CVE List - 2025 / June
Showing 1101 - 1200 of 3683 CVEs for June 2025 (Page 12 of 37)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-1041 | 2025-06-10 | Avaya Call Management System RCE vulnerability |
| CVE-2025-27818 | 2025-06-10 | Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration |
| CVE-2025-27819 | 2025-06-10 | Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration |
| CVE-2025-27817 | 2025-06-10 | Apache Kafka Client: Arbitrary file read and SSRF vulnerability |
| CVE-2025-5740 | 2025-06-10 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file writes when an authenticated user on the web server manipulates file... |
| CVE-2025-5741 | 2025-06-10 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file reads from the charging station. The exploitation of this vulnerability does... |
| CVE-2025-5742 | 2025-06-10 | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists when an authenticated user modifies configuration parameters on the web server |
| CVE-2025-5743 | 2025-06-10 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote control over the charging station when an authenticated user modifies... |
| CVE-2025-3898 | 2025-06-10 | CWE-20: Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends HTTPS request containing invalid data type to the webserver. |
| CVE-2025-3899 | 2025-06-10 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in Certificates page on Webserver that could cause an unvalidated data injected by authenticated malicious user leading... |
| CVE-2025-3112 | 2025-06-10 | CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause Denial of Service when an authenticated malicious user sends manipulated HTTPS Content-Length header to the webserver. |
| CVE-2025-3905 | 2025-06-10 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists impacting PLC system variables that could cause an unvalidated data injected by authenticated malicious user leading to... |
| CVE-2025-3116 | 2025-06-10 | CWE-20: Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends special malformed HTTPS request containing improper formatted body data to the controller. |
| CVE-2025-4680 | 2025-06-10 | Improper Input Validation vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects upKeeper Instant Privilege Access: before 1.4.0. |
| CVE-2025-3117 | 2025-06-10 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists impacting configuration file paths that could cause an unvalidated data injected by authenticated malicious user leading to... |
| CVE-2025-4681 | 2025-06-10 | Improper Privilege Management vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Privilege Abuse.This issue affects upKeeper Instant Privilege Access: before 1.4.0. |
| CVE-2025-40654 | 2025-06-10 | SQL injection vulnerability in DM Corporative CMS |
| CVE-2025-40655 | 2025-06-10 | SQL injection vulnerability in DM Corporative CMS |
| CVE-2025-40656 | 2025-06-10 | SQL injection vulnerability in DM Corporative CMS |
| CVE-2025-40657 | 2025-06-10 | SQL injection vulnerability in DM Corporative CMS |
| CVE-2025-40658 | 2025-06-10 | Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS |
| CVE-2025-40659 | 2025-06-10 | Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS |
| CVE-2025-40660 | 2025-06-10 | Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS |
| CVE-2025-40661 | 2025-06-10 | Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS |
| CVE-2025-40662 | 2025-06-10 | Absolute path disclosure vulnerability in DM Corporative CMS |
| CVE-2024-13089 | 2025-06-10 | Authenticated RCE in update functionality in Guardian/CMC before 24.6.0 |
| CVE-2024-13090 | 2025-06-10 | Privilege escalation in Guardian/CMC before 24.6.0 |
| CVE-2025-41657 | 2025-06-10 | AUMA: Incorrect delivery status of the Bluetooth configuration |
| CVE-2025-43700 | 2025-06-10 | Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025. |
| CVE-2025-43701 | 2025-06-10 | Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data. This impacts OmniStudio: before version 254. |
| CVE-2025-4774 | 2025-06-10 | Premium Addons for Elementor <= 4.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget |
| CVE-2025-2918 | 2025-06-10 | Ultimate Blocks – WordPress Blocks Plugin <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets |
| CVE-2025-4577 | 2025-06-10 | Smash Balloon Custom Facebook Feed <= 4.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-color` Attribute |
| CVE-2025-43697 | 2025-06-10 | Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (DataMapper) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025 |
| CVE-2025-43698 | 2025-06-10 | Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for Salesforce objects. This impacts OmniStudio: before Spring 2025 |
| CVE-2025-43699 | 2025-06-10 | Client-Side Enforcement of Server-Side Security vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of required permission check. This impacts OmniStudio: before Spring 2025 |
| CVE-2025-49511 | 2025-06-10 | WordPress Civi Framework plugin <= 2.1.6 - Cross Site Request Forgery (CSRF) to User Deactivation vulnerability |
| CVE-2025-49510 | 2025-06-10 | WordPress Min Max Step Quantity Limits Manager for WooCommerce plugin <= 5.1.0 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-49509 | 2025-06-10 | WordPress Audio Editor & Recorder plugin <= 2.2.1 - Broken Access Control vulnerability |
| CVE-2025-49507 | 2025-06-10 | WordPress CozyStay < 1.7.1 - PHP Object Injection Vulnerability |
| CVE-2025-49455 | 2025-06-10 | WordPress TinySalt < 3.10.0 - PHP Object Injection Vulnerability |
| CVE-2025-49454 | 2025-06-10 | WordPress TinySalt < 3.10.0 - Local File Inclusion Vulnerability |
| CVE-2024-29198 | 2025-06-10 | GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost |
| CVE-2024-34711 | 2025-06-10 | GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF) |
| CVE-2025-22455 | 2025-06-10 | A hardcoded key in Ivanti Workspace Control before version 10.19.0.0 allows a local authenticated attacker to decrypt stored SQL credentials. |
| CVE-2025-22463 | 2025-06-10 | A hardcoded key in Ivanti Workspace Control before version 10.19.10.0 allows a local authenticated attacker to decrypt the stored environment password. |
| CVE-2025-5353 | 2025-06-10 | A hardcoded key in Ivanti Workspace Control before version 10.19.10.0 allows a local authenticated attacker to decrypt stored SQL credentials. |
| CVE-2025-26394 | 2025-06-10 | SolarWinds SWOSH Open Redirection Vulnerability |
| CVE-2025-26395 | 2025-06-10 | SolarWinds SWOSH DOM-based reflective XSS Vulnerability |
| CVE-2024-38524 | 2025-06-10 | GWC Home Page communicate version and revision information |
| CVE-2024-40625 | 2025-06-10 | GeoServer Coverage REST API Allows Server Side Request Forgery |
| CVE-2025-5335 | 2025-06-10 | Privilege Ecalation due to Untrusted Search Path Vulnerability |
| CVE-2025-27505 | 2025-06-10 | GeoServer Missing Authorization on REST API Index |
| CVE-2025-30145 | 2025-06-10 | GeoServer has an Infinite Loop Vulnerability in Jiffle process |
| CVE-2025-37100 | 2025-06-10 | Exposure of Sensitive Information to an Unauthorized User in HPE Aruba Networking Private 5G Core |
| CVE-2025-30220 | 2025-06-10 | GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling |
| CVE-2024-41797 | 2025-06-10 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.1), SCALANCE XC316-8 (6GK5324-8TS00-2AC2) (All versions < V3.1), SCALANCE XC324-4 (6GK5328-4TS00-2AC2) (All versions < V3.1), SCALANCE XC324-4 EEC... |
| CVE-2025-40567 | 2025-06-10 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.2), SCALANCE XC316-8 (6GK5324-8TS00-2AC2) (All versions < V3.2), SCALANCE XC324-4 (6GK5328-4TS00-2AC2) (All versions < V3.2), SCALANCE XC324-4 EEC... |
| CVE-2025-40568 | 2025-06-10 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.2), SCALANCE XC316-8 (6GK5324-8TS00-2AC2) (All versions < V3.2), SCALANCE XC324-4 (6GK5328-4TS00-2AC2) (All versions < V3.2), SCALANCE XC324-4 EEC... |
| CVE-2025-40569 | 2025-06-10 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.2), SCALANCE XC316-8 (6GK5324-8TS00-2AC2) (All versions < V3.2), SCALANCE XC324-4 (6GK5328-4TS00-2AC2) (All versions < V3.2), SCALANCE XC324-4 EEC... |
| CVE-2025-40585 | 2025-06-10 | A vulnerability has been identified in Energy Services (All versions with G5DFR). Affected solutions using G5DFR contain default credentials. This could allow an attacker to gain control of G5DFR component... |
| CVE-2025-40591 | 2025-06-10 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500... |
| CVE-2025-48067 | 2025-06-10 | OctoPrint vulnerable to possible file extraction via upload endpoints |
| CVE-2025-48879 | 2025-06-10 | OctoPrint Vulnerable to Denial of Service through malformed HTTP request |
| CVE-2025-48937 | 2025-06-10 | matrix-sdk-crypto vulnerable to sender of encrypted events being spoofed by homeserver administrator |
| CVE-2025-49142 | 2025-06-10 | Nautobot vulnerable to secrets exposure and data manipulation through Jinja2 templating |
| CVE-2025-49143 | 2025-06-10 | Nautobot may allows uploaded media files to be accessible without authentication |
| CVE-2025-4653 | 2025-06-10 | Remote Code Execution leads to Command Injection |
| CVE-2025-4678 | 2025-06-10 | Remote Code Execution leads to Command Injection |
| CVE-2025-43585 | 2025-06-10 | Adobe Commerce | Improper Authorization (CWE-285) |
| CVE-2025-27207 | 2025-06-10 | Adobe Commerce | Improper Access Control (CWE-284) |
| CVE-2025-47110 | 2025-06-10 | Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) |
| CVE-2025-43586 | 2025-06-10 | Adobe Commerce | Improper Access Control (CWE-284) |
| CVE-2025-27206 | 2025-06-10 | Adobe Commerce | Improper Access Control (CWE-284) |
| CVE-2023-20599 | 2025-06-10 | Improper register access control in ASP may allow a privileged attacker to perform unauthorized access to ASP’s Crypto Co-Processor (CCP) registers from x86, resulting in potential loss of control of... |
| CVE-2025-43590 | 2025-06-10 | InDesign Desktop | Out-of-bounds Write (CWE-787) |
| CVE-2025-47106 | 2025-06-10 | InDesign Desktop | Use After Free (CWE-416) |
| CVE-2025-43593 | 2025-06-10 | InDesign Desktop | Out-of-bounds Write (CWE-787) |
| CVE-2025-47104 | 2025-06-10 | InDesign Desktop | Out-of-bounds Read (CWE-125) |
| CVE-2025-47105 | 2025-06-10 | InDesign Desktop | Out-of-bounds Read (CWE-125) |
| CVE-2025-43558 | 2025-06-10 | InDesign Desktop | Out-of-bounds Write (CWE-787) |
| CVE-2025-30317 | 2025-06-10 | InDesign Desktop | Heap-based Buffer Overflow (CWE-122) |
| CVE-2025-43589 | 2025-06-10 | InDesign Desktop | Use After Free (CWE-416) |
| CVE-2025-30321 | 2025-06-10 | InDesign Desktop | NULL Pointer Dereference (CWE-476) |
| CVE-2025-47108 | 2025-06-10 | Substance3D - Painter | Out-of-bounds Write (CWE-787) |
| CVE-2025-33112 | 2025-06-10 | IBM AIX command execution |
| CVE-2025-5969 | 2025-06-10 | D-Link DIR-632 HTTP POST Request biurl_grou FUN_00425fd8 stack-based overflow |
| CVE-2024-45329 | 2025-06-10 | A authorization bypass through user-controlled key in Fortinet FortiPortal versions 7.4.0, versions 7.2.0 through 7.2.5, and versions 7.0.0 through 7.0.8 may allow an authenticated attacker to view unauthorized device information... |
| CVE-2024-54019 | 2025-06-10 | A improper validation of certificate with host mismatch in Fortinet FortiClientWindows version 7.4.0, versions 7.2.0 through 7.2.6, and 7.0 all versions allow an unauthorized attacker to redirect VPN connections via... |
| CVE-2024-50562 | 2025-06-10 | An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in... |
| CVE-2025-22251 | 2025-06-10 | An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated... |
| CVE-2025-31104 | 2025-06-10 | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiADC 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.7, 7.1.0 through 7.1.4,... |
| CVE-2024-32119 | 2025-06-10 | An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user's FCTUID and VDOM to perform operations... |
| CVE-2025-22256 | 2025-06-10 | A improper handling of insufficient permissions or privileges in Fortinet FortiPAM 1.4.0 through 1.4.1, 1.3.0, 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSRA 1.4.0 through 1.4.1 allows attacker to improper... |
| CVE-2025-22254 | 2025-06-10 | An Improper Privilege Management vulnerability [CWE-269] affecting Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16 and before 6.4.15, FortiProxy version 7.6.0 through 7.6.1... |
| CVE-2025-24471 | 2025-06-10 | An Improper Certificate Validation vulnerability [CWE-295] in FortiOS version 7.6.1 and below, version 7.4.7 and below may allow an EAP verified remote user to connect from FortiClient via revoked certificate. |
| CVE-2023-48786 | 2025-06-10 | A server-side request forgery vulnerability [CWE-918] in Fortinet FortiClientEMS version 7.4.0 through 7.4.2 and before 7.2.6 may allow an authenticated attacker to perform internal requests via crafted HTTP or HTTPS... |
| CVE-2023-29184 | 2025-06-10 | An incomplete cleanup vulnerability [CWE-459] in FortiOS 7.2 all versions and before & FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8 allows a VDOM privileged attacker to add SSH key... |
| CVE-2025-25250 | 2025-06-10 | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiOS version 7.6.0, version 7.4.7 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions SSL-VPN web-mode... |
| CVE-2024-50568 | 2025-06-10 | A channel accessible by non-endpoint vulnerability [CWE-300] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7 and before 7.0.14 & FortiProxy version 7.4.0 through 7.4.3, 7.2.0 through 7.2.9 and... |