CVE List - 2025 / January
Showing 301 - 400 of 4274 CVEs for January 2025 (Page 4 of 43)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-22389 | 2025-01-04 | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of... |
| CVE-2025-0200 | 2025-01-04 | code-projects Point of Sales and Inventory Management System search_num.php sql injection |
| CVE-2025-0201 | 2025-01-04 | code-projects Point of Sales and Inventory Management System update_account.php sql injection |
| CVE-2025-0202 | 2025-01-04 | TCS BaNCS REPORTS_SHOW_FILE.jsp file inclusion |
| CVE-2025-0203 | 2025-01-04 | code-projects Student Management System DbFunction.php showSubject1 sql injection |
| CVE-2024-12047 | 2025-01-04 | WP Compress – Instant Performance & Speed Optimization <= 6.30.03 - Reflected Cross-Site Scripting via custom_server Parameter |
| CVE-2024-12701 | 2025-01-04 | WP Smart Import : Import any XML File to WordPress <= 1.1.2 - Reflected Cross-Site Scripting |
| CVE-2024-11974 | 2025-01-04 | Media Library Assistant <= 3.23 - Reflected Cross-Site Scripting via smc_settings_tab, unattachfixit-action, and woofixit-action Parameters |
| CVE-2024-12545 | 2025-01-04 | Scratch & Win – Giveaways and Contests <= 2.7.1 - Cross-Site Request Forgery via reset_installation Function |
| CVE-2024-10932 | 2025-01-04 | Backup Migration <= 1.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace' |
| CVE-2025-0204 | 2025-01-04 | code-projects Online Shoe Store details.php sql injection |
| CVE-2024-12583 | 2025-01-04 | Dynamics 365 Integration <= 1.3.23 - Authenticated (Contributor+) Remote Code Execution and Arbitrary File Read via Twig Server-Side Template Injection |
| CVE-2024-11930 | 2025-01-04 | Taskbuilder – WordPress Project & Task Management plugin <= 3.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via wppm_tasks Shortcode |
| CVE-2025-0205 | 2025-01-04 | code-projects Online Shoe Store details2.php sql injection |
| CVE-2024-12221 | 2025-01-04 | Turnkey bbPress by WeaverTheme <= 1.6.3 - Reflected Cross-Site Scripting via _wpnonce Parameter |
| CVE-2024-12475 | 2025-01-04 | WP Multi Store Locator <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12279 | 2025-01-04 | WP Social AutoConnect <= 4.6.2 - Cross-Site Request Forgery to Reflected Cross-Site Scripting |
| CVE-2024-12195 | 2025-01-04 | WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts <= 2.6.16 - Authenticated (Subscriber+) SQL Injection |
| CVE-2025-0206 | 2025-01-04 | code-projects Online Shoe Store index.php access control |
| CVE-2025-0207 | 2025-01-04 | code-projects Online Shoe Store login.php sql injection |
| CVE-2025-0208 | 2025-01-04 | code-projects Online Shoe Store summary.php sql injection |
| CVE-2024-10957 | 2025-01-04 | UpdraftPlus: WP Backup & Migration Plugin 1.23.8 - 1.24.11 - Unauthenticated PHP Object Injection |
| CVE-2025-0210 | 2025-01-04 | Campcodes School Faculty Scheduling System ajax.php sql injection |
| CVE-2024-41768 | 2025-01-04 | IBM Engineering Lifecycle Optimization - Publishing unhandled SLL exception |
| CVE-2024-41767 | 2025-01-04 | IBM Engineering Lifecycle Optimization - Publishing SQL injection |
| CVE-2024-41765 | 2025-01-04 | IBM Engineering Lifecycle Optimization - Publishing directory traversal |
| CVE-2024-41766 | 2025-01-04 | IBM Engineering Lifecycle Optimization - Publishing denial of service |
| CVE-2024-41763 | 2025-01-04 | IBM Engineering Lifecycle Optimization - Publishing information disclosure |
| CVE-2025-0211 | 2025-01-04 | Campcodes School Faculty Scheduling System index.php file inclusion |
| CVE-2025-0212 | 2025-01-04 | Campcodes Student Grading System view_students.php sql injection |
| CVE-2025-0213 | 2025-01-04 | Campcodes Project Management System update_forms.php unrestricted upload |
| CVE-2025-0214 | 2025-01-04 | TMD Custom Header Menu index.php sql injection |
| CVE-2024-13130 | 2025-01-05 | Dahua IPC-HFW1200S Web Interface Sha1Account1 path traversal |
| CVE-2024-13132 | 2025-01-05 | Emlog Pro Subpage article.php cross site scripting |
| CVE-2024-13133 | 2025-01-05 | ZeroWdd studentmanager StudentController. java editStudent unrestricted upload |
| CVE-2025-0219 | 2025-01-05 | Trimble SPS851 Receiver Status Identity Tab cross site scripting |
| CVE-2024-13134 | 2025-01-05 | ZeroWdd studentmanager TeacherController. java editTeacher unrestricted upload |
| CVE-2024-13135 | 2025-01-05 | Emlog Pro Subpage twitter.php cross site scripting |
| CVE-2024-13136 | 2025-01-05 | wangl1989 mysiteforme ShiroConfig.java rememberMeManager deserialization |
| CVE-2024-13137 | 2025-01-05 | wangl1989 mysiteforme SiteController RestResponse cross site scripting |
| CVE-2024-13138 | 2025-01-05 | wangl1989 mysiteforme LocalUploadServiceImpl upload unrestricted upload |
| CVE-2024-13139 | 2025-01-05 | wangl1989 mysiteforme FileController doContent server-side request forgery |
| CVE-2024-13140 | 2025-01-05 | Emlog Pro Cover Upload article.php cross site scripting |
| CVE-2025-0220 | 2025-01-05 | Trimble SPS851 Ethernet Configuration Menu cross site scripting |
| CVE-2024-13141 | 2025-01-05 | osuuu LightPicture SVG File Upload upload cross site scripting |
| CVE-2025-0221 | 2025-01-05 | IOBit Protected Folder IOCTL pffilter.sys 0x22200c null pointer dereference |
| CVE-2025-0222 | 2025-01-05 | IObit Protected Folder IOCTL IUProcessFilter.sys 0x8001E004 null pointer dereference |
| CVE-2025-0223 | 2025-01-05 | IObit Protected Folder IOCTL IURegistryFilter.sys 0x8001E010 null pointer dereference |
| CVE-2025-0224 | 2025-01-05 | Provision-ISR SH-4050A-2 server.js information disclosure |
| CVE-2025-0225 | 2025-01-05 | Tsinghua Unigroup Electronic Archives System exampleDownload.html path traversal |
| CVE-2025-0226 | 2025-01-05 | Tsinghua Unigroup Electronic Archives System downLoad.html download information disclosure |
| CVE-2025-0227 | 2025-01-05 | Tsinghua Unigroup Electronic Archives System downLoad.html information disclosure |
| CVE-2025-0228 | 2025-01-05 | code-projects Local Storage Todo App index.html cross site scripting |
| CVE-2025-0229 | 2025-01-05 | code-projects Travel Management System enquiry.php sql injection |
| CVE-2025-0230 | 2025-01-05 | code-projects Responsive Hotel Site print.php sql injection |
| CVE-2025-0231 | 2025-01-05 | Codezips Gym Management System submit_payments.php sql injection |
| CVE-2025-0232 | 2025-01-05 | Codezips Blood Bank Management System successadmin.php sql injection |
| CVE-2025-0233 | 2025-01-05 | Codezips Project Management System course.php sql injection |
| CVE-2024-13142 | 2025-01-05 | ZeroWdd studentmanager RoleController. java submitAddRole cross site scripting |
| CVE-2024-13143 | 2025-01-05 | ZeroWdd studentmanager PermissionController. java submitAddPermission cross site scripting |
| CVE-2021-27285 | 2025-01-06 | An issue was discovered in Inspur ClusterEngine v4.0 that allows attackers to gain escalated Local privileges and execute arbitrary commands via /opt/tsce4/torque6/bin/getJobsByShell. |
| CVE-2024-35498 | 2025-01-06 | A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-46073 | 2025-01-06 | A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the... |
| CVE-2024-46209 | 2025-01-06 | A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the... |
| CVE-2024-46622 | 2025-01-06 | An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file... |
| CVE-2024-48455 | 2025-01-06 | An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC... |
| CVE-2024-48456 | 2025-01-06 | An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC... |
| CVE-2024-48457 | 2025-01-06 | An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC... |
| CVE-2024-51111 | 2025-01-06 | Cross-Site Scripting (XSS) vulnerability in Pnetlab 5.3.11 allows an attacker to inject malicious scripts into a web page, which are executed in the context of the victim's browser. |
| CVE-2024-51112 | 2025-01-06 | Open Redirect vulnerability in Pnetlab 5.3.11 allows an attacker to manipulate URLs to redirect users to arbitrary external websites via a crafted script |
| CVE-2024-53933 | 2025-01-06 | The com.callerscreen.colorphone.themes.callflash (aka Color Call Theme & Call Screen) application through 1.0.7 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a... |
| CVE-2024-53934 | 2025-01-06 | The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted... |
| CVE-2024-53935 | 2025-01-06 | The com.callos14.callscreen.colorphone (aka iCall OS17 - Color Phone Flash) application through 4.3 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a... |
| CVE-2024-53936 | 2025-01-06 | The com.asianmobile.callcolor (aka Color Phone Call Screen App) application through 24 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted... |
| CVE-2024-54763 | 2025-01-06 | An access control issue in the component /login/hostinfo.cgi of ipTIME A2004 v12.17.0 allows attackers to obtain sensitive information without authentication. |
| CVE-2024-54764 | 2025-01-06 | An access control issue in the component /login/hostinfo2.cgi of ipTIME A2004 v12.17.0 allows attackers to obtain sensitive information without authentication. |
| CVE-2024-54879 | 2025-01-06 | SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely. |
| CVE-2024-54880 | 2025-01-06 | SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to register accounts in bulk. |
| CVE-2024-55074 | 2025-01-06 | The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370. |
| CVE-2024-55075 | 2025-01-06 | Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such as calendar and recipes. |
| CVE-2024-55076 | 2025-01-06 | Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password. |
| CVE-2024-55407 | 2025-01-06 | An issue in the DeviceloControl function of ITE Tech. Inc ITE IO Access v1.0.0.0 allows attackers to perform arbitrary port read and write actions via supplying crafted IOCTL requests. |
| CVE-2024-55408 | 2025-01-06 | An improper access control vulnerability in the AsusSAIO.sys driver may lead to the misuse of software functionality utilizing the driver when crafted IOCTL requests are supplied. |
| CVE-2024-55529 | 2025-01-06 | Z-BlogPHP 1.7.3 is vulnerable to arbitrary code execution via \zb_users\theme\shell\template. |
| CVE-2024-56828 | 2025-01-06 | File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then... |
| CVE-2024-53931 | 2025-01-06 | The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted... |
| CVE-2024-53932 | 2025-01-06 | The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted... |
| CVE-2024-54767 | 2025-01-06 | An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication. NOTE: this is disputed by the Supplier because... |
| CVE-2024-55553 | 2025-01-06 | In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K... |
| CVE-2024-13144 | 2025-01-06 | zhenfeng13 My-Blog BlogController.java uploadFileByEditomd unrestricted upload |
| CVE-2024-13145 | 2025-01-06 | zhenfeng13 My-Blog uploadController. java upload unrestricted upload |
| CVE-2024-20154 | 2025-01-06 | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution, if a UE has connected to a... |
| CVE-2024-20140 | 2025-01-06 | In power, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already... |
| CVE-2024-20143 | 2025-01-06 | In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical... |
| CVE-2024-20144 | 2025-01-06 | In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical... |
| CVE-2024-20145 | 2025-01-06 | In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical... |
| CVE-2024-20146 | 2025-01-06 | In wlan STA driver, there is a possible out of bounds write due to improper input validation. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges... |
| CVE-2024-20148 | 2025-01-06 | In wlan STA FW, there is a possible out of bounds write due to improper input validation. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges... |
| CVE-2024-20105 | 2025-01-06 | In m4u, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already... |
| CVE-2024-20149 | 2025-01-06 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is... |