CVE List - 2025 / February
Showing 1801 - 1900 of 3676 CVEs for February 2025 (Page 19 of 37)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-11895 | 2025-02-18 | Online Payments – Get Paid with PayPal, Square & Stripe <= 3.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13465 | 2025-02-18 | aBlocks – WordPress Gutenberg Blocks <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13795 | 2025-02-18 | Ecwid by Lightspeed Ecommerce Shopping Cart <= 6.12.27 - Cross-Site Request Forgery to Send Deactivation Message |
| CVE-2025-0864 | 2025-02-18 | Active Products Tables for WooCommerce. Use constructor to create tables <= 1.0.6.6 - Reflected Cross-Site Scripting |
| CVE-2024-13575 | 2025-02-18 | Web Stories Enhancer – Level Up Your Web Stories <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-0422 | 2025-02-18 | Authenticated Remote Code Execution via ScriptVar |
| CVE-2025-0423 | 2025-02-18 | Multiple Unauthenticated Stored Cross-Site Scripting |
| CVE-2025-0424 | 2025-02-18 | Multiple Authenticated Stored Cross-Site Scripting |
| CVE-2025-0425 | 2025-02-18 | Local Privilege Escalation via Config Manipulation |
| CVE-2024-13718 | 2025-02-18 | Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later <= 1.2.26 - Cross-Site Request Forgery to Wishlist Creation/Modification |
| CVE-2024-13316 | 2025-02-18 | Scratch & Win – Giveaways and Contests <= 2.8.0 - Missing Authorization to Unauthenticated Coupon Creation |
| CVE-2024-12860 | 2025-02-18 | CarSpot – Dealership Wordpress Classified Theme <= 2.4.3 - Unauthenticated Arbitrary Password Reset/Account Takeover |
| CVE-2024-13395 | 2025-02-18 | Threepress <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13369 | 2025-02-18 | Tour Master - Tour Booking, Travel, Hotel <= 5.3.6 - Authenticated (Subscriber+) SQL Injection via review_id Parameter |
| CVE-2025-0981 | 2025-02-18 | Session Hijacking via Stored Cross-Site Scripting (XSS) in ChurchCRM GroupEditor.php Description Field |
| CVE-2025-1023 | 2025-02-18 | SQL Injection in ChurchCRM newCountName Parameter via EditEventTypes.php |
| CVE-2024-13797 | 2025-02-18 | PressMart - Modern Elementor WooCommerce WordPress Theme <= 1.2.16 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2025-0521 | 2025-02-18 | Post SMTP <= 3.0.2 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2024-13681 | 2025-02-18 | Uncode <= 2.9.1.6 - Unauthenticated Arbitrary File Read in uncode_admin_get_oembed |
| CVE-2025-0817 | 2025-02-18 | FormCraft - Premium WordPress Form Builder <= 3.9.11 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-13667 | 2025-02-18 | Uncode <= 2.9.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via mle-description |
| CVE-2024-13691 | 2025-02-18 | Uncode <= 2.9.1.6 - Authenticated (Subscriber+) Arbitrary File Read in uncode_recordMedia |
| CVE-2024-13783 | 2025-02-18 | FormCraft <= 3.9.11 - Missing Authorization to Plugin Data Export in formcraft-main.php |
| CVE-2025-1035 | 2025-02-18 | Path Traversal in Komtera Technologies' KLog Server |
| CVE-2025-1414 | 2025-02-18 | Memory safety bugs present in Firefox 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited... |
| CVE-2025-1269 | 2025-02-18 | Open Redirect in HAVELSAN's Open Source Project Liman MYS |
| CVE-2024-13689 | 2025-02-18 | Uncode Core <= 2.9.1.6 - Authenticated (Subscriber+) Arbitrary Shortcode Execution in uncode_get_medias |
| CVE-2025-21702 | 2025-02-18 | pfifo_tail_enqueue: Drop new packet when sch->limit == 0 |
| CVE-2025-21703 | 2025-02-18 | netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() |
| CVE-2025-22207 | 2025-02-18 | [20250201] - Core - SQL injection vulnerability in Scheduled Tasks component |
| CVE-2024-49589 | 2025-02-18 | Foundry artifacts denial of service |
| CVE-2025-26620 | 2025-02-18 | Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens |
| CVE-2025-25300 | 2025-02-18 | smartbanner.js rel noopener XSS vulnerability |
| CVE-2024-4028 | 2025-02-18 | Keycloak-core: stored xss in keycloak when creating items in admin console |
| CVE-2025-21608 | 2025-02-18 | Forged packets over MQTT can show up in direct messages in Meshtastic firmware |
| CVE-2024-45774 | 2025-02-18 | Grub2: reader/jpeg: heap oob write during jpeg parsing |
| CVE-2025-26465 | 2025-02-18 | Openssh: machine-in-the-middle attack if verifyhostkeydns is enabled |
| CVE-2025-24894 | 2025-02-18 | SAML Response Signature Verification Bypass in SPID.AspNetCore.Authentication |
| CVE-2025-24895 | 2025-02-18 | SAML Response Signature Verification Bypass in CIE.AspNetCore.Authentication |
| CVE-2025-25284 | 2025-02-18 | Path Traversal and Local File Read via VRT (Virtual Format) in ZOO-Project WPS Implementation |
| CVE-2025-25305 | 2025-02-18 | SSL validation for outgoing requests in Home Assistant Core and used libs not correct |
| CVE-2025-26603 | 2025-02-18 | heap-use-after-free in function str_to_reg in vim/vim |
| CVE-2025-26604 | 2025-02-18 | Possibility to retrieve bot token by malicious module developers in Discord-Bot-Framework-Kernel |
| CVE-2025-26623 | 2025-02-18 | Use After Free in Exiv2 |
| CVE-2024-45775 | 2025-02-18 | Grub2: commands/extcmd: missing check for failed allocation |
| CVE-2024-45776 | 2025-02-18 | Grub2: grub-core/gettext: integer overflow leads to heap oob write and read. |
| CVE-2024-45781 | 2025-02-18 | Grub2: fs/ufs: oob write in the heap |
| CVE-2024-45783 | 2025-02-18 | Grub2: fs/hfs+: refcount can be decremented twice |
| CVE-2025-0622 | 2025-02-18 | Grub2: command/gpg: use-after-free due to hooks not being removed on module unload |
| CVE-2025-27013 | 2025-02-18 | WordPress MediCenter theme < 14.7 - Sensitive Data Exposure vulnerability |
| CVE-2025-27016 | 2025-02-18 | WordPress Drivr Lite – Google Drive Plugin plugin <= 1.0.1 - Stored Cross Site Scripting (XSS) vulnerability |
| CVE-2024-56000 | 2025-02-18 | WordPress K Elements plugin < 5.4.0 - Unauthenticated Account Takeover vulnerability |
| CVE-2025-22639 | 2025-02-18 | WordPress Distance Rate Shipping for WooCommerce plugin <= 1.3.4 - SQL Injection vulnerability |
| CVE-2025-22645 | 2025-02-18 | WordPress Real Estate Manager – Property Listing and Agent Management plugin <= 7.3 - Captcha Bypass vulnerability |
| CVE-2025-22650 | 2025-02-18 | WordPress Smartarget.online Integration plugin <= 1.4 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-22654 | 2025-02-18 | WordPress Simplified Plugin Plugin <= 1.0.6 - Arbitrary File Upload vulnerability |
| CVE-2025-22656 | 2025-02-18 | WordPress Cookie Monster Plugin <= 1.2.2 - Local File Inclusion vulnerability |
| CVE-2025-22657 | 2025-02-18 | WordPress Atarim plugin <= 4.0.9 - Arbitrary Content Deletion vulnerability |
| CVE-2025-22663 | 2025-02-18 | WordPress Paid Videochat Turnkey Site plugin <= 7.2.12 - Arbitrary File Deletion vulnerability |
| CVE-2025-26617 | 2025-02-18 | SQL Injection endpoint 'historico_paciente.php' parameter 'id_fichamedica' in WeGIA |
| CVE-2025-26616 | 2025-02-18 | Path Traversal endpoint 'exportar_dump.php' parameter 'file' in WeGIA |
| CVE-2025-26615 | 2025-02-18 | Path Traversal endpoint 'examples.php' parameter 'src' in WeGIA |
| CVE-2025-26614 | 2025-02-18 | SQL Injection endpoint 'deletar_documento.php' parameter 'id_cargo' in WeGIA |
| CVE-2025-26613 | 2025-02-18 | OS Command Injection endpoint 'gerenciar_backup.php' parameter 'file' (RCE) in WeGIA |
| CVE-2025-26612 | 2025-02-18 | SQL Injection endpoint 'adicionar_almoxarife.php' parameter 'id_almoxarifado', 'id_funcionario' in WeGIA |
| CVE-2025-26611 | 2025-02-18 | SQL Injection endpoint 'remover_produto.php' parameter 'id_produto' in WeGIA |
| CVE-2025-26610 | 2025-02-18 | SQL Injection endpoint 'restaurar_produto_desocultar.php' parameter 'id_produto' in WeGIA |
| CVE-2025-26609 | 2025-02-18 | SQL Injection endpoint 'familiar_docfamiliar.php' parameter 'id_dependente', 'id_doc' in WeGIA |
| CVE-2025-26608 | 2025-02-18 | SQL Injection endpoint 'dependente_docdependente.php' parameter 'id_dependente', 'id_doc' in WeGIA |
| CVE-2025-26607 | 2025-02-18 | SQL Injection endpoint 'documento_excluir.php' parameter 'id_funcionario' in WeGIA |
| CVE-2025-26606 | 2025-02-18 | SQL Injection endpoint 'informacao_adicional.php' parameter 'id_descricao' in WeGIA |
| CVE-2025-26605 | 2025-02-18 | SQL Injection endpoint 'deletar_cargo.php' parameter 'id_cargo' in WeGIA |
| CVE-2024-13743 | 2025-02-18 | Wonder Video Embed <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2025-26624 | 2025-02-18 | Local Privilege Escalation in Rufus 4.6 and previous versions |
| CVE-2024-13508 | 2025-02-18 | Booking Package <= 1.6.72 - Reflected Cross-Site Scripting via Locale Parameter |
| CVE-2020-10095 | 2025-02-19 | Various Lexmark devices have CSRF that allows an attacker to modify the configuration of the device. |
| CVE-2020-13481 | 2025-02-19 | Certain Lexmark products through 2020-05-25 allow XSS which allows an attacker to obtain session credentials and other sensitive information. |
| CVE-2020-35546 | 2025-02-19 | Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings. |
| CVE-2023-46271 | 2025-02-19 | Extreme Networks IQ Engine before 10.6r1a, and through 10.6r4 before 10.6r5, has a buffer overflow. This issue arises from the ah_webui service, which listens on TCP port 3009 by default. |
| CVE-2023-46272 | 2025-02-19 | Buffer Overflow vulnerability in Extreme Networks IQ Engine before 10.6r1a, and through 10.6r4 before 10.6r5, allows an attacker to execute arbitrary code via the implementation of the ah_auth service |
| CVE-2023-51293 | 2025-02-19 | A lack of rate limiting in the 'Forgot Password', 'Email Settings' feature of PHPJabbers Event Booking Calendar v4.0 allows attackers to send an excessive amount of email for a legitimate... |
| CVE-2023-51296 | 2025-02-19 | PHPJabbers Event Booking Calendar v4.0 is vulnerable to Cross-Site Scripting (XSS) in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key" parameters which allows attackers to execute arbitrary code |
| CVE-2023-51297 | 2025-02-19 | A lack of rate limiting in the 'Email Settings' feature of PHPJabbers Hotel Booking System v4.0 allows attackers to send an excessive amount of email for a legitimate user, leading... |
| CVE-2023-51298 | 2025-02-19 | PHPJabbers Event Booking Calendar v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section... |
| CVE-2023-51299 | 2025-02-19 | PHPJabbers Hotel Booking System v4.0 is vulnerable to HTML Injection in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key, title" parameters. |
| CVE-2023-51300 | 2025-02-19 | PHPJabbers Hotel Booking System v4.0 is vulnerable to Cross-Site Scripting (XSS) vulnerabilities in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key" parameters. |
| CVE-2023-51301 | 2025-02-19 | A lack of rate limiting in the "Login Section, Forgot Email" feature of PHPJabbers Hotel Booking System v4.0 allows attackers to send an excessive amount of reset requests for a... |
| CVE-2023-51302 | 2025-02-19 | PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section... |
| CVE-2023-51303 | 2025-02-19 | PHPJabbers Event Ticketing System v1.0 is vulnerable to Multiple HTML Injection in the "lid, name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key, title" parameters. |
| CVE-2023-51305 | 2025-02-19 | PHPJabbers Car Park Booking System v3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key" parameters. |
| CVE-2024-57261 | 2025-02-19 | In barebox before 2025.01.0, request2size in common/dlmalloc.c has an integer overflow, a related issue to CVE-2024-57258. |
| CVE-2024-57262 | 2025-02-19 | In barebox before 2025.01.0, ext4fs_read_symlink has an integer overflow for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in... |
| CVE-2025-25942 | 2025-02-19 | An issue in Bento4 v1.6.0-641 allows an attacker to obtain sensitive information via the mp4fragment tool when processing invalid files. Specifically, memory allocated in SampleArray::SampleArray in Mp4Fragment.cpp is not... |
| CVE-2025-25943 | 2025-02-19 | Buffer Overflow vulnerability in Bento4 v.1.6.0-641 allows a local attacker to execute arbitrary code via the AP4_Stz2Atom::AP4_Stz2Atom component located in Ap4Stz2Atom.cpp. |
| CVE-2025-25944 | 2025-02-19 | Buffer Overflow vulnerability in Bento4 v.1.6.0-641 allows a local attacker to execute arbitrary code via the Ap4RtpAtom.cpp, specifically in AP4_RtpAtom::AP4_RtpAtom, during the execution of mp4fragment with a crafted MP4 input... |
| CVE-2025-25945 | 2025-02-19 | An issue in Bento4 v1.6.0-641 allows an attacker to obtain sensitive information via the Mp4Fragment.cpp and in AP4_DescriptorFactory::CreateDescriptorFromStream at Ap4DescriptorFactory.cpp. |
| CVE-2025-25946 | 2025-02-19 | An issue in Bento4 v1.6.0-641 allows an attacker to cause a memory leak via Ap4Marlin.cpp and Ap4Processor.cpp, specifically in AP4_MarlinIpmpEncryptingProcessor::Initialize and AP4_Processor::Process, during the execution of mp4encrypt with a specially... |
| CVE-2025-25947 | 2025-02-19 | An issue in Bento4 v1.6.0-641 allows an attacker to trigger a segmentation fault via Ap4Atom.cpp, specifically in AP4_AtomParent::RemoveChild, during the execution of mp4encrypt with a specially crafted MP4 input file. |
| CVE-2025-1447 | 2025-02-19 | kasuganosoras Pigeon index.php server-side request forgery |
| CVE-2025-1448 | 2025-02-19 | Synway SMG Gateway Management Software 9-12ping.php command injection |