CVE List - 2025 / February
Showing 1 - 100 of 3676 CVEs for February 2025 (Page 1 of 37)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-13547 | 2025-02-01 | aThemes Addons for Elementor <= 1.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11780 | 2025-02-01 | Site Search 360 <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12184 | 2025-02-01 | WordPress Contact Forms by Cimatti <= 1.9.4 - Missing Authorization to Unauthenticated Form Submission Download |
| CVE-2024-12620 | 2025-02-01 | AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations <= 1.4.23 - Missing Authorization to Unauthenticated Settings Update |
| CVE-2024-13651 | 2025-02-01 | RapidLoad – Optimize Web Vitals Automatically <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Limited Setting Reset |
| CVE-2024-12171 | 2025-02-01 | ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.6 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation |
| CVE-2024-53296 | 2025-02-01 | Dell PowerProtect DD versions prior to 7.10.1.50 and 7.13.1.20 contain a Stack-based Buffer Overflow vulnerability in the RestAPI. A high privileged attacker with remote access could potentially exploit this vulnerability,... |
| CVE-2024-51534 | 2025-02-01 | Dell PowerProtect DD versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.20 contain a path traversal vulnerability. A local low privileged could potentially exploit this vulnerability to gain unauthorized overwrite of... |
| CVE-2024-53295 | 2025-02-01 | Dell PowerProtect DD versions prior to 8.3.0.0, 7.10.1.50, and 7.13.1.20 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to... |
| CVE-2024-12041 | 2025-02-01 | Directorist – AI-Powered WordPress Business Directory Plugin with Classified Ads Listings <= 8.0.12 - Unauthenticated User Information Exposure |
| CVE-2025-0366 | 2025-02-01 | Jupiter X Core <= 4.8.7 - Authenticated (Contributor+) SVG Upload to Local File Inclusion (Remote Code Execution) |
| CVE-2025-0365 | 2025-02-01 | Jupiterx Core <= 4.8.7 - Authenticated (Contributor+) Arbitrary File Read |
| CVE-2024-12768 | 2025-02-01 | Responsive iframe <= 1.2.0 - Contributor+ Stored XSS |
| CVE-2024-13096 | 2025-02-01 | WP Finance <= 1.3.6 - Stored XSS via CSRF |
| CVE-2024-13097 | 2025-02-01 | WP Finance <= 1.3.6 - Reflected XSS |
| CVE-2024-13098 | 2025-02-01 | WP Email Newsletter <= 1.1 - Reflected XSS |
| CVE-2024-13099 | 2025-02-01 | Widget4call <= 1.0.7 - Reflected XSS |
| CVE-2024-13341 | 2025-02-01 | MultiLoca - WooCommerce Multi Locations Inventory Management <= 4.1.11 - Authenticated (Subscriber+) SQL Injection |
| CVE-2025-0939 | 2025-02-01 | MagicForm - WordPress Form Builder <= 1.6.2 - Missing Authorization |
| CVE-2024-11829 | 2025-02-01 | The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-23091 | 2025-02-01 | An Improper Certificate Validation on UniFi OS devices, with Identity Enterprise configured, could allow a malicious actor to execute a man-in-the-middle (MitM) attack during application update. |
| CVE-2024-12825 | 2025-02-01 | Custom Related Posts <= 1.7.3 - Missing Authorization to Authenticated (Subscriber+) Private Post Search and Relation Updates |
| CVE-2024-13429 | 2025-02-01 | WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion |
| CVE-2024-13425 | 2025-02-01 | WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Company Deletion |
| CVE-2024-13428 | 2025-02-01 | WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Unauthenticated Company Logo Deletion |
| CVE-2024-13371 | 2025-02-01 | WP Job Portal <= 2.2.6 - Missing Authorization to Unauthenticated Arbitrary Email Sending |
| CVE-2024-13372 | 2025-02-01 | WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Unauthenticated Arbitrary Resume Download |
| CVE-2025-0943 | 2025-02-01 | itsourcecode Tailoring Management System deldoc.php sql injection |
| CVE-2024-13612 | 2025-02-01 | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2024-13775 | 2025-02-01 | WooCommerce Support Ticket System <= 17.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Information Exposure |
| CVE-2025-0944 | 2025-02-01 | itsourcecode Tailoring Management System customerview.php sql injection |
| CVE-2025-0945 | 2025-02-01 | itsourcecode Tailoring Management System typedelete.php sql injection |
| CVE-2025-0946 | 2025-02-01 | itsourcecode Tailoring Management System templatedelete.php sql injection |
| CVE-2025-0947 | 2025-02-01 | itsourcecode Tailoring Management System expview.php sql injection |
| CVE-2025-0948 | 2025-02-01 | itsourcecode Tailoring Management System incview.php sql injection |
| CVE-2025-0949 | 2025-02-01 | itsourcecode Tailoring Management System partview.php sql injection |
| CVE-2025-0950 | 2025-02-01 | itsourcecode Tailoring Management System staffview.php sql injection |
| CVE-2025-0961 | 2025-02-01 | code-projects Job Recruitment load_job-details.php cross site scripting |
| CVE-2024-0131 | 2025-02-02 | NVIDIA GPU kernel driver for Windows and Linux contains a vulnerability where a potential user-mode attacker could read a buffer with an incorrect length. A successful exploit of this vulnerability... |
| CVE-2025-0967 | 2025-02-02 | code-projects Chat System add_chatroom.php sql injection |
| CVE-2025-0970 | 2025-02-02 | Zenvia Movidesk Login redirect |
| CVE-2025-0971 | 2025-02-02 | Zenvia Movidesk Profile Editing EditProfile cross site scripting |
| CVE-2023-52163 | 2025-02-03 | Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2023-52164 | 2025-02-03 | access_device.cgi on Digiever DS-2105 Pro 3.1.0.71-11 devices allows arbitrary file read. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2024-34896 | 2025-02-03 | An issue in Nedis SmartLife Video Doorbell (WIFICDP10GY), Nedis SmartLife IOS v1.4.0 causes users who are disconnected from a previous peer-to-peer connection with the device to still have access to... |
| CVE-2024-34897 | 2025-02-03 | Nedis SmartLife android app v1.4.0 was discovered to contain an API key disclosure vulnerability. |
| CVE-2024-36437 | 2025-02-03 | The com.enflick.android.TextNow (aka TextNow: Call + Text Unlimited) application 24.17.0.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted... |
| CVE-2024-44449 | 2025-02-03 | Cross Site Scripting vulnerability in Quorum onQ OS v.6.0.0.5.2064 allows a remote attacker to obtain sensitive information via the msg parameter in the Login page. |
| CVE-2024-50656 | 2025-02-03 | itsourcecode Placement Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Full Name field in registration.php. |
| CVE-2024-53942 | 2025-02-03 | An issue was discovered on NRadio N8-180 NROS-1.9.2.n3.c5 devices. The /cgi-bin/luci/nradio/basic/radio endpoint is vulnerable to command injection via the 2.4 GHz and 5 GHz name parameters, allowing a remote attacker... |
| CVE-2024-53943 | 2025-02-03 | An issue was discovered in NRadio N8-180 NROS-1.9.2.n3.c5 devices. The /cgi-bin/luci/nradio/basic/radio endpoint is vulnerable to XSS via the 2.4 GHz and 5 GHz name parameters, allowing an attacker to execute... |
| CVE-2024-54840 | 2025-02-03 | PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection. |
| CVE-2024-55456 | 2025-02-03 | lunasvg v3.0.1 was discovered to contain a segmentation violation via the component gray_find_cell |
| CVE-2024-56898 | 2025-02-03 | Broken access control vulnerability in Geovision GV-ASWeb with version v6.1.0.0 or less. This vulnerability allows low privilege users to perform actions that they aren't authorized to, which can be leveraged to... |
| CVE-2024-56901 | 2025-02-03 | A Cross-Site Request Forgery (CSRF) vulnerability in Geovision GV-ASWeb application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Administrator accounts via a crafted GET request method.... |
| CVE-2024-56902 | 2025-02-03 | Information disclosure vulnerability in Geovision GV-ASManager web application with the version v6.1.0.0 or less, which discloses account information, including cleartext password. |
| CVE-2024-56903 | 2025-02-03 | Geovision GV-ASWeb with the version 6.1.1.0 or less allows attackers to modify POST request method with the GET against critical functionalities, such as account management. This vulnerability is used in... |
| CVE-2024-56921 | 2025-02-03 | An issue was discovered in Open5gs v2.7.2. InitialUEMessage, Registration request sent at a specific time can crash AMF due to incorrect error handling of gmm_state_exception() function upon receipt of the... |
| CVE-2024-56946 | 2025-02-03 | Denial of service in DNS-over-QUIC in Technitium DNS Server <= v13.2.2 allows remote attackers to permanently stop the server from accepting new DNS-over-QUIC connections by triggering unhandled exceptions in listener... |
| CVE-2024-57004 | 2025-02-03 | Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting... |
| CVE-2024-57097 | 2025-02-03 | ClassCMS 4.8 is vulnerable to Cross Site Scripting (XSS) in class/admin/channel.php. |
| CVE-2024-57098 | 2025-02-03 | Moss v0.1.3 version has an SQL injection vulnerability that allows attackers to inject carefully designed payloads into the order parameter. |
| CVE-2024-57099 | 2025-02-03 | ClassCMS v4.8 has a code execution vulnerability. Attackers can exploit this vulnerability by constructing a payload in the classview parameter of the model management feature, allowing them to execute arbitrary... |
| CVE-2024-57175 | 2025-02-03 | A Stored Cross-Site Scripting (XSS) vulnerability was identified in the PHPGURUKUL Online Birth Certificate System v1.0 via the profile name to /user/certificate-form.php. |
| CVE-2024-57237 | 2025-02-03 | Prolink 4G LTE Mobile Wi-Fi DL-7203E V4.0.0B05 is vulnerable to Cross Site Scripting (XSS) in the /reqproc/proc_get endpoint. The vulnerability arises because the cmd parameter does not properly sanitize input... |
| CVE-2024-57238 | 2025-02-03 | Prolink 4G LTE Mobile Wi-Fi DL-7203E V4.0.0B05 is vulnerable to SQL Injection in the /reqproc/proc_get endpoint. The vulnerability allows an attacker to manipulate SQL queries by injecting malicious SQL... |
| CVE-2024-57450 | 2025-02-03 | ChestnutCMS <=1.5.0 is vulnerable to File Upload via the Create template function. |
| CVE-2024-57451 | 2025-02-03 | ChestnutCMS <=1.5.0 has a directory traversal vulnerability in contentcore.controller.FileController#getFileList, which allows attackers to view any directory. |
| CVE-2024-57452 | 2025-02-03 | ChestnutCMS <=1.5.0 has an arbitrary file deletion vulnerability in contentcore.controller.FileController, which allows attackers to delete any file and folder. |
| CVE-2024-57498 | 2025-02-03 | Cross Site Scripting vulnerability in sayski ForestBlog 20241223 allows a remote attacker to escalate privileges via the article editing function. |
| CVE-2024-57522 | 2025-02-03 | SourceCodester Packers and Movers Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in Users.php. An attacker can inject a malicious script into the username or name field during... |
| CVE-2024-57669 | 2025-02-03 | Directory Traversal vulnerability in Zrlog backup-sql-file.jar v.3.0.31 allows a remote attacker to obtain sensitive information via the BackupController.java file. |
| CVE-2024-57966 | 2025-02-03 | libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive. |
| CVE-2024-57967 | 2025-02-03 | PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 has potentially elevated privileges in LDAP mapping. |
| CVE-2024-57968 | 2025-02-03 | Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users). upload.aspx can be used for... |
| CVE-2025-22918 | 2025-02-03 | Polycom RealPresence Group 500 <=20 has Insecure Permissions due to automatically loaded cookies. This allows for the use of administrator functions, resulting in the leakage of sensitive user information. |
| CVE-2025-22978 | 2025-02-03 | eladmin <=2.7 is vulnerable to CSV Injection in the exception log download module. |
| CVE-2025-25062 | 2025-02-03 | An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is... |
| CVE-2025-25063 | 2025-02-03 | An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially... |
| CVE-2025-25064 | 2025-02-03 | SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can... |
| CVE-2025-25065 | 2025-02-03 | SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints. |
| CVE-2025-25066 | 2025-02-03 | nDPI through 4.12 has a potential stack-based buffer overflow in ndpi_address_cache_restore in lib/ndpi_cache.c. |
| CVE-2025-25181 | 2025-02-03 | A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter. |
| CVE-2025-0972 | 2025-02-03 | Zenvia Movidesk New Ticket cross site scripting |
| CVE-2025-0973 | 2025-02-03 | CmsEasy index.php backAll_action path traversal |
| CVE-2025-0974 | 2025-02-03 | MaxD Lightning Module deserialization |
| CVE-2025-20633 | 2025-02-03 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution... |
| CVE-2025-20632 | 2025-02-03 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution... |
| CVE-2025-20631 | 2025-02-03 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution... |
| CVE-2025-20634 | 2025-02-03 | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution, if a UE has connected to a... |
| CVE-2025-20635 | 2025-02-03 | In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical... |
| CVE-2025-20636 | 2025-02-03 | In secmem, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already... |
| CVE-2025-20637 | 2025-02-03 | In network HW, there is a possible system hang due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction... |
| CVE-2024-20141 | 2025-02-03 | In V5 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical... |
| CVE-2024-20142 | 2025-02-03 | In V5 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical... |
| CVE-2025-20638 | 2025-02-03 | In DA, there is a possible read of uninitialized heap data due to uninitialized data. This could lead to local information disclosure, if an attacker has physical access to the... |
| CVE-2025-20639 | 2025-02-03 | In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access... |
| CVE-2025-20640 | 2025-02-03 | In DA, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure, if an attacker has physical access to... |
| CVE-2025-20641 | 2025-02-03 | In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access... |
| CVE-2025-20642 | 2025-02-03 | In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access... |