CVE List - 2025 / April
Showing 1201 - 1300 of 4033 CVEs for April 2025 (Page 13 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-3408 | 2025-04-08 | Nothings stb stb_dupreplace integer overflow |
| CVE-2024-13820 | 2025-04-08 | Melhor Envio <= 2.15.9 - Unauthenticated Sensitive Information Exposure via Hardcoded Hash |
| CVE-2025-2004 | 2025-04-08 | Simple WP Events <= 1.8.17 - Unauthenticated Arbitrary File Deletion |
| CVE-2025-3409 | 2025-04-08 | Nothings stb stb_include_string stack-based overflow |
| CVE-2025-20934 | 2025-04-08 | Improper access control in Sticker Center prior to SMR Apr-2025 Release 1 allows local attackers to access image files with system privilege. |
| CVE-2025-20935 | 2025-04-08 | Improper handling of insufficient permission or privileges in ClipboardService prior to SMR Apr-2025 Release 1 allows local attackers to access files with system privilege. User interaction is required for triggering... |
| CVE-2025-20936 | 2025-04-08 | Improper access control in HDCP trustlet prior to SMR Apr-2025 Release 1 allows local attackers with shell privilege to escalate their privileges to root. |
| CVE-2025-20938 | 2025-04-08 | Improper access control in SamsungContacts prior to SMR Apr-2025 Release 1 allows local attackers to access protected data in SamsungContacts. |
| CVE-2025-20940 | 2025-04-08 | Improper handling of insufficient permission in Samsung Device Health Manager Service prior to SMR Apr-2025 Release 1 allows local attackers to access provider in SDMHS. |
| CVE-2025-20941 | 2025-04-08 | Improper access control in InputManager to SMR Apr-2025 Release 1 allows local attackers to access the scancode of specific input device. |
| CVE-2025-20942 | 2025-04-08 | Improper Verification of Intent by Broadcast Receiver in DeviceIdService prior to SMR Apr-2025 Release 1 allows local attackers to reset OAID. |
| CVE-2025-20943 | 2025-04-08 | Out-of-bounds write in secfr trustlet prior to SMR Apr-2025 Release 1 allows local privileged attackers to cause memory corruption. |
| CVE-2025-20944 | 2025-04-08 | Out-of-bounds read in parsing audio data in libsavsac.so prior to SMR Apr-2025 Release 1 allows local attackers to read out-of-bounds memory. |
| CVE-2025-20945 | 2025-04-08 | Improper access control in Galaxy Watch prior to SMR Apr-2025 Release 1 allows local attackers to access sensitive information of Galaxy watch. |
| CVE-2025-20947 | 2025-04-08 | Improper handling of insufficient permission or privileges in ClipboardService prior to SMR Apr-2025 Release 1 allows local attackers to access image files across multiple users. User interaction is required for... |
| CVE-2025-20948 | 2025-04-08 | Out-of-bounds read in enrollment with cdsp frame secfr trustlet prior to SMR Apr-2025 Release 1 allows local privileged attackers to read out-of-bounds memory. |
| CVE-2025-20950 | 2025-04-08 | Use of implicit intent for sensitive communication in SamsungNotes prior to version 4.4.26.45 allows local attackers to access sensitive information. |
| CVE-2025-20951 | 2025-04-08 | Improper verification of intent by broadcast receiver vulnerability in Galaxy Store prior to version 4.5.90.7 allows local attackers to write arbitrary files with the privilege of Galaxy Store. |
| CVE-2025-20939 | 2025-04-08 | Improper authorization in wireless download protocol in Galaxy Watch prior to SMR Apr-2025 Release 1 allows physical attackers to update device unique identifier of Watch devices. |
| CVE-2025-20946 | 2025-04-08 | Improper handling of exceptional conditions in pairing specific bluetooth devices in Galaxy Watch Bluetooth pairing prior to SMR Apr-2025 Release 1 allows local attackers to pair with specific bluetooth devices... |
| CVE-2025-3410 | 2025-04-08 | mymagicpower AIAS LocalStorageController.java unrestricted upload |
| CVE-2025-3411 | 2025-04-08 | mymagicpower AIAS AsrController.java server-side request forgery |
| CVE-2025-3412 | 2025-04-08 | mymagicpower AIAS InferController.java server-side request forgery |
| CVE-2024-47261 | 2025-04-08 | 51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files... |
| CVE-2025-0361 | 2025-04-08 | During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed for unauthenticated username enumeration through the VAPIX... |
| CVE-2025-3413 | 2025-04-08 | opplus springboot-admin SysGeneratorController.java code deserialization |
| CVE-2025-3427 | 2025-04-08 | 3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'infill_text' |
| CVE-2025-3429 | 2025-04-08 | 3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'material_text' |
| CVE-2025-3430 | 2025-04-08 | 3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'printer_text' |
| CVE-2019-25223 | 2025-04-08 | Team Circle Image Slider With Lightbox <= 1.0.4 - Authenticated (Admin+) SQL Injection |
| CVE-2025-3428 | 2025-04-08 | 3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'coating_text' |
| CVE-2025-23186 | 2025-04-08 | Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP |
| CVE-2025-26653 | 2025-04-08 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) |
| CVE-2025-26654 | 2025-04-08 | Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud) |
| CVE-2025-26657 | 2025-04-08 | Information Disclosure vulnerability in SAP KMC WPC |
| CVE-2025-27428 | 2025-04-08 | Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection) |
| CVE-2025-27429 | 2025-04-08 | Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) |
| CVE-2025-27435 | 2025-04-08 | Information Disclosure Vulnerability in SAP Commerce Cloud |
| CVE-2025-27437 | 2025-04-08 | Missing Authorization check in SAP NetWeaver Application Server ABAP (Virus Scan Interface) |
| CVE-2025-30013 | 2025-04-08 | Code Injection vulnerability in SAP ERP BW Business Content |
| CVE-2025-30014 | 2025-04-08 | Directory Traversal vulnerability in SAP Capital Yield Tax Management |
| CVE-2025-30015 | 2025-04-08 | Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP) |
| CVE-2025-30016 | 2025-04-08 | Authentication Bypass Vulnerability in SAP Financial Consolidation |
| CVE-2025-30017 | 2025-04-08 | Missing Authorization check in SAP Solution Manager |
| CVE-2025-31330 | 2025-04-08 | Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) |
| CVE-2025-31331 | 2025-04-08 | Authorization Bypass vulnerability in SAP NetWeaver |
| CVE-2025-31332 | 2025-04-08 | Insecure File permissions vulnerability in SAP BusinessObjects Business Intelligence Platform |
| CVE-2025-31333 | 2025-04-08 | Odata meta-data tampering in SAP S4CORE entity |
| CVE-2025-3431 | 2025-04-08 | ZoomSounds - WordPress Wave Audio Player with Playlist <= 6.91 - Unauthenticated Arbitrary File Download |
| CVE-2025-2882 | 2025-04-08 | GreenPay(tm) by Green.Money 3.0.0 - 3.0.9 - Unauthenticated Information Exposure |
| CVE-2025-22008 | 2025-04-08 | regulator: check that dummy regulator has been probed before using it |
| CVE-2025-22009 | 2025-04-08 | regulator: dummy: force synchronous probing |
| CVE-2025-22010 | 2025-04-08 | RDMA/hns: Fix soft lockup during bt pages loop |
| CVE-2025-22011 | 2025-04-08 | ARM: dts: bcm2711: Fix xHCI power-domain |
| CVE-2025-22012 | 2025-04-08 | Revert "arm64: dts: qcom: sdm845: Affirm IDR0.CCTW on apps_smmu" |
| CVE-2025-22013 | 2025-04-08 | KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state |
| CVE-2025-22014 | 2025-04-08 | soc: qcom: pdr: Fix the potential deadlock |
| CVE-2025-22015 | 2025-04-08 | mm/migrate: fix shmem xarray update during migration |
| CVE-2025-22016 | 2025-04-08 | dpll: fix xa_alloc_cyclic() error handling |
| CVE-2025-22017 | 2025-04-08 | devlink: fix xa_alloc_cyclic() error handling |
| CVE-2024-41788 | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the input parameters in specific GET requests. This... |
| CVE-2024-41789 | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the language parameter in specific POST requests. This... |
| CVE-2024-41790 | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the region parameter in specific POST requests. This... |
| CVE-2024-41791 | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not authenticate report creation requests. This could allow an unauthenticated... |
| CVE-2025-3432 | 2025-04-08 | AAWEP Obfuscator <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting |
| CVE-2024-41792 | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices contains a path traversal vulnerability. This could allow an unauthenticated attacker... |
| CVE-2025-3433 | 2025-04-08 | Advanced Advertising System <= 1.3.1 - Open Redirect |
| CVE-2025-3436 | 2025-04-08 | coreActivity: Activity Logging for WordPress <= 2.7 - Authenticated (Subscriber+) SQL Injection |
| CVE-2025-3064 | 2025-04-08 | WPFront User Role Editor <= 4.2.1 - Cross-Site Request Forgery to Privilege Escalation via whitelist_options Function |
| CVE-2024-41793 | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices provides an endpoint that allows to enable the ssh service without... |
| CVE-2024-41794 | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). Affected devices contain hardcoded credentials for remote access to the device operating system with root privileges. This... |
| CVE-2024-41795 | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices is vulnerable to Cross-Site Request Forgery (CSRF) attacks. This could allow... |
| CVE-2024-41796 | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices allows to change the login password without knowing the current password.... |
| CVE-2024-54092 | 2025-04-08 | A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64... |
| CVE-2025-29999 | 2025-04-08 | A vulnerability has been identified in Siemens License Server (SLS) (All versions < V4.3). The affected application searches for executable files in the application folder without proper validation. This could... |
| CVE-2025-30000 | 2025-04-08 | A vulnerability has been identified in Siemens License Server (SLS) (All versions < V4.3). The affected application does not properly restrict permissions of the users. This could allow a lowly-privileged... |
| CVE-2025-30280 | 2025-04-08 | A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions < V10.12.16), Mendix Runtime V10.18 (All versions < V10.18.5), Mendix Runtime V10.6... |
| CVE-2025-2807 | 2025-04-08 | Motors – Car Dealership & Classified Listings Plugin <= 1.4.64 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation |
| CVE-2025-2808 | 2025-04-08 | Motors – Car Dealership & Classified Listings Plugin <= 1.4.63 - Authenticated (Subscriber+) Stored Cross-Site Scripting |
| CVE-2025-3437 | 2025-04-08 | Motors – Car Dealership & Classified Listings Plugin <= 1.4.66 - Missing Authorization to Authenticated (Subscriber+) Wizard Set-up |
| CVE-2025-2883 | 2025-04-08 | Accept SagePay Payments Using Contact Form 7 <= 2.0 - Unauthenticated Information Exposure |
| CVE-2025-29986 | 2025-04-08 | Dell Common Event Enabler, version(s) CEE 9.0.0.0, contain(s) an Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Common Anti-Virus Agent (CAVA). An unauthenticated attacker with remote access... |
| CVE-2025-29985 | 2025-04-08 | Dell Common Event Enabler, version(s) CEE 9.0.0.0, contain(s) an Initialization of a Resource with an Insecure Default vulnerability in the Common Anti-Virus Agent (CAVA). An unauthenticated attacker with remote access... |
| CVE-2025-30166 | 2025-04-08 | Pimcore's Admin Classic Bundle allows HTML Injection |
| CVE-2025-2568 | 2025-04-08 | Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce 1.0.4 - 1.2.1 - Missing Authorization to Unauthenticated Limited Arbitrary Options Update |
| CVE-2025-2876 | 2025-04-08 | MelaPress Login Security and MelaPress Login Security Premium 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion |
| CVE-2025-30151 | 2025-04-08 | Shopware allows Denial Of Service via password length |
| CVE-2025-30150 | 2025-04-08 | Shopware 6 allows attackers to check for registered accounts through the store-api |
| CVE-2025-31498 | 2025-04-08 | c-ares has a use-after-free in read_answers() |
| CVE-2025-22855 | 2025-04-08 | An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Fortinet FortiClient before 7.4.1 may allow the EMS administrator to send messages containing javascript code. |
| CVE-2025-25254 | 2025-04-08 | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, 7.2 all versions, 7.0 all versions... |
| CVE-2024-54025 | 2025-04-08 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator CLI before version 2.4.6 allows a privileged attacker to execute unauthorized... |
| CVE-2024-54024 | 2025-04-08 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator before version 2.4.6 allows a privileged attacker with super-admin profile and... |
| CVE-2024-32122 | 2025-04-08 | A storing passwords in a recoverable format in Fortinet FortiOS versions 7.2.0 through 7.2.1 allows attacker to information disclosure via modification of LDAP server IP to point to a malicious... |
| CVE-2024-46671 | 2025-04-08 | An Incorrect User Management vulnerability [CWE-286] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, version 7.2.10 and below, version 7.0.11 and below widgets dashboard may allow an authenticated... |
| CVE-2024-52962 | 2025-04-08 | An Improper Output Neutralization for Logs vulnerability [CWE-117] in FortiAnalyzer version 7.6.1 and below, version 7.4.5 and below, version 7.2.8 and below, version 7.0.13 and below and FortiManager version 7.6.1... |
| CVE-2023-37930 | 2025-04-08 | Multiple issues including the use of uninitialized ressources [CWE-908] and excessive iteration [CWE-834] vulnerabilities in Fortinet FortiOS SSL VPN webmode version 7.4.0, version 7.2.0 through 7.2.5, version 7.0.1 through 7.0.11... |
| CVE-2024-26013 | 2025-04-08 | A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16,... |
| CVE-2024-50565 | 2025-04-08 | A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through... |
| CVE-2025-22458 | 2025-04-08 | DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System. |