CVE List - 2025 / July
Showing 2401 - 2500 of 3776 CVEs for July 2025 (Page 25 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-7868 | 2025-07-20 | Portabilis i-Educar Calendar educar_calendario_dia_motivo_cad.php cross site scripting |
| CVE-2025-7869 | 2025-07-20 | Portabilis i-Educar Turma Module educar_turma_tipo_det.php cross site scripting |
| CVE-2025-7870 | 2025-07-20 | Portabilis i-Diario justificativas-de-falta Endpoint cross site scripting |
| CVE-2025-7871 | 2025-07-20 | Portabilis i-Diario conteudos cross site scripting |
| CVE-2025-7872 | 2025-07-20 | Portabilis i-Diario justificativas-de-falta cross site scripting |
| CVE-2025-7873 | 2025-07-20 | Metasoft 美特软件 MetaCRM mcc_login.jsp sql injection |
| CVE-2025-7874 | 2025-07-20 | Metasoft 美特软件 MetaCRM env.jsp information disclosure |
| CVE-2025-7875 | 2025-07-20 | Metasoft 美特软件 MetaCRM debug.jsp improper authentication |
| CVE-2025-7876 | 2025-07-20 | Metasoft 美特软件 MetaCRM download.jsp AnalyzeParam deserialization |
| CVE-2025-7877 | 2025-07-20 | Metasoft 美特软件 MetaCRM sendfile.jsp unrestricted upload |
| CVE-2025-7878 | 2025-07-20 | Metasoft 美特软件 MetaCRM upload2.jsp unrestricted upload |
| CVE-2025-7879 | 2025-07-20 | Metasoft 美特软件 MetaCRM mobileupload.jsp unrestricted upload |
| CVE-2025-7880 | 2025-07-20 | Metasoft 美特软件 MetaCRM sendsms.jsp unrestricted upload |
| CVE-2025-7881 | 2025-07-20 | Mercusys MW301R Web Interface password recovery |
| CVE-2025-7882 | 2025-07-20 | Mercusys MW301R Login excessive authentication |
| CVE-2025-7883 | 2025-07-20 | Eluktronics Control Center Powershell Script Command command injection |
| CVE-2025-7884 | 2025-07-20 | Eluktronics Control Center REG File data authenticity |
| CVE-2025-7885 | 2025-07-20 | Huashengdun WebSSH Login Page cross site scripting |
| CVE-2025-7886 | 2025-07-20 | pmTicket Project-Management-Software class.database.php getUserLanguage sql injection |
| CVE-2025-7887 | 2025-07-20 | Zavy86 WikiDocs template.inc.php cross site scripting |
| CVE-2025-7888 | 2025-07-20 | TDuckCloud tduck-platform UserFormDataMapper.java UserFormDataMapper sql injection |
| CVE-2025-7889 | 2025-07-20 | CallApp Caller ID App caller.id.phone.number.block AndroidManifest.xml improper export of android application components |
| CVE-2025-7890 | 2025-07-20 | Dunamu StockPlus App com.dunamu.stockplus AndroidManifest.xml improper export of android application components |
| CVE-2025-7891 | 2025-07-20 | InstantBits Web Video Cast App com.instantbits.cast.webvideo AndroidManifest.xml improper export of android application components |
| CVE-2025-7892 | 2025-07-20 | IDnow App de.idnow AndroidManifest.xml improper export of android application components |
| CVE-2025-7893 | 2025-07-20 | Foresight News App pro.foresightnews.appa AndroidManifest.xml improper export of android application components |
| CVE-2025-7894 | 2025-07-20 | Onyx Chat Interface a3_generate_simple_sql.py generate_simple_sql sql injection |
| CVE-2025-46382 | 2025-07-20 | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor |
| CVE-2025-7895 | 2025-07-20 | harry0703 MoneyPrinterTurbo File Extension video.py upload_bgm_file unrestricted upload |
| CVE-2025-46383 | 2025-07-20 | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') |
| CVE-2025-46384 | 2025-07-20 | CWE-434 Unrestricted Upload of File with Dangerous Type |
| CVE-2025-46385 | 2025-07-20 | CWE-918 Server-Side Request Forgery (SSRF) |
| CVE-2025-7896 | 2025-07-20 | harry0703 MoneyPrinterTurbo video.py delete_video path traversal |
| CVE-2025-7897 | 2025-07-20 | harry0703 MoneyPrinterTurbo API Endpoint base.py verify_token missing authentication |
| CVE-2025-7898 | 2025-07-20 | Codecanyon iDentSoft Account Setting Page updateSetting unrestricted upload |
| CVE-2025-7901 | 2025-07-20 | yangzongzhuan RuoYi Swagger UI index.html cross site scripting |
| CVE-2025-7902 | 2025-07-20 | yangzongzhuan RuoYi SysNoticeController.java addSave cross site scripting |
| CVE-2025-7903 | 2025-07-20 | yangzongzhuan RuoYi Image Source ui layer |
| CVE-2025-7904 | 2025-07-20 | itsourcecode Insurance Management System insertNominee.php sql injection |
| CVE-2025-7905 | 2025-07-20 | itsourcecode Insurance Management System insertPayment.php sql injection |
| CVE-2025-7906 | 2025-07-20 | yangzongzhuan RuoYi CommonController.java uploadFile unrestricted upload |
| CVE-2025-7907 | 2025-07-20 | yangzongzhuan RuoYi Druid application-druid.yml default credentials |
| CVE-2025-7908 | 2025-07-20 | D-Link DI-8100 jhttpd ddns.asp sprintf stack-based overflow |
| CVE-2025-7909 | 2025-07-20 | D-Link DIR-513 Boa Webserver formLanSetupRouterSettings sprintf stack-based overflow |
| CVE-2025-7910 | 2025-07-20 | D-Link DIR-513 Boa Webserver formSetWanNonLogin sprintf stack-based overflow |
| CVE-2025-53771 | 2025-07-20 | Microsoft SharePoint Server Spoofing Vulnerability |
| CVE-2025-7911 | 2025-07-20 | D-Link DI-8100 jhttpd upnp_ctrl.asp sprintf stack-based overflow |
| CVE-2025-7912 | 2025-07-20 | TOTOLINK T6 MQTT Service recvSlaveUpgstatus buffer overflow |
| CVE-2025-7913 | 2025-07-20 | TOTOLINK T6 MQTT Service updateWifiInfo buffer overflow |
| CVE-2020-26799 | 2025-07-21 | A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker to steal other users' data. |
| CVE-2024-55040 | 2025-07-21 | Cross Site Scripting vulnerability in Sensaphone WEB600 Monitoring System v.1.6.5.H and before allows a remote attacker to execute arbitrary code via crafted GET requests to /@.xml, placing payloads in... |
| CVE-2025-36845 | 2025-07-21 | An issue was discovered in Eveo URVE Web Manager 27.02.2025. The endpoint /_internal/redirect.php allows for Server-Side Request Forgery (SSRF). The endpoint takes a URL as input, sends a request to... |
| CVE-2025-36846 | 2025-07-21 | An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. The endpoint takes... |
| CVE-2025-43720 | 2025-07-21 | Headwind MDM before 5.33.1 makes configuration details accessible to unauthorized users. The Configuration profile is exposed to the Observer user role, revealing the password required to escape out of the... |
| CVE-2025-43976 | 2025-07-21 | The com.enflick.android.tn2ndLine application through 24.17.1.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component. |
| CVE-2025-43977 | 2025-07-21 | The com.skt.prod.dialer application through 12.5.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.skt.prod.dialer.activities.outgoingcall.OutgoingCallInternalBroadcaster component. |
| CVE-2025-44647 | 2025-07-21 | In TRENDnet TEW-WLC100P 2.03b03, the i_dont_care_about_security_and_use_aggressive_mode_psk option is enabled in the strongSwan configuration file, so that IKE Responders are allowed to use IKEv1 Aggressive Mode with Pre-Shared Keys to conduct... |
| CVE-2025-44649 | 2025-07-21 | In the configuration file of racoon in the TRENDnet TEW-WLC100P 2.03b03, the first item of exchange_mode is set to aggressive. Aggressive mode in IKE Phase 1 exposes identity information in... |
| CVE-2025-44650 | 2025-07-21 | In Netgear R7000 V1.3.1.64_10.1.36 and EAX80 V1.0.1.70_1.0.2, the USERLIMIT_GLOBAL option is set to 0 in the bftpd.conf configuration file. This can cause DoS attacks when unlimited users are connected. |
| CVE-2025-44651 | 2025-07-21 | In TRENDnet TPL-430AP FW1.0, the USERLIMIT_GLOBAL option is set to 0 in the bftpd-related configuration file. This can cause DoS attacks when unlimited users are connected. |
| CVE-2025-44652 | 2025-07-21 | In Netgear RAX30 V1.0.10.94_3, the USERLIMIT_GLOBAL option is set to 0 in multiple bftpd-related configuration files. This can cause DoS attacks when unlimited users are connected. |
| CVE-2025-44653 | 2025-07-21 | In H3C GR2200 MiniGR1A0V100R016, the USERLIMIT_GLOBAL option is set to 0 in the /etc/bftpd.conf. This can cause DoS attacks when unlimited users are connected. |
| CVE-2025-44654 | 2025-07-21 | In Linksys E2500 3.0.04.002, the chroot_local_user option is enabled in the vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised... |
| CVE-2025-44655 | 2025-07-21 | In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in the vsftpd.conf. This could lead to unauthorized access to system files, privilege escalation, or use... |
| CVE-2025-44657 | 2025-07-21 | In Linksys EA6350 V2.1.2, the chroot_local_user option is enabled in the dynamically generated vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of... |
| CVE-2025-44658 | 2025-07-21 | In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malicious... |
| CVE-2025-46116 | 2025-07-21 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where an authenticated attacker can disable the passphrase requirement for... |
| CVE-2025-46117 | 2025-07-21 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where a hidden debug script `.ap_debug.sh` invoked from the restricted... |
| CVE-2025-46118 | 2025-07-21 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139 and in Ruckus ZoneDirector prior to 10.5.1.0.279, where hard-coded credentials for the ftpuser account provide FTP access... |
| CVE-2025-46119 | 2025-07-21 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where an authenticated request to the management endpoint `/admin/_cmdstat.jsp` discloses... |
| CVE-2025-46120 | 2025-07-21 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the... |
| CVE-2025-46121 | 2025-07-21 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string.... |
| CVE-2025-46122 | 2025-07-21 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation, enabling... |
| CVE-2025-46123 | 2025-07-21 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest... |
| CVE-2025-51396 | 2025-07-21 | A stored cross-site scripting (XSS) vulnerability in Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Telegram Bot Username... |
| CVE-2025-51397 | 2025-07-21 | A stored cross-site scripting (XSS) vulnerability in the Facebook Chat module of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload... |
| CVE-2025-51398 | 2025-07-21 | A stored cross-site scripting (XSS) vulnerability in the Facebook registration page of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload... |
| CVE-2025-51400 | 2025-07-21 | A stored cross-site scripting (XSS) vulnerability in the Personal Canned Messages of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. |
| CVE-2025-51401 | 2025-07-21 | A stored cross-site scripting (XSS) vulnerability in the chat transfer function of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload... |
| CVE-2025-51403 | 2025-07-21 | A stored cross-site scripting (XSS) vulnerability in the department assignment editing module of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a... |
| CVE-2025-51868 | 2025-07-21 | Insecure Direct Object Reference (IDOR) vulnerability in Dippy (chat.dippy.ai) v2 allows attackers to gain sensitive information via the conversation_id parameter to the conversation_history endpoint. |
| CVE-2025-51869 | 2025-07-21 | Insecure Direct Object Reference (IDOR) vulnerability in Liner thru 2025-06-03 allows attackers to gain sensitive information via crafted space_id, thread_id, and message_id parameters to the v1/space/{space_id}/thread/{thread_id}/message/{message_id} endpoint. |
| CVE-2025-52362 | 2025-07-21 | Server-Side Request Forgery (SSRF) vulnerability exists in the URL processing functionality of PHProxy version 1.1.1 and prior. The input validation for the _proxurl parameter can be bypassed, allowing a remote,... |
| CVE-2025-52372 | 2025-07-21 | An issue in hMailServer v.5.8.6 allows a local attacker to obtain sensitive information via the hmailserver/installation/hMailServerInnoExtension.iss and hMailServer.ini components. |
| CVE-2025-52373 | 2025-07-21 | Use of hardcoded cryptographic key in BlowFish.cpp in hMailServer 5.8.6 and 5.6.9-beta allows attacker to decrypt passwords used in database connections from hMailServer.ini config file. |
| CVE-2025-52374 | 2025-07-21 | Use of hardcoded cryptographic key in Encryption.cs in hMailServer 5.8.6 and 5.6.9-beta allows attacker to decrypt passwords to other servers from hMailAdmin.exe.config file to access other hMailServer admin consoles with... |
| CVE-2025-54352 | 2025-07-21 | WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior. |
| CVE-2025-7914 | 2025-07-21 | Tenda AC6 httpd setparentcontrolinfo buffer overflow |
| CVE-2025-7915 | 2025-07-21 | Chanjet CRM Login Page mailinactive.php sql injection |
| CVE-2025-7916 | 2025-07-21 | Simopro Technology \| WinMatrix3 - Insecure Deserialization |
| CVE-2025-7917 | 2025-07-21 | Simopro Technology \| WinMatrix3 Web package - Arbitrary File Upload |
| CVE-2025-7918 | 2025-07-21 | Simopro Technology \| WinMatrix3 Web package - SQL Injection |
| CVE-2025-7919 | 2025-07-21 | Simopro Technology \| WinMatrix3 Web package - SQL Injection |
| CVE-2025-24936 | 2025-07-21 | Insufficient Validation of Input in the URL |
| CVE-2025-24937 | 2025-07-21 | Access to local file system and its content |
| CVE-2025-24938 | 2025-07-21 | Insufficient Validation of Input while user creation |
| CVE-2025-7921 | 2025-07-21 | ASKEY \| modem - Stack-based Buffer Overflow |
| CVE-2025-7343 | 2025-07-21 | Digiwin \| SFT - SQL Injection |
| CVE-2025-7344 | 2025-07-21 | Digiwin \| EAI - Privilege Escalation |
| CVE-2025-7920 | 2025-07-21 | Simopro Technology \| WinMatrix3 Web package - Reflected Cross-Site Scripting |