CVE List - 2025 / March
Showing 2401 - 2500 of 4015 CVEs for March 2025 (Page 25 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-12766 | 2025-03-20 | SSRF in parisneo/lollms-webui |
| CVE-2024-12387 | 2025-03-20 | Improper Input Validation in binary-husky/gpt_academic |
| CVE-2024-8556 | 2025-03-20 | Stored XSS in modelscope/agentscope |
| CVE-2024-8769 | 2025-03-20 | Arbitrary File Deletion via Relative Path Traversal in aimhubio/aim |
| CVE-2024-8487 | 2025-03-20 | CORS Vulnerability in modelscope/agentscope |
| CVE-2024-12048 | 2025-03-20 | IDOR Vulnerability in transformeroptimus/superagi |
| CVE-2024-12779 | 2025-03-20 | SSRF in infiniflow/ragflow |
| CVE-2024-10650 | 2025-03-20 | Denial of Service (DoS) in gaizhenbiao/chuanhuchatgpt |
| CVE-2024-8101 | 2025-03-20 | Stored XSS in aimhubio/aim |
| CVE-2025-0454 | 2025-03-20 | SSRF Check Bypass in Requests Utility in significant-gravitas/autogpt |
| CVE-2025-0508 | 2025-03-20 | MD5 Hash Collision in SageMaker Workflow in aws/sagemaker-python-sdk |
| CVE-2024-8017 | 2025-03-20 | Cross-site Scripting (XSS) in open-webui/open-webui |
| CVE-2024-12866 | 2025-03-20 | Local File Inclusion in netease-youdao/qanything |
| CVE-2024-8248 | 2025-03-20 | Path Traversal in mintplex-labs/anything-llm |
| CVE-2024-10549 | 2025-03-20 | Denial of Service by ReDOS in h2oai/h2o-3 |
| CVE-2024-12063 | 2025-03-20 | Denial of Service in imartinez/privategpt |
| CVE-2024-8196 | 2025-03-20 | Missing Authentication for Critical Function in mintplex-labs/anything-llm |
| CVE-2024-7764 | 2025-03-20 | SQL Injection in vanna-ai/vanna |
| CVE-2024-6825 | 2025-03-20 | Remote Code Execution in BerriAI/litellm |
| CVE-2024-12392 | 2025-03-20 | Server-Side Request Forgery (SSRF) in binary-husky/gpt_academic |
| CVE-2024-10457 | 2025-03-20 | SSRF Vulnerabilities in significant-gravitas/autogpt |
| CVE-2024-9216 | 2025-03-20 | Authentication Bypass in gaizhenbiao/ChuanhuChatGPT |
| CVE-2025-0184 | 2025-03-20 | Server-Side Request Forgery (SSRF) in langgenius/dify |
| CVE-2024-8613 | 2025-03-20 | Improper Access Control in gaizhenbiao/chuanhuchatgpt |
| CVE-2024-12215 | 2025-03-20 | Remote Code Execution in kedro-org/kedro |
| CVE-2024-10956 | 2025-03-20 | Cross-Site WebSocket Hijacking in binary-husky/gpt_academic |
| CVE-2024-13923 | 2025-03-20 | Order Export & Order Import for WooCommerce <= 2.6.0 - Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function |
| CVE-2024-13922 | 2025-03-20 | Order Export & Order Import for WooCommerce <= 2.6.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function |
| CVE-2024-13558 | 2025-03-20 | NP Quote Request for WooCommerce <= 1.9.179 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure |
| CVE-2025-2539 | 2025-03-20 | File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read |
| CVE-2025-1802 | 2025-03-20 | HT Mega – Absolute Addons For Elementor <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets |
| CVE-2024-13921 | 2025-03-20 | Order Export & Order Import for WooCommerce <= 2.6.0 - Authenticated (Admin+) PHP Object Injection via form_data Parameter |
| CVE-2024-13920 | 2025-03-20 | Order Export & Order Import for WooCommerce <= 2.6.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function |
| CVE-2025-27888 | 2025-03-20 | Apache Druid: Server-Side Request Forgery and Cross-Site Scripting |
| CVE-2025-2311 | 2025-03-20 | Authentication Bypass in Sechard Information Technologies' SecHard |
| CVE-2025-1496 | 2025-03-20 | Improper Authentication in BG-TEK's Coslat Hotspot |
| CVE-2025-0254 | 2025-03-20 | HCL Digital Experience components Ring API and dxclient may be vulnerable to man-in-the-middle (MitM) attacks prior to 9.5 CF226. |
| CVE-2025-2546 | 2025-03-20 | D-Link DIR-618/DIR-605L Firewall Service formAdvFirewall access control |
| CVE-2025-23120 | 2025-03-20 | A vulnerability allowing remote code execution (RCE) for domain users. |
| CVE-2025-2547 | 2025-03-20 | D-Link DIR-618/DIR-605L formAdvNetwork access control |
| CVE-2025-2548 | 2025-03-20 | D-Link DIR-618/DIR-605L formSetDomainFilter access control |
| CVE-2025-2565 | 2025-03-20 | The data exposure vulnerability in Liferay Portal 7.4.0 through 7.4.3.126, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update... |
| CVE-2025-2549 | 2025-03-20 | D-Link DIR-618/DIR-605L formSetPassword access control |
| CVE-2025-2550 | 2025-03-20 | D-Link DIR-618/DIR-605L DDNS Service formSetDDNS access control |
| CVE-2025-2480 | 2025-03-20 | Santesoft Sante DICOM Viewer Pro Out-of-bounds Write |
| CVE-2024-7598 | 2025-03-20 | Network restriction bypass via race condition during namespace termination |
| CVE-2025-2551 | 2025-03-20 | D-Link DIR-618/DIR-605L formSetPortTr access control |
| CVE-2025-2552 | 2025-03-20 | D-Link DIR-618/DIR-605L formTcpipSetup access control |
| CVE-2025-2553 | 2025-03-20 | D-Link DIR-618/DIR-605L formVirtualServ access control |
| CVE-2025-29914 | 2025-03-20 | OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME` |
| CVE-2025-29922 | 2025-03-20 | kcp allows unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace |
| CVE-2025-2555 | 2025-03-20 | Audi Universal Traffic Recorder App FTP Credentials hard-coded password |
| CVE-2025-2556 | 2025-03-20 | Audi UTR Dashcam Video Stream hard-coded credentials |
| CVE-2025-29923 | 2025-03-20 | go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment |
| CVE-2025-30160 | 2025-03-20 | Redlib allows a Denial of Service via DEFLATE Decompression Bomb in restore_preferences Form |
| CVE-2025-2557 | 2025-03-20 | Audi UTR Dashcam Command API access control |
| CVE-2025-29980 | 2025-03-20 | Blind SQL Injection vulnerability in eTRAKiT.Net |
| CVE-2025-30334 | 2025-03-20 | OpenBSD wg(4) kernel crash |
| CVE-2025-2538 | 2025-03-20 | BUG-000174336 |
| CVE-2025-2574 | 2025-03-20 | Out-of-bounds array write in Xpdf 4.05 due to incorrect integer overflow checking |
| CVE-2024-54551 | 2025-03-20 | The issue was addressed with improved memory handling. This issue is fixed in watchOS 10.6, tvOS 17.6, Safari 17.6, macOS Sonoma 14.6, visionOS 1.3, iOS 17.6 and iPadOS 17.6. Processing... |
| CVE-2024-44199 | 2025-03-20 | An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Sonoma 14.6. An app may be able to cause unexpected system termination or read kernel... |
| CVE-2024-54564 | 2025-03-20 | This issue was addressed through improved state management. This issue is fixed in visionOS 1.3, macOS Sonoma 14.6, iOS 17.6 and iPadOS 17.6. A file received from AirDrop may not... |
| CVE-2024-44305 | 2025-03-20 | This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.6. An app may be able to gain root privileges. |
| CVE-2024-53348 | 2025-03-21 | LoxiLB v.0.9.7 and before is vulnerable to Incorrect Access Control which allows attackers to obtain sensitive information and escalate privileges. |
| CVE-2024-53349 | 2025-03-21 | Insecure permissions in kuadrant v0.11.3 allow attackers to gain access to the service account's token, leading to escalation of privileges via the secretes component in the k8s cluster |
| CVE-2024-53350 | 2025-03-21 | Insecure permissions in kubeslice v1.3.1 allow attackers to gain access to the service account's token, leading to escalation of privileges. |
| CVE-2024-53351 | 2025-03-21 | Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges. |
| CVE-2024-57490 | 2025-03-21 | Guangzhou Hongfan Technology Co., LTD. iOffice20 has any user login vulnerability. An attacker can log in to any system account including the system administrator through a logical flaw. |
| CVE-2025-29223 | 2025-03-21 | Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability via the pt parameter in the traceRoute function. |
| CVE-2025-29226 | 2025-03-21 | In Linksys E5600 V1.1.0.26, the \usr\share\lua\runtime.lua file contains a command injection vulnerability in the runtime.pingTest function via the pt["count"] parameter. |
| CVE-2025-29227 | 2025-03-21 | In Linksys E5600 V1.1.0.26, the \usr\share\lua\runtime.lua file contains a command injection vulnerability in the runtime.pingTest function via the pt["pkgsize"] parameter. |
| CVE-2025-29230 | 2025-03-21 | Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.emailReg function. The vulnerability can be triggered via the `pt["email"]` parameter. |
| CVE-2025-29640 | 2025-03-21 | Phpgurukul Human Metapneumovirus (HMPV) – Testing Management System v1.0 is vulnerable to SQL Injection in /patient-report.php via the parameter searchdata.. |
| CVE-2025-29641 | 2025-03-21 | Phpgurukul Vehicle Record Management System v1.0 is vulnerable to SQL Injection in /index.php via the 'searchinputdata' parameter. |
| CVE-2025-30342 | 2025-03-21 | An XSS issue was discovered in OpenSlides before 4.2.5. When submitting descriptions such as Moderator Notes or Agenda Topics, an editor is shown that allows one to format the submitted... |
| CVE-2025-30343 | 2025-03-21 | A directory traversal issue was discovered in OpenSlides before 4.2.5. Files can be uploaded to OpenSlides meetings and organized in folders. The interface allows users to download a ZIP archive... |
| CVE-2025-30344 | 2025-03-21 | An issue was discovered in OpenSlides before 4.2.5. During login at the /system/auth/login/ endpoint, the system's response times differ depending on whether a user exists in the system. The timing... |
| CVE-2025-30345 | 2025-03-21 | An issue was discovered in OpenSlides before 4.2.5. When creating new chats via the chat_group.create action, the user is able to specify the name of the chat. Some HTML elements... |
| CVE-2025-30346 | 2025-03-21 | Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests. |
| CVE-2025-30347 | 2025-03-21 | Varnish Enterprise before 6.0.13r13 allows remote attackers to obtain sensitive information via an out-of-bounds read for range requests on ephemeral MSE4 stevedore objects. |
| CVE-2025-30348 | 2025-03-21 | encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). |
| CVE-2025-30349 | 2025-03-21 | Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that... |
| CVE-2023-28207 | 2025-03-21 | The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. A plug-in may be able to inherit app... |
| CVE-2025-29807 | 2025-03-21 | Microsoft Dataverse Remote Code Execution Vulnerability |
| CVE-2025-29814 | 2025-03-21 | Microsoft Partner Center Elevation of Privilege Vulnerability |
| CVE-2025-2585 | 2025-03-21 | EBM Technologies EBM Maintenance Center - SQL injection |
| CVE-2025-26336 | 2025-03-21 | Dell Chassis Management Controller Firmware for Dell PowerEdge FX2, version(s) prior to 2.40.200.202101130302, and Dell Chassis Management Controller Firmware for Dell PowerEdge VRTX version(s) prior to 3.41.200.202209300499, contain(s) a Stack-based... |
| CVE-2025-2581 | 2025-03-21 | xmedcon DICOM File malloc integer underflow |
| CVE-2024-50053 | 2025-03-21 | Stored XSS |
| CVE-2025-2582 | 2025-03-21 | SimpleMachines SMF ManageAttachments.php cross site scripting |
| CVE-2025-2583 | 2025-03-21 | SimpleMachines SMF ManageNews.php cross site scripting |
| CVE-2024-13903 | 2025-03-21 | quickjs-ng QuickJS qjs quickjs.c JS_GetRuntime stack-based overflow |
| CVE-2025-2584 | 2025-03-21 | WebAssembly wabt binary-reader-interp.cc GetReturnCallDropKeepCount heap-based overflow |
| CVE-2025-27715 | 2025-03-21 | Auto-Enrollment of Team Admins into Private Channels without explicit consent |
| CVE-2025-27933 | 2025-03-21 | Unauthorized Private-to-Public Channel Conversion |
| CVE-2025-25274 | 2025-03-21 | Unauthorized Command Execution in Archived Channels |
| CVE-2025-30179 | 2025-03-21 | MFA Enforcement Bypass in Search APIs |
| CVE-2025-24920 | 2025-03-21 | Unauthorized Bookmark Creation and Modification in Archived Channels |
| CVE-2025-25068 | 2025-03-21 | Bypassing MFA Enforcement on Plugin Endpoints |