CVE List - 2025 / February
Showing 1701 - 1800 of 3676 CVEs for February 2025 (Page 18 of 37)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-26775 | 2025-02-17 | WordPress BEAR Plugin <= 1.1.4.4 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-26778 | 2025-02-17 | WordPress Gallery Custom Links Plugin <= 2.2.1 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23840 | 2025-02-17 | WordPress WP-NOTCAPTCHA Plugin <= 1.3.1 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-23845 | 2025-02-17 | WordPress ImageMeta Plugin <= 1.1.2 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-0714 | 2025-02-17 | Insecure storage of sensitive information in MobaXTerm <25.0. |
| CVE-2025-21103 | 2025-02-17 | Dell NetWorker Management Console, version(s) 19.11 through 19.11.0.3 & Versions prior to 19.10.0.7 contain(s) an improper neutralization of server-side vulnerability. An unauthenticated attacker with local access could potentially exploit this... |
| CVE-2025-1391 | 2025-02-17 | Keycloak-services: improper authorization in keycloak organization mapper allows unauthorized organization claims |
| CVE-2024-13879 | 2025-02-17 | Stream <= 4.0.2 - Authenticated (Admin+) Server-Side Request Forgery |
| CVE-2025-1392 | 2025-02-17 | D-Link DIR-816 index.html cross site scripting |
| CVE-2025-25055 | 2025-02-17 | Authentication bypass by spoofing issue exists in FileMegane versions above 1.0.0.0 prior to 3.4.0.0, which may lead to user impersonation. If exploited, restricted file contents may be accessed. |
| CVE-2025-20075 | 2025-02-17 | Server-side request forgery (SSRF) vulnerability exists in FileMegane versions above 3.0.0.0 prior to 3.4.0.0. Executing arbitrary backend Web API requests could potentially lead to rebooting the services. |
| CVE-2021-46686 | 2025-02-17 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in acmailer CGI ver.4.0.3 and earlier and acmailer DB ver.1.1.5 and earlier. If this vulnerability... |
| CVE-2022-41545 | 2025-02-18 | The administrative web interface of a Netgear C7800 Router running firmware version 6.01.07 (and possibly others) authenticates users via basic authentication, with an HTTP header containing a base64 value of... |
| CVE-2024-39327 | 2025-02-18 | Incorrect Access Control vulnerability in Atos Eviden IDRA before 2.6.1 could allow the possibility to obtain CA signing in an illegitimate way. |
| CVE-2024-39328 | 2025-02-18 | Insecure Permissions in Atos Eviden IDRA and IDCA before 2.7.0. A highly trusted role (Config Admin) could exceed their configuration privileges in a multi-partition environment and access some confidential data.... |
| CVE-2024-50608 | 2025-02-18 | An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet... |
| CVE-2024-50609 | 2025-02-18 | An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length:... |
| CVE-2024-51505 | 2025-02-18 | An issue was discovered in Atos Eviden IDRA before 2.7.1. A highly trusted role (Config Admin) could leverage a race condition to escalate privileges. |
| CVE-2024-55460 | 2025-02-18 | A time-based SQL injection vulnerability in the login page of BoardRoom Limited Dividend Distribution Tax Election System Version v2.0 allows attackers to execute arbitrary code via a crafted input. |
| CVE-2024-56171 | 2025-02-18 | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema... |
| CVE-2024-56882 | 2025-02-18 | Sage DPW before 2024_12_000 is vulnerable to Cross Site Scripting (XSS). Low-privileged Sage users with employee role privileges can permanently store JavaScript code in the Kurstitel and Kurzinfo input fields.... |
| CVE-2024-56883 | 2025-02-18 | Sage DPW before 2024_12_001 is vulnerable to Incorrect Access Control. The implemented role-based access controls are not always enforced on the server side. Low-privileged Sage users with employee role privileges... |
| CVE-2024-57045 | 2025-02-18 | A vulnerability in the D-Link DIR-859 router with firmware version A3 1.05 and earlier permits unauthorized individuals to bypass the authentication. An attacker can obtain a user name and password... |
| CVE-2024-57046 | 2025-02-18 | A vulnerability in the Netgear DGN2200 router with firmware version v1.0.0.46 and earlier permits unauthorized individuals to bypass the authentication. When adding "?x=1.gif" to the requested URL, it will... |
| CVE-2024-57049 | 2025-02-18 | A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding... |
| CVE-2024-57055 | 2025-02-18 | Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used... |
| CVE-2024-57056 | 2025-02-18 | Incorrect cookie session handling in WombatDialer before 25.02 results in the full session identity being written to system logs and could be used by a malicious attacker to impersonate an... |
| CVE-2024-57254 | 2025-02-18 | An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem. |
| CVE-2024-57255 | 2025-02-18 | An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant... |
| CVE-2024-57256 | 2025-02-18 | An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff,... |
| CVE-2024-57257 | 2025-02-18 | A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with deep symlink nesting. |
| CVE-2024-57258 | 2025-02-18 | Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64. |
| CVE-2024-57259 | 2025-02-18 | sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation. |
| CVE-2025-22919 | 2025-02-18 | A reachable assertion in FFmpeg git-master commit N-113007-g8d24a28d06 allows attackers to cause a Denial of Service (DoS) via opening a crafted AAC file. |
| CVE-2025-22920 | 2025-02-18 | A heap buffer overflow vulnerability in FFmpeg before commit 4bf784c allows attackers to trigger a memory corruption via supplying a crafted media file in avformat when processing tile grid group... |
| CVE-2025-22921 | 2025-02-18 | FFmpeg git-master, N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c. |
| CVE-2025-24928 | 2025-02-18 | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD.... |
| CVE-2025-25467 | 2025-02-18 | Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file. |
| CVE-2025-25468 | 2025-02-18 | FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c. |
| CVE-2025-25469 | 2025-02-18 | FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/iamf.c. |
| CVE-2025-25471 | 2025-02-18 | FFmpeg git master before commit fd1772 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c. |
| CVE-2025-25472 | 2025-02-18 | A buffer overflow in DCMTK git master v3.6.9+ DEV allows attackers to cause a Denial of Service (DoS) via a crafted DCM file. |
| CVE-2025-25473 | 2025-02-18 | FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c. |
| CVE-2025-25474 | 2025-02-18 | DCMTK v3.6.9+ DEV was discovered to contain a buffer overflow via the component /dcmimgle/diinpxt.h. |
| CVE-2025-25475 | 2025-02-18 | A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV allows attackers to cause a Denial of Service (DoS) via a crafted DICOM file. |
| CVE-2025-25891 | 2025-02-18 | A buffer overflow vulnerability was discovered in D-Link DSL-3782 v1.01, triggered by the destination, netmask and gateway parameters. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-25892 | 2025-02-18 | A buffer overflow vulnerability was discovered in D-Link DSL-3782 v1.01 via the sstartip, sendip, dstartip, and dendip parameters. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-25893 | 2025-02-18 | An OS command injection vulnerability was discovered in D-Link DSL-3782 v1.01 via the inIP, insPort, inePort, exsPort, exePort, and protocol parameters. This vulnerability allows attackers to execute arbitrary operating system... |
| CVE-2025-25894 | 2025-02-18 | An OS command injection vulnerability was discovered in D-Link DSL-3782 v1.01 via the samba_wg and samba_nbn parameters. This vulnerability allows attackers to execute arbitrary operating system (OS) commands via a... |
| CVE-2025-25895 | 2025-02-18 | An OS command injection vulnerability was discovered in D-Link DSL-3782 v1.01 via the public_type parameter. This vulnerability allows attackers to execute arbitrary operating system (OS) commands via a crafted packet. |
| CVE-2025-25896 | 2025-02-18 | A buffer overflow vulnerability was discovered in D-Link DSL-3782 v1.01 via the destination, netmask, and gateway parameters. This vulnerability allows attackers to cause a Denial of Service (DoS) via a... |
| CVE-2025-26058 | 2025-02-18 | Webkul QloApps v1.6.1 exposes authentication tokens in URLs during redirection. When users access the admin panel or other protected areas, the application appends sensitive authentication tokens directly to the URL. |
| CVE-2025-27113 | 2025-02-18 | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. |
| CVE-2025-25221 | 2025-02-18 | The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a... |
| CVE-2025-25222 | 2025-02-18 | The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a... |
| CVE-2025-25223 | 2025-02-18 | The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on... |
| CVE-2025-25224 | 2025-02-18 | The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on... |
| CVE-2024-13741 | 2025-02-18 | ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.2 - Authenticated (Subscriber+) Limited Server-Side Request Forgery |
| CVE-2024-13740 | 2025-02-18 | ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private Messages Disclosure |
| CVE-2025-1390 | 2025-02-18 | pam_cap: Fix potential configuration parsing error |
| CVE-2024-13522 | 2025-02-18 | magayo Lottery Results <= 2.0.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2024-13587 | 2025-02-18 | Zigaform – Price Calculator & Cost Estimation Form Builder Lite <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13581 | 2025-02-18 | Simple Charts <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13538 | 2025-02-18 | BigBuy Dropshipping Connector for WooCommerce <= 1.9.19 - Unauthenticated Full Path Disclosure |
| CVE-2025-0805 | 2025-02-18 | Mortgage Calculator / Loan Calculator <= 1.5.20 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13578 | 2025-02-18 | WP-BibTeX <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13684 | 2025-02-18 | Reset <= 1.6 - Cross-Site Request Forgery to Database Reset |
| CVE-2024-13501 | 2025-02-18 | WP-FormAssembly <= 2.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2024-13595 | 2025-02-18 | Simple Signup Form <= 1.6.5 - Authenticated (Contributor+) SQL Injection |
| CVE-2024-13579 | 2025-02-18 | WP-Asambleas <= 2.85.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-0796 | 2025-02-18 | Mortgage Lead Capture System <= 8.2.10 - Cross-Site Request Forgery to Settings Reset |
| CVE-2024-12813 | 2025-02-18 | Open Hours – Easy Opening Hours <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13540 | 2025-02-18 | WooODT Lite – Delivery & pickup date time location for WooCommerce <= 2.5.1 - Unauthenticated Full Path Disclosure |
| CVE-2024-13577 | 2025-02-18 | CATS Job Listings <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13852 | 2025-02-18 | Option Editor <= 1.0 - Cross-Site Request Forgery to Arbitrary Options Update |
| CVE-2024-13588 | 2025-02-18 | Simplebooklet PDF Viewer and Embedder <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12525 | 2025-02-18 | Easy MLS Listings Import <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13725 | 2025-02-18 | Keap Official Opt-in Forms <= 2.0.1 - Unauthenticated Limited Local File Inclusion |
| CVE-2024-13576 | 2025-02-18 | Gumlet Video <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13535 | 2025-02-18 | Actionwear products sync <= 2.3.0 - Unauthenticated Full Path Disclosure |
| CVE-2024-12314 | 2025-02-18 | Rapid Cache <= 1.2.3 - Unauthenticated Cache Poisoning |
| CVE-2024-13573 | 2025-02-18 | Zigaform – Form Builder Lite <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13687 | 2025-02-18 | Team Builder – Meet the Team <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update |
| CVE-2024-13848 | 2025-02-18 | Reaction Buttons <= 2.1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting |
| CVE-2024-13622 | 2025-02-18 | File Uploads Addon for WooCommerce <= 1.7.1 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory |
| CVE-2024-13555 | 2025-02-18 | 1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.1 - Cross-Site Request Forgery to Backup Process Cancellation |
| CVE-2024-13677 | 2025-02-18 | GetBookingsWp - Appointments & Bookings Plugin Basic Version <= 1.1.27 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover |
| CVE-2024-13565 | 2025-02-18 | Simple Map No Api <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter |
| CVE-2024-13464 | 2025-02-18 | Library Bookshelves <= 5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13609 | 2025-02-18 | 1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.1 - Unauthenticated Sensitive Information Exposure via Database Backup in class-ocm-backup.php |
| CVE-2024-13582 | 2025-02-18 | Simple Pricing Tables For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-45320 | 2025-02-18 | Out-of-bounds write vulnerability exists in DocuPrint CP225w 01.22.01 and earlier, DocuPrint CP228w 01.22.01 and earlier, DocuPrint CM225fw 01.10.01 and earlier, and DocuPrint CM228fw 01.10.01 and earlier. If an affected MFP... |
| CVE-2024-13438 | 2025-02-18 | SpeedSize Image & Video AI-Optimizer <= 1.5.1 - Cross-Site Request Forgery to Clear Cache |
| CVE-2024-13556 | 2025-02-18 | Affiliate Links: WordPress Plugin for Link Cloaking and Link Management <= 3.0.1 - Missing Authorization to Unauthenticated Import/Export and PHP Object Injection |
| CVE-2024-13315 | 2025-02-18 | Shopwarden – Automated WooCommerce monitoring & testing <= 1.0.11 - Cross-Site Request Forgery to Arbitrary Options Update |
| CVE-2024-57963 | 2025-02-18 | Insecure Loading of Dynamic Link Libraries in USB-CONVERTERCABLE DRIVER |
| CVE-2024-57964 | 2025-02-18 | Insecure Loading of Dynamic Link Libraries in HVAC Energy Saving Program |
| CVE-2024-13523 | 2025-02-18 | MemorialDay <= 1.0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2024-11376 | 2025-02-18 | s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 241216 - Reflected Cross-Site Scripting |
| CVE-2024-13704 | 2025-02-18 | Super Testimonials <= 4.0.1 - Unauthenticated Stored Cross-Site Scripting |