CVE List - 2025 / March
Showing 1 - 100 of 4015 CVEs for March 2025 (Page 1 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-27416 | 2025-03-01 | Asking For Scratch Username And Password |
| CVE-2025-23118 | 2025-03-01 | An Improper Certificate Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera system. |
| CVE-2025-23115 | 2025-03-01 | A Use After Free vulnerability on UniFi Protect Cameras could allow a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras management network. |
| CVE-2025-23117 | 2025-03-01 | An Insufficient Firmware Update Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera system. |
| CVE-2025-23116 | 2025-03-01 | An Authentication Bypass vulnerability on UniFi Protect Application with Auto-Adopt Bridge Devices enabled could allow a malicious actor with access to UniFi Protect Cameras adjacent network to take control of... |
| CVE-2025-23119 | 2025-03-01 | An Improper Neutralization of Escape Sequences vulnerability could allow an Authentication Bypass with a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras adjacent network. |
| CVE-2024-13358 | 2025-03-01 | BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages <= 3.4.24 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update |
| CVE-2025-1780 | 2025-03-01 | BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages <= 3.4.25 - Cross-Site Request Forgery to Limited Settings Update |
| CVE-2024-13568 | 2025-03-01 | Fluent Support – Helpdesk & Customer Support Ticket System <= 1.8.5 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory |
| CVE-2025-0820 | 2025-03-01 | Clicface Trombi <= 2.08 - Authenticated (Contributor+) Stored Cross-Site Scripting via nom Parameter |
| CVE-2024-9217 | 2025-03-01 | Currency Switcher for WooCommerce <= 2.16.2 - Reflected Cross-Site Scripting |
| CVE-2024-13746 | 2025-03-01 | Booking Calendar and Notification <= 4.0.3 - Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions |
| CVE-2024-13750 | 2025-03-01 | Multilevel Referral Affiliate Plugin for WooCommerce <= 2.27 - Authenticated (Subscriber+) SQL Injection |
| CVE-2024-13518 | 2025-03-01 | Simple:Press <= 6.10.11 - Cross-Site Request Forgery to Unauthorized Post Editing |
| CVE-2024-13559 | 2025-03-01 | TemplatesNext ToolKit <= 3.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2024-9212 | 2025-03-01 | SKU Generator for WooCommerce <= 1.6.2 - Reflected Cross-Site Scripting |
| CVE-2024-13901 | 2025-03-01 | Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site <= 2.0.6 - Authenticated (Administrator+) DOM-Based Stored Cross-Site Scripting |
| CVE-2024-12824 | 2025-03-01 | Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change |
| CVE-2024-13373 | 2025-03-01 | Exertio Framework <= 1.3.1 - Unauthenticated Arbitrary User Password Update |
| CVE-2025-1502 | 2025-03-01 | IP2Location Redirection <= 1.33.3 - Missing Authorization to Unauthenticated Settings Export |
| CVE-2025-1730 | 2025-03-01 | Simple Download Counter <= 2.0 - Authenticated (Author+) Arbitrary File Read |
| CVE-2025-1459 | 2025-03-01 | Page Builder by SiteOrigin <= 2.31.4 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-1638 | 2025-03-01 | Alloggio Membership <= 1.1 - Authentication Bypass via Social Login Account Takeover |
| CVE-2025-1671 | 2025-03-01 | Academist Membership <= 1.1.6 - Authentication Bypass via Account Takeover |
| CVE-2025-1564 | 2025-03-01 | SetSail Membership <= 1.0.3 - Authentication Bypass via Account Takeover |
| CVE-2024-13911 | 2025-03-01 | Database Backup and check Tables Automated With Scheduler 2024 <= 2.35 - Authenticated (Administrator+) Sensitive Information Exposure |
| CVE-2024-13806 | 2025-03-01 | Authors List <= 2.0.6 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2024-12544 | 2025-03-01 | SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion via SurveyJS_DeleteFile |
| CVE-2024-13611 | 2025-03-01 | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory |
| CVE-2025-1291 | 2025-03-01 | Gutenberg Blocks by Kadence Blocks <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'icon' |
| CVE-2024-13697 | 2025-03-01 | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links |
| CVE-2024-13910 | 2025-03-01 | Database Backup and check Tables Automated With Scheduler 2024 <= 2.36 - Authenticated (Administrator+) Arbitrary File Deletion |
| CVE-2024-13546 | 2025-03-01 | GenerateBlocks <= 1.9.1 - Authenticated (Contributor+) Sensitive Information Exposure via 'get_image_description' |
| CVE-2025-1786 | 2025-03-01 | rizinorg rizin pdb.c msf_stream_directory_free buffer overflow |
| CVE-2025-1404 | 2025-03-01 | Secure Copy Content Protection and Content Locking <= 4.4.7 - Missing Authorization to Unauthenticated User Email Retrieval via ays_sccp_reports_user_search Function |
| CVE-2024-13833 | 2025-03-01 | Album Gallery – WordPress Gallery <= 1.6.3 - Authenticated (Editor+) PHP Object Injection via Gallery Meta |
| CVE-2025-1491 | 2025-03-01 | WP Posts Carousel <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play_timeout Parameter |
| CVE-2025-1788 | 2025-03-01 | rizinorg rizin utf8.c rz_utf8_encode heap-based overflow |
| CVE-2025-1791 | 2025-03-01 | Zorlan SkyCaiji Tool.php fileAction unrestricted upload |
| CVE-2024-41778 | 2025-03-01 | IBM Controller information disclosure |
| CVE-2025-1797 | 2025-03-01 | Hunan Zhonghe Baiyi Information Technology Baiyiyun Asset Management and Operations System anyUserBoundHouse.php sql injection |
| CVE-2025-1799 | 2025-03-01 | Zorlan SkyCaiji Tool.php previewAction server-side request forgery |
| CVE-2025-1800 | 2025-03-01 | D-Link DAR-7000 HTTP POST Request sxh_vpnlic.php get_ip_addr_details command injection |
| CVE-2025-1804 | 2025-03-01 | Blizzard Battle.Net profapi.dll uncontrolled search path |
| CVE-2025-1806 | 2025-03-01 | Eastnets PaymentSafe URL Default.aspx improper authorization |
| CVE-2025-25724 | 2025-03-02 | list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR... |
| CVE-2025-27579 | 2025-03-02 | In Bitaxe ESP-Miner before 2.5.0 with AxeOS, one can use an /api/system CSRF attack to update the payout address (aka stratumUser) for a Bitaxe Bitcoin miner, or change the frequency... |
| CVE-2025-1807 | 2025-03-02 | Eastnets PaymentSafe Edit Manual Reply directRouter.rfc cross site scripting |
| CVE-2025-1808 | 2025-03-02 | Pixsoft E-Saphira Login Endpoint servlet sql injection |
| CVE-2025-1809 | 2025-03-02 | Pixsoft Sol Login Endpoint servlet sql injection |
| CVE-2025-1810 | 2025-03-02 | Pixsoft Vivaz Login Endpoint servlet cross site scripting |
| CVE-2025-1811 | 2025-03-02 | AT Software Solutions ATSVD Login Endpoint login.aspx sql injection |
| CVE-2025-1812 | 2025-03-02 | zj1983 zz SuperZ.java GetUserOrg sql injection |
| CVE-2025-1813 | 2025-03-02 | zj1983 zz cross-site request forgery |
| CVE-2025-1814 | 2025-03-02 | Tenda AC6 WifiExtraSet stack-based overflow |
| CVE-2025-1815 | 2025-03-02 | pbrong hrms resource.go HrmsDB improper authorization |
| CVE-2025-1816 | 2025-03-02 | FFmpeg IAMF File iamf_parse.c audio_element_obu memory leak |
| CVE-2022-49733 | 2025-03-02 | ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC |
| CVE-2025-1817 | 2025-03-02 | Mini-Tmall Admin Name admin cross site scripting |
| CVE-2025-0895 | 2025-03-02 | IBM Cognos Mobile information disclosure |
| CVE-2024-55907 | 2025-03-02 | IBM Cognos Mobile information disclosure |
| CVE-2025-1818 | 2025-03-02 | zj1983 zz ZfileAction.upload unrestricted upload |
| CVE-2025-1819 | 2025-03-02 | Tenda AC7 1200M telnet TendaTelnet os command injection |
| CVE-2025-1820 | 2025-03-02 | zj1983 zz ZworkflowAction.java getOaWid sql injection |
| CVE-2024-36353 | 2025-03-02 | Insufficient clearing of GPU global memory could allow a malicious process running on the same GPU to read left over memory values potentially leading to loss of confidentiality. |
| CVE-2025-1821 | 2025-03-02 | zj1983 zz ZorgAction.java getUserOrgForUserId sql injection |
| CVE-2025-1829 | 2025-03-02 | TOTOLINK X18 cstecgi.cgi setMtknatCfg os command injection |
| CVE-2025-1830 | 2025-03-02 | zj1983 zz Customer Information cross site scripting |
| CVE-2025-1831 | 2025-03-02 | zj1983 zz ZorgAction.java GetDBUser sql injection |
| CVE-2025-1832 | 2025-03-02 | zj1983 zz ZroleAction.java getUserList sql injection |
| CVE-2025-1833 | 2025-03-02 | zj1983 zz HTTP Request Customer_noticeAction.java sendNotice server-side request forgery |
| CVE-2025-1834 | 2025-03-02 | zj1983 zz resolve unrestricted upload |
| CVE-2025-1835 | 2025-03-02 | osuuu LightPicture Api.php upload unrestricted upload |
| CVE-2025-1836 | 2025-03-02 | Incorta Edit Insight csv injection |
| CVE-2025-1840 | 2025-03-02 | ESAFENET CDG updateorg.jsp sql injection |
| CVE-2023-49031 | 2025-03-03 | Directory Traversal (Local File Inclusion) vulnerability in Tikit (now Advanced) eMarketing platform 6.8.3.0 allows a remote attacker to read arbitrary files and obtain sensitive information via a crafted payload to... |
| CVE-2024-51091 | 2025-03-03 | Cross Site Scripting vulnerability in seajs v.2.2.3 allows a remote attacker to execute arbitrary code via the seajs package |
| CVE-2024-53382 | 2025-03-03 | Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by... |
| CVE-2024-53384 | 2025-03-03 | A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components |
| CVE-2024-53386 | 2025-03-03 | Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML... |
| CVE-2024-53387 | 2025-03-03 | A DOM Clobbering vulnerability in umeditor v1.2.3 allows attackers to execute arbitrary code via supplying a crafted HTML element. |
| CVE-2024-53388 | 2025-03-03 | A DOM Clobbering vulnerability in mavo v0.3.2 allows attackers to execute arbitrary code via supplying a crafted HTML element. |
| CVE-2024-55064 | 2025-03-03 | Multiple cross-site scripting (XSS) vulnerabilities in EasyVirt DC NetScope <= 8.6.4 allow remote attackers to inject arbitrary JavaScript or HTML code via the (1) smtp_server, (2) smtp_account, (3) smtp_password, or... |
| CVE-2024-55570 | 2025-03-03 | /api/user/users in the web GUI for the Cubro EXA48200 network packet broker (build 20231025055018) fixed in V5.0R14.5P4-V3.3R1 allows remote authenticated users of the application to increase their privileges by sending... |
| CVE-2024-57240 | 2025-03-03 | A Cross-Site Scripting (XSS) vulnerability in the Rendering Engine component in Apryse WebViewer v11.1 and earlier allows attackers to execute arbitrary code via a crafted PDF file. |
| CVE-2025-25939 | 2025-03-03 | Reprise License Manager 14.2 is vulnerable to reflected cross-site scripting in /goform/activate_process via the akey parameter. |
| CVE-2025-25948 | 2025-03-03 | Incorrect access control in the component /rest/staffResource/create of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to create and modify user accounts, including an Administrator account. |
| CVE-2025-25949 | 2025-03-03 | A stored cross-site scripting (XSS) vulnerability in Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to execute arbitrary web scripts or HTML via injecting a... |
| CVE-2025-25950 | 2025-03-03 | Incorrect access control in the component /rest/staffResource/update of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to create and modify user accounts, including an Administrator account. |
| CVE-2025-25951 | 2025-03-03 | An information disclosure vulnerability in the component /rest/cb/executeBasicSearch of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access sensitive user information. |
| CVE-2025-25952 | 2025-03-03 | An Insecure Direct Object References (IDOR) in the component /getStudemtAllDetailsById?studentId=XX of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access sensitive user information via... |
| CVE-2025-25953 | 2025-03-03 | Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 was discovered to contain an Azure JWT access token exposure. This vulnerability allows authenticated attackers to escalate privileges and... |
| CVE-2025-25967 | 2025-03-03 | Acora CMS version 10.1.1 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw enables attackers to trick authenticated users into performing unauthorized actions, such as account deletion or user creation,... |
| CVE-2025-26206 | 2025-03-03 | Cross Site Request Forgery vulnerability in sell done storefront v.1.0 allows a remote attacker to escalate privileges via the index.html component |
| CVE-2025-27219 | 2025-03-03 | In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit... |
| CVE-2025-27220 | 2025-03-03 | In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. |
| CVE-2025-27221 | 2025-03-03 | In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the... |
| CVE-2025-27370 | 2025-03-03 | OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into... |
| CVE-2025-27371 | 2025-03-03 | In certain IETF OAuth 2.0-related specifications, when the JSON Web Token Profile for OAuth 2.0 Client Authentication mechanism is used, there are ambiguities in the audience values of JWTs sent... |
| CVE-2025-27583 | 2025-03-03 | Incorrect access control in the component /rest/staffResource/findAllUsersAcrossOrg of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to create and modify user accounts, including an Administrator account. |
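The libarchive entry above (CVE-2025-25724) names a pattern that recurs well beyond tar listing code: calling strftime and using the output buffer without checking the return value. strftime returns 0 when the buffer is too small, and the C standard then leaves the buffer contents indeterminate, so the caller goes on to print or copy stale or unterminated bytes. The following is an added example written for this page, not libarchive's code and not a reproduction of the advisory: the unchecked pattern beside a checked wrapper, exercised on a constructed date with a deliberately undersized buffer. The helper names (make_tm, format_time_unchecked, format_time_checked) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Build a struct tm for a calendar date. Hypothetical helper for the
   example; the date is constructed input, not data from any archive. */
struct tm make_tm(int year, int month, int day)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = year - 1900;   /* years since 1900 */
    t.tm_mon  = month - 1;     /* months since January, 0..11 */
    t.tm_mday = day;
    return t;
}

/* The pattern described in the advisory: the strftime return value is
   ignored and buf is then treated as a valid C string. If bufsize is too
   small, strftime returns 0 and buf is indeterminate: it may hold stale
   data from the caller or a partial result without a terminating NUL. */
void format_time_unchecked(char *buf, size_t bufsize, const char *fmt,
                           const struct tm *t)
{
    (void)strftime(buf, bufsize, fmt, t);
    /* the caller continues with buf as if the call had succeeded */
}

/* Hardened form: report failure and leave buf as a valid empty string so
   no caller can consume indeterminate bytes. Returns the number of
   characters written (excluding the NUL), or 0 on failure. */
size_t format_time_checked(char *buf, size_t bufsize, const char *fmt,
                           const struct tm *t)
{
    if (buf == NULL || bufsize == 0)
        return 0;
    size_t n = strftime(buf, bufsize, fmt, t);
    if (n == 0) {
        buf[0] = '\0';   /* make the failure safe as well as visible */
        return 0;
    }
    return n;
}

int main(void)
{
    struct tm t = make_tm(2025, 3, 2);   /* constructed input */
    char big[32];
    char small[8];                       /* too small for "YYYY-MM-DD" + NUL */

    size_t n = format_time_checked(big, sizeof big, "%Y-%m-%d", &t);
    printf("checked, 32-byte buffer: n=%zu \"%s\"\n", n, big);

    n = format_time_checked(small, sizeof small, "%Y-%m-%d", &t);
    printf("checked, 8-byte buffer:  n=%zu \"%s\" (failure reported)\n", n, small);

    memset(small, 'X', sizeof small);    /* stale caller data, as in real code */
    format_time_unchecked(small, sizeof small, "%Y-%m-%d", &t);
    /* print at most sizeof small bytes: there may be no NUL terminator */
    printf("unchecked, 8-byte buffer: \"%.*s\" (no error, contents indeterminate)\n",
           (int)sizeof small, small);
    return 0;
}
```

One caveat when adopting the checked form: strftime also returns 0 when the formatted result is legitimately empty (an empty format string, or a conversion that expands to nothing in the current locale), so code that can hit that case should size its buffer generously or check for an empty format up front rather than treating every 0 as an error. For fixed numeric formats such as "%Y-%m-%d", a 0 return is always a buffer problem.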