CVE List - 2025 / February
Showing 2101 - 2200 of 3676 CVEs for February 2025 (Page 22 of 37)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-49337 | 2025-02-20 | IBM OpenPages HTML injection |
| CVE-2025-21105 | 2025-02-20 | Dell RecoverPoint for Virtual Machines 6.0.X contains a command execution vulnerability. A Low privileged malicious user with local access could potentially exploit this vulnerability by running the specific binary and... |
| CVE-2025-1039 | 2025-02-20 | Lenix Elementor Leads addon <= 1.8.2 - Unauthenticated Stored Cross-Site Scripting via URL Form Field |
| CVE-2025-20059 | 2025-02-20 | PingAM Java Policy Agent path traversal |
| CVE-2025-0161 | 2025-02-20 | IBM Security Verify Access Appliance code injection |
| CVE-2025-27091 | 2025-02-20 | OpenH264 Decoding Functions Heap Overflow Vulnerability |
| CVE-2024-7141 | 2025-02-20 | CSRF in Gliffy |
| CVE-2025-26618 | 2025-02-20 | SSH SFTP packet size not verified properly in Erlang OTP |
| CVE-2025-27096 | 2025-02-20 | SQL Injection endpoint 'html/personalizacao_upload.php' parameter 'id_campo' in WeGIA |
| CVE-2025-1265 | 2025-02-20 | Elseta Vinci Protocol Analyzer OS Command Injection |
| CVE-2025-0352 | 2025-02-20 | Rapid Response Monitoring My Security Account App Authorization Bypass Through User-Controlled Key |
| CVE-2025-24893 | 2025-02-20 | Remote code execution as guest via SolrSearchMacros request in xwiki |
| CVE-2025-25299 | 2025-02-20 | Cross-site scripting (XSS) in the real-time collaboration package |
| CVE-2025-27098 | 2025-02-20 | Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler in graphql-mesh |
| CVE-2025-27097 | 2025-02-20 | Cache variables with the operations when transforms exist on the root level even if variables change in the further requests with the same operation |
| CVE-2025-27088 | 2025-02-20 | Reflected Cross-site Scripting (XSS) in template implementation in oxyno-zeta/s3-proxy |
| CVE-2020-19248 | 2025-02-21 | SQL Injection vulnerability in PbootCMS 1.4.1 in parsing if statements in templates, resulting in a malicious user's ability to contaminate template content by searching for page contamination URLs, thus triggering... |
| CVE-2024-55156 | 2025-02-21 | An XML External Entity (XXE) vulnerability in the deserializeArgs() method of Java SDK for CloudEvents v4.0.1 allows attackers to access sensitive information via supplying a crafted XML-formatted event message. |
| CVE-2024-55159 | 2025-02-21 | GFast between v2 to v3.2 was discovered to contain a SQL injection vulnerability via the SortName parameter at /system/loginLog/list. |
| CVE-2024-57176 | 2025-02-21 | An issue in the shiroFilter function of White-Jotter project v0.2.2 allows attackers to execute a directory traversal and access sensitive endpoints via a crafted URL. |
| CVE-2025-25505 | 2025-02-21 | Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the sub_452A4 function. |
| CVE-2025-25507 | 2025-02-21 | There is a RCE vulnerability in Tenda AC6 15.03.05.16_multi. In the formexeCommand function, the parameter cmdinput will cause remote command execution. |
| CVE-2025-25510 | 2025-02-21 | Tenda AC8 V16.03.34.06 is vulnerable to Buffer Overflow in the get_parentControl_list_Info function. |
| CVE-2025-25604 | 2025-02-21 | Totolink X5000R V9.1.0u.6369_B20230113 is vulnerable to command injection via the vif_disable function in mtkwifi.lua. |
| CVE-2025-25605 | 2025-02-21 | Totolink X5000R V9.1.0u.6369_B20230113 is vulnerable to command injection via the apcli_wps_gen_pincode function in mtkwifi.lua. |
| CVE-2025-25765 | 2025-02-21 | MRCMS v3.1.2 was discovered to contain an arbitrary file write vulnerability via the component /file/save.do. |
| CVE-2025-25766 | 2025-02-21 | An arbitrary file upload vulnerability in the component /file/savefile.do of MRCMS v3.1.2 allows attackers to execute arbitrary code via uploading a crafted .jsp file. |
| CVE-2025-25767 | 2025-02-21 | A vertical privilege escalation vulnerability in the component /controller/UserController.java of MRCMS v3.1.2 allows attackers to arbitrarily delete users via a crafted request. |
| CVE-2025-25768 | 2025-02-21 | MRCMS v3.1.2 was discovered to contain a server-side template injection (SSTI) vulnerability in the component \servlet\DispatcherServlet.java. This vulnerability allows attackers to execute arbitrary code via a crafted payload. |
| CVE-2025-25769 | 2025-02-21 | Wangmarket v4.10 to v5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /controller/UserController.java. |
| CVE-2025-25770 | 2025-02-21 | Wangmarket v4.10 to v5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /agency/AgencyUserController.java. |
| CVE-2025-25772 | 2025-02-21 | A Cross-Site Request Forgery (CSRF) in the component /back/UserController.java of Jspxcms v9.0 to v9.5 allows attackers to arbitrarily add Administrator accounts via a crafted request. |
| CVE-2025-25875 | 2025-02-21 | A vulnerability was found in ITSourcecode Simple ChatBox up to 1.0. This vulnerability affects unknown code of the file /message.php. The attack can use SQL injection to obtain sensitive data. |
| CVE-2025-25876 | 2025-02-21 | A vulnerability was found in ITSourcecode Simple ChatBox up to 1.0. This vulnerability affects unknown code of the file /delete.php. The attack can use SQL injection to obtain sensitive data. |
| CVE-2025-25877 | 2025-02-21 | A vulnerability was found in ITSourcecode Simple ChatBox up to 1.0. This vulnerability affects unknown code of the file /admin.php. The attack can use SQL injection to obtain sensitive data. |
| CVE-2025-25878 | 2025-02-21 | A vulnerability was found in ITSourcecode Simple ChatBox up to 1.0. This vulnerability affects unknown code of the file /del.php. The attack can use SQL injection to obtain sensitive data. |
| CVE-2025-26013 | 2025-02-21 | An issue in Loggrove v.1.0 allows a remote attacker to obtain sensitive information via the read.py component. |
| CVE-2025-26014 | 2025-02-21 | A Remote Code Execution (RCE) vulnerability in Loggrove v.1.0 allows a remote attacker to execute arbitrary code via the path parameter. |
| CVE-2025-26794 | 2025-02-21 | Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. |
| CVE-2025-27100 | 2025-02-21 | An authenticated user can crash lakeFS by exhausting server memory |
| CVE-2025-1001 | 2025-02-21 | Medixant RadiAnt DICOM Viewer Improper Certificate Validation |
| CVE-2024-38657 | 2025-02-21 | External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write... |
| CVE-2024-13388 | 2025-02-21 | TCBD Tooltip <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-13235 | 2025-02-21 | Pinpoint Booking System – #1 WordPress Booking Plugin <= 2.9.9.5.2 - Authenticated (Subscriber+) SQL Injection |
| CVE-2024-13883 | 2025-02-21 | WPUpper Share Buttons <= 3.51 - Cross-Site Request Forgery to Custom CSS Update |
| CVE-2024-13818 | 2025-02-21 | Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction <= 3.8.3.9 - Sensitive Information Exposure via Log Files |
| CVE-2024-13379 | 2025-02-21 | C9 Admin Dashboard <= 1.3.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-13672 | 2025-02-21 | Mini Course Generator | Embed mini-courses and interactive content <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-1407 | 2025-02-21 | AMO Team Showcase <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via amoteam_skills Shortcode |
| CVE-2025-1406 | 2025-02-21 | Newpost Catch <= 1.3.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via npc Shortcode |
| CVE-2024-13537 | 2025-02-21 | C9 Blocks <= 1.7.7 - Unauthenticated Full Path Disclosure |
| CVE-2024-13751 | 2025-02-21 | 3D Photo Gallery <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting |
| CVE-2024-11260 | 2025-02-21 | Events Manager – Calendar, Bookings, Tickets, and more! <= 6.6.3 - Unauthenticated SQL Injection via Event Status Parameter |
| CVE-2024-13314 | 2025-02-21 | Carousel, Slider, Gallery by WP Carousel < 2.7.4 - Admin+ Stored XSS |
| CVE-2024-13585 | 2025-02-21 | Ajax Search Lite < 4.12.5 - Admin+ Stored XSS |
| CVE-2025-0726 | 2025-02-21 | Eclipse ThreadX NetX Duo HTTP server denial of service |
| CVE-2025-0728 | 2025-02-21 | Eclipse ThreadX NetX Duo HTTP server single PUT request integer underflow |
| CVE-2025-0727 | 2025-02-21 | Eclipse ThreadX NetX Duo HTTP server single PUT request integer underflow |
| CVE-2025-1410 | 2025-02-21 | Events Calendar Made Simple – Pie Calendar <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via piecal Shortcode |
| CVE-2024-13461 | 2025-02-21 | Autoship Cloud for WooCommerce Subscription Products <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12276 | 2025-02-21 | Ultimate Member <= 2.9.2 - Authenticated SQL Injection |
| CVE-2024-13353 | 2025-02-21 | Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 - Authenticated (Contributor+) Local File Inclusion |
| CVE-2024-13648 | 2025-02-21 | Maps for WP <= 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12452 | 2025-02-21 | Ziggeo <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-1470 | 2025-02-21 | Eclipse OMR: Null pointer dereference vulnerability |
| CVE-2025-1471 | 2025-02-21 | Eclipse OMR: Buffer overflow vulnerability |
| CVE-2024-13900 | 2025-02-21 | Head, Footer and Post Injections <= 3.3.0 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments |
| CVE-2025-1489 | 2025-02-21 | WP-Appbox <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via appbox Shortcode |
| CVE-2024-13713 | 2025-02-21 | WPExperts Square For GiveWP <= 1.3.1 - Authenticated (Subscriber+) SQL Injection |
| CVE-2024-13455 | 2025-02-21 | igumbi Online Booking <= 1.40 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-1402 | 2025-02-21 | Event Tickets and Registration <= 5.19.1.1 - Missing Authorization to Ticket Deletion |
| CVE-2024-13846 | 2025-02-21 | Indeed Ultimate Learning Pro <= 3.9 - Authenticated (Administrator+) SQL Injection via post_id Parameter |
| CVE-2024-9150 | 2025-02-21 | Code Injection in Wyn Enterprise |
| CVE-2025-1535 | 2025-02-21 | Baiyi Cloud Asset Management System admin.ticket.close.php sql injection |
| CVE-2020-6158 | 2025-02-21 | Opera Mini for Android before version 52.2 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of... |
| CVE-2024-10222 | 2025-02-21 | SVG Support <= 2.5.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2025-0838 | 2025-02-21 | Heap Buffer overflow in Abseil |
| CVE-2025-1536 | 2025-02-21 | Raisecom Multi-Service Intelligent Gateway Request Parameter vpn_template_style.php os command injection |
| CVE-2025-1537 | 2025-02-21 | Harpia DiagSystem atualatendimento_jpeg.php sql injection |
| CVE-2025-1538 | 2025-02-21 | D-Link DAP-1320 api set_ws_action heap-based overflow |
| CVE-2025-1539 | 2025-02-21 | D-Link DAP-1320 storagein.pd-XXXXXX replace_special_char stack-based overflow |
| CVE-2025-1543 | 2025-02-21 | iteachyou Dreamer CMS ueditor-1.4.3.3 path traversal |
| CVE-2025-1544 | 2025-02-21 | dingfanzu CMS loadShopInfo.php sql injection |
| CVE-2025-1546 | 2025-02-21 | BDCOM Behavior Management and Auditing System operate.mds log_operate_clear os command injection |
| CVE-2024-45673 | 2025-02-21 | IBM Security Verify Bridge information disclosure |
| CVE-2025-1403 | 2025-02-21 | Qiskit SDK denial of service |
| CVE-2025-1548 | 2025-02-21 | iteachyou Dreamer CMS edit cross site scripting |
| CVE-2025-1555 | 2025-02-21 | hzmanyun Education and Training System saveImage unrestricted upload |
| CVE-2025-25282 | 2025-02-21 | Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow |
| CVE-2025-27108 | 2025-02-21 | Cross-site Scripting vulnerability due to improper use of string.replace in dom-expressions |
| CVE-2025-27109 | 2025-02-21 | Lack of Escaping of HTML in JSX Fragments allows for Cross-site Scripting in solid-js |
| CVE-2019-8900 | 2025-02-21 | A vulnerability in the SecureROM of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. This vulnerability allows arbitrary code... |
| CVE-2025-27106 | 2025-02-21 | Code injection in binance-trading-bot |
| CVE-2025-27105 | 2025-02-21 | AugAssign evaluation order causing OOB write within the object in Vyper |
| CVE-2025-27104 | 2025-02-21 | double eval in For List Iter in Vyper |
| CVE-2025-26622 | 2025-02-21 | sqrt doesn't define rounding behavior in Vyper |
| CVE-2024-45674 | 2025-02-21 | IBM Security Verify Bridge information disclosure |
| CVE-2024-22341 | 2025-02-22 | IBM Watson Query on Cloud Pak for Data information disclosure |
| CVE-2024-13873 | 2025-02-22 | WP Job Portal <= 2.2.8 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection |
| CVE-2025-1509 | 2025-02-22 | Show Me The Cookies <= 1.0 - Unauthenticated Arbitrary Shortcode Execution |