unauthenticated Limited File Upload |
| CVE-2018-25108 | 2025-01-16 | WAGO: Denial of service in 750-8xx controller due to uncontrolled resource consumption |
| CVE-2025-0471 | 2025-01-16 | Unrestricted Upload of File with Dangerous Type vulnerability in PMB platform |
| CVE-2025-0472 | 2025-01-16 | Information exposure vulnerability in PMB platform |
| CVE-2025-0473 | 2025-01-16 | Incomplete Cleanup vulnerability in PMB platform |
| CVE-2025-0518 | 2025-01-16 | Unchecked sscanf return value which leads to memory data leak |
| CVE-2024-41746 | 2025-01-16 | IBM CICS TX cross-site scripting |
| CVE-2025-20072 | 2025-01-16 | Mobile crash via improper validation of proto style in attachments |
| CVE-2024-37181 | 2025-01-16 | Time-of-check time-of-use race condition in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable information disclosure via adjacent access. |
| CVE-2025-20621 | 2025-01-16 | Webapp crash via object that can't be cast to String in Attachment Field |
| CVE-2025-20630 | 2025-01-16 | Mobile crash via object that can't be cast to String in Attachment Field |
| CVE-2024-52594 | 2025-01-16 | Server-Side Request Forgery (SSRF) on redirects and federation in gomatrixserverlib |
| CVE-2024-56515 | 2025-01-16 | Untrusted file formats can be thumbnailed, invoking potentially further untrusted decoders in Matrix Media Repo |
| CVE-2024-52791 | 2025-01-16 | Denial of service through memory exhaustion in Matrix Media Repo |
| CVE-2024-52602 | 2025-01-16 | Server-Side Request Forgery (SSRF) on redirects and federation in Matrix Media Repo |
| CVE-2024-36403 | 2025-01-16 | Denial of service/high operating costs through unauthenticated downloads in Matrix Media Repo |
| CVE-2024-36402 | 2025-01-16 | Unauthenticated writes to the media repository allow planting of problematic content in Matrix Media Repo |
| CVE-2024-56136 | 2025-01-16 | /api/v1/jwt/fetch_api_key endpoint can leak if an email address has an account in Zulip server |
| CVE-2024-55954 | 2025-01-16 | OpenObserve Improper Authorization Allows Admin User to Remove Root User |
| CVE-2025-23423 | 2025-01-16 | WordPress SendGrid for WordPress plugin <= 1.4 - Broken Access Control vulnerability |
| CVE-2025-23467 | 2025-01-16 | WordPress RSS News Scroller plugin <= 2.0.0 - CSRF to Stored XSS vulnerability |
| CVE-2025-23470 | 2025-01-16 | WordPress Visit Site Link enhanced plugin <= 1.0 - CSRF to Stored XSS vulnerability |
| CVE-2025-23432 | 2025-01-16 | WordPress AlT Report plugin <= 1.12.0 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23463 | 2025-01-16 | WordPress MD Custom content after or before of post plugin <= 1.0 - CSRF to Stored XSS vulnerability |
| CVE-2025-23483 | 2025-01-16 | WordPress Universal Analytics Injector plugin <= 1.0.3 - CSRF to Stored XSS vulnerability |
| CVE-2025-23429 | 2025-01-16 | WordPress Altima Lookbook Free for WooCommerce plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23476 | 2025-01-16 | WordPress my-related-posts plugin <= 1.1 - CSRF to Stored XSS vulnerability |
| CVE-2025-23456 | 2025-01-16 | WordPress EmailShroud plugin <= 2.2.1 - CSRF to Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23442 | 2025-01-16 | WordPress Shockingly Big IE6 Warning plugin <= 1.6.3 - CSRF to Stored XSS vulnerability |
| CVE-2025-23436 | 2025-01-16 | WordPress Wp-Scribd-List plugin <= 1.2 - CSRF to XSS vulnerability |
| CVE-2025-23455 | 2025-01-16 | WordPress WP VTiger Synchronization plugin <= 1.1.1 - CSRF to Stored XSS vulnerability |
| CVE-2025-23430 | 2025-01-16 | WordPress Mass Custom Fields Manager plugin <= 1.5 - CSRF to Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23445 | 2025-01-16 | WordPress Easy Tynt plugin <= 0.2.5.1 - CSRF to Stored Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23453 | 2025-01-16 | WordPress Stars SMTP Mailer plugin <= 1.7 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23426 | 2025-01-16 | WordPress go Social plugin <= 1.0 - CSRF to Stored Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23424 | 2025-01-16 | WordPress Marquee Style RSS News Ticker plugin <= 3.2.0 - CSRF to Stored Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23444 | 2025-01-16 | WordPress Scroll Top Advanced plugin <= 2.5 - Stored Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23471 | 2025-01-16 | WordPress ECT Add to Cart Button plugin <= 1.4 - CSRF to Stored XSS vulnerability |
| CVE-2025-23434 | 2025-01-16 | WordPress Easy EU Cookie law plugin <= 1.3.3.1 - Stored Cross Site Scripting (XSS) vulnerability |