CVE List - 2025 / January
Showing 3201 - 3300 of 4274 CVEs for January 2025 (Page 33 of 43)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-42182 | 2025-01-23 | HCL BigFix Patch Download Plug-ins are affected by Server-Side Request Forgery (SSRF) vulnerability |
| CVE-2024-42183 | 2025-01-23 | HCL BigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability |
| CVE-2024-42184 | 2025-01-23 | HCL BigFix Patch Download Plug-ins are affected by insecure support for file URI scheme |
| CVE-2024-42185 | 2025-01-23 | HCL BigFix Patch Download Plug-ins are affected by an insecure package which is susceptible to XML injection attacks |
| CVE-2023-32340 | 2025-01-23 | IBM Sterling B2B Integrator cross-site scripting |
| CVE-2023-50309 | 2025-01-23 | IBM Sterling B2B Integrator cross-site scripting |
| CVE-2024-42186 | 2025-01-23 | HCL BigFix Patch Download Plug-ins are affected by an insecure protocol support |
| CVE-2024-42187 | 2025-01-23 | HCL BigFix Patch Download Plug-ins are affected by path traversal vulnerability |
| CVE-2025-24030 | 2025-01-23 | Envoy Admin Interface Exposed through prometheus metrics endpoint |
| CVE-2024-43710 | 2025-01-23 | Kibana server-side request forgery |
| CVE-2024-43707 | 2025-01-23 | Kibana exposure of sensitive information to an unauthorized actor |
| CVE-2024-52972 | 2025-01-23 | Kibana allocation of resources without limits or throttling leads to crash |
| CVE-2024-52975 | 2025-01-23 | Fleet Server sensitive information exposure via logs |
| CVE-2024-53299 | 2025-01-23 | Apache Wicket: An attacker can intentionally trigger a memory leak |
| CVE-2024-13511 | 2025-01-23 | Variation Swatches for WooCommerce 1.0.8 - 1.3.2 - Cross-Site Request Forgery to Plugin Settings Reset |
| CVE-2024-13593 | 2025-01-23 | BMLT Meeting Map <= 2.6.0 - Authenticated (Contributor+) Local File Inclusion |
| CVE-2024-12957 | 2025-01-23 | A file handling command vulnerability in certain versions of Armoury Crate may result in arbitrary file deletion. Refer to the '01/23/2025 Security Update for Armoury Crate App' section on the... |
| CVE-2024-43708 | 2025-01-23 | An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This... |
| CVE-2025-0648 | 2025-01-23 | M-Files Server crash via EOT database driver configuration |
| CVE-2025-0619 | 2025-01-23 | Unsafe stored password recovery |
| CVE-2025-0635 | 2025-01-23 | Denial of Service condition in M-Files Server |
| CVE-2024-12043 | 2025-01-23 | Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) <= 3.16.5 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13234 | 2025-01-23 | Product Table by WBW <= 2.1.2 - Unauthenticated SQL Injection |
| CVE-2024-12504 | 2025-01-23 | Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP <= 6.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13236 | 2025-01-23 | Tainacan <= 0.21.12 - Authenticated (Subscriber+) SQL Injection |
| CVE-2024-13422 | 2025-01-23 | SEO Blogger to WordPress Migration using 301 Redirection <= 0.4.8 - Reflected Cross-Site Scripting |
| CVE-2024-13389 | 2025-01-23 | Cliptakes <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12118 | 2025-01-23 | The Events Calendar <= 6.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13340 | 2025-01-23 | MDTF – Meta Data and Taxonomies Filter <= 1.3.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-23006 | 2025-01-23 | Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote... |
| CVE-2024-10539 | 2025-01-23 | Reflected XSS in Uyumsoft's ERP |
| CVE-2024-57947 | 2025-01-23 | netfilter: nf_set_pipapo: fix initial map fill |
| CVE-2025-23540 | 2025-01-23 | WordPress WP Front-end login and register plugin <= 2.1.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-10846 | 2025-01-23 | Excessive Platform Resource Consumption within a Loop when unmarshalling Compose file having recursive loop |
| CVE-2025-0637 | 2025-01-23 | Inadequate access control in Beta10 |
| CVE-2025-22264 | 2025-01-23 | WordPress WP Query Creator plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-22768 | 2025-01-23 | WordPress Rocket Media Library Mime Type plugin <= 2.1.0 - CSRF to Stored Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23541 | 2025-01-23 | WordPress Download, Downloads plugin <= 1.4.2 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23544 | 2025-01-23 | WordPress StatPressCN plugin <= 1.9.1 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23545 | 2025-01-23 | WordPress WP Social Broadcast plugin <= 1.0.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23624 | 2025-01-23 | WordPress WpDevTool plugin <= 0.1.1 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23626 | 2025-01-23 | WordPress Kumihimo plugin <= 1.0.2 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23628 | 2025-01-23 | WordPress GeoDigs plugin <= 3.4.1 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23629 | 2025-01-23 | WordPress Gallerio plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23634 | 2025-01-23 | WordPress Youtube Video Grid plugin <= 1.9 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23636 | 2025-01-23 | WordPress My Favorite Car plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23722 | 2025-01-23 | WordPress Mind3doM RyeBread Widgets plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23723 | 2025-01-23 | WordPress Plestar Directory Listing plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23724 | 2025-01-23 | WordPress University Quizzes Online plugin <= 1.4 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23725 | 2025-01-23 | WordPress Accessibility Task Manager plugin <= 1.2.1 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23727 | 2025-01-23 | WordPress AZ Content Finder plugin <= 0.1 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23729 | 2025-01-23 | WordPress XTRA Settings plugin <= 2.1.8 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23730 | 2025-01-23 | WordPress FLX Dashboard Groups plugin <= 0.0.7 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23733 | 2025-01-23 | WordPress SC Simple Zazzle plugin <= 1.1.6 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23834 | 2025-01-23 | WordPress Links/Problem Reporter plugin <= 2.6.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23835 | 2025-01-23 | WordPress Legal + Plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23836 | 2025-01-23 | WordPress Custom Coming Soon Plugin <= 2.2 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23894 | 2025-01-23 | WordPress wp-flickr-press Plugin <= 2.6.4 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23960 | 2025-01-23 | WordPress Save & Import Image from URL Plugin <= 0.7 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-52325 | 2025-01-23 | ECOVACS robot lawnmowers and vacuums command injection |
| CVE-2025-0650 | 2025-01-23 | Ovn: egress acls may be bypassed via specially crafted udp packet |
| CVE-2024-52328 | 2025-01-23 | ECOVACS lawnmowers and vacuums insecurely store audio warning files |
| CVE-2024-52329 | 2025-01-23 | ECOVACS HOME mobile app plugins do not properly validate TLS certificates |
| CVE-2024-52330 | 2025-01-23 | ECOVACS lawnmowers and vacuums do not properly validate TLS certificates |
| CVE-2024-52331 | 2025-01-23 | ECOVACS lawnmowers and vacuums deterministic firmware encryption key |
| CVE-2024-11147 | 2025-01-23 | ECOVACS lawnmowers and vacuums deterministic root password |
| CVE-2024-12078 | 2025-01-23 | ECOVACS lawnmowers and vacuums static BLE GATT encryption key |
| CVE-2024-12079 | 2025-01-23 | ECOVACS lawnmowers cleartext storage of anti-theft PIN |
| CVE-2024-52327 | 2025-01-23 | ECOVACS lawnmower and vacuum cloud service live video PIN bypass |
| CVE-2024-55925 | 2025-01-23 | API Security bypass through header manipulation |
| CVE-2024-55926 | 2025-01-23 | Arbitrary file upload, deletion and read through header manipulation |
| CVE-2025-23227 | 2025-01-23 | IBM Tivoli Application Dependency Discovery Manager cross-site scripting |
| CVE-2024-55927 | 2025-01-23 | Flawed token generation implementation & Hard-coded key implementation |
| CVE-2024-55928 | 2025-01-23 | Clear text secrets returned & Remote system secrets in clear text |
| CVE-2024-55929 | 2025-01-23 | Mail spoofing |
| CVE-2024-45672 | 2025-01-23 | IBM Security Verify Bridge data manipulation |
| CVE-2025-22153 | 2025-01-23 | try/except* clauses could allow bypass RestrictedPython via type confusion bug in the CPython interpreter |
| CVE-2024-55930 | 2025-01-23 | Weak default folder permissions |
| CVE-2025-24034 | 2025-01-23 | Himmelblau leaks credentials in the debug log |
| CVE-2025-24033 | 2025-01-23 | @fastify/multipart vulnerable to unlimited consumption of resources |
| CVE-2025-24353 | 2025-01-23 | Directus privilege escalation vulnerability using Share feature |
| CVE-2025-23011 | 2025-01-23 | Fedora Repository archive extraction path traversal |
| CVE-2025-23012 | 2025-01-23 | Fedora Repository fedoraIntCallUser default credentials |
| CVE-2025-0693 | 2025-01-23 | Issue with AWS Sign-in IAM User Login Flow - Possible Username Enumeration |
| CVE-2021-42718 | 2025-01-23 | Sensitive data unnecessarily returned from authenticated API |
| CVE-2022-47090 | 2025-01-24 | GPAC MP4box 2.1-DEV-rev574-g9d5bb184b contains a buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c, check needed for num_exp_tile_columns |
| CVE-2024-50690 | 2025-01-24 | SunGrow WiNet-SV200.001.00.P027 and earlier versions contains a hardcoded password that can be used to decrypt all firmware updates. |
| CVE-2024-50692 | 2025-01-24 | SunGrow WiNet-SV200.001.00.P027 and earlier versions contains hardcoded MQTT credentials that allow an attacker to send arbitrary commands to an arbitrary inverter. It is also possible to impersonate the broker, because... |
| CVE-2024-50694 | 2025-01-24 | In SunGrow WiNet-SV200.001.00.P027 and earlier versions, when copying the timestamp read from an MQTT message, the underlying code does not check the bounds of the buffer that is used to... |
| CVE-2024-50695 | 2025-01-24 | SunGrow WiNet-SV200.001.00.P027 and earlier versions is vulnerable to stack-based buffer overflow when parsing MQTT messages, due to missing MQTT topic bounds checks. |
| CVE-2024-50697 | 2025-01-24 | In SunGrow WiNet-SV200.001.00.P027 and earlier versions, when decrypting MQTT messages, the code that parses specific TLV fields does not have sufficient bounds checks. This may result in a stack-based buffer... |
| CVE-2024-50698 | 2025-01-24 | SunGrow WiNet-SV200.001.00.P027 and earlier versions is vulnerable to heap-based buffer overflow due to bounds checks of the MQTT message content. |
| CVE-2024-56404 | 2025-01-24 | In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only On-Premise installations are affected. |
| CVE-2024-57041 | 2025-01-24 | A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile. |
| CVE-2024-57095 | 2025-01-24 | SQL injection vulnerability in Go-CMS v.1.1.10 allows a remote attacker to execute arbitrary code via a crafted payload. |
| CVE-2024-57184 | 2025-01-24 | An issue was discovered in GPAC v0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer overflow in gf_m2ts_process_pmt in media_tools/mpegts.c:2163 that can cause a denial of service (DOS) via... |
| CVE-2024-57277 | 2025-01-24 | InnoShop V.0.3.8 and below is vulnerable to Cross Site Scripting (XSS) via SVG file upload. |
| CVE-2025-23222 | 2025-01-24 | An issue was discovered in Deepin dde-api-proxy through 1.0.19 in which unprivileged users can access D-Bus services as root. Specifically, dde-api-proxy runs as root and forwards messages from arbitrary local... |
| CVE-2025-0314 | 2025-01-24 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab |
| CVE-2024-11931 | 2025-01-24 | Insufficient Granularity of Access Control in GitLab |