CVE List - 2025 / August
Showing 601 - 700 of 3631 CVEs for August 2025 (Page 7 of 37)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-54786 | 2025-08-06 | SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data |
| CVE-2025-54788 | 2025-08-06 | SuiteCRM: Authenticated Blind SQL Injection in InboundEmail module |
| CVE-2023-40992 | 2025-08-07 | Hospital Management System 4 is vulnerable to a SQL injection in /Hospital-Management-System-master/func.php via the password2 parameter. |
| CVE-2023-41519 | 2025-08-07 | Student Attendance Management System v1 was discovered to contain a cross-site scripting (XSS) vulnerability via the sessionName parameter at createSessionTerm.php. |
| CVE-2023-41520 | 2025-08-07 | Student Attendance Management System v1 was discovered to contain multiple SQL injection vulnerabilities in createClassArms.php via the classId and classArmName parameters. |
| CVE-2023-41521 | 2025-08-07 | Student Attendance Management System v1 was discovered to contain multiple SQL injection vulnerabilities in createSessionTerm.php via the id, termId, and sessionName parameters. |
| CVE-2023-41522 | 2025-08-07 | Student Attendance Management System v1 was discovered to contain multiple SQL injection vulnerabilities in createStudents.php via the Id, firstname, and admissionNumber parameters. |
| CVE-2023-41523 | 2025-08-07 | Student Attendance Management System v1 was discovered to contain a SQL injection vulnerability via the emailAddress parameter at createClassTeacher.php. |
| CVE-2023-41524 | 2025-08-07 | Student Attendance Management System v1 was discovered to contain a SQL injection vulnerability via the username parameter at index.php. |
| CVE-2023-41525 | 2025-08-07 | Hospital Management System v4 was discovered to contain a SQL injection vulnerability via the patient_contact parameter in patientsearch.php. |
| CVE-2023-41526 | 2025-08-07 | Hospital Management System v4 was discovered to contain multiple SQL injection vulnerabilities in func1.php via the username3 and password3 parameters. |
| CVE-2023-41527 | 2025-08-07 | Hospital Management System v4 was discovered to contain a SQL injection vulnerability via the password2 parameter in func.php. |
| CVE-2023-41528 | 2025-08-07 | Hospital Management System v4 was discovered to contain multiple SQL injection vulnerabilities in contact.php via the txtname, txtphone, and txtmail parameters. |
| CVE-2023-41529 | 2025-08-07 | Hospital Management System v4 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in func2.php via the fname and lname parameters. |
| CVE-2023-41530 | 2025-08-07 | Hospital Management System v4 was discovered to contain a SQL injection vulnerability via the app_contact parameter in appsearch.php. |
| CVE-2023-41531 | 2025-08-07 | Hospital Management System v4 was discovered to contain multiple SQL injection vulnerabilities in func3.php via the username1 and password2 parameters. |
| CVE-2023-41532 | 2025-08-07 | Hospital Management System v4 was discovered to contain a SQL injection vulnerability via the doctor_contact parameter in doctorsearch.php. |
| CVE-2024-42048 | 2025-08-07 | OpenOrange Business Framework version 1.15.5 installs to a directory with overly permissive access control, allowing all authenticated users to write to the installation path. In combination with the application's behavior... |
| CVE-2024-52680 | 2025-08-07 | EyouCMS 1.6.7 is vulnerable to Cross Site Scripting (XSS) in /login.php?m=admin&c=System&a=web&lang=cn. |
| CVE-2024-55401 | 2025-08-07 | An issue in 4C Strategies Exonaut before v22.4 allows attackers to execute a directory traversal. |
| CVE-2025-32094 | 2025-08-07 | An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an "Expect: 100-continue"... |
| CVE-2025-44779 | 2025-08-07 | An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull. |
| CVE-2025-45765 | 2025-08-07 | ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier's perspective is "keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are... |
| CVE-2025-47183 | 2025-08-07 | In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure. |
| CVE-2025-47188 | 2025-08-07 | A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1... |
| CVE-2025-47219 | 2025-08-07 | In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure. |
| CVE-2025-47806 | 2025-08-07 | In GStreamer through 1.26.1, the subparse plugin's parse_subrip_time function may write data past the bounds of a stack buffer, leading to a crash. |
| CVE-2025-47807 | 2025-08-07 | In GStreamer through 1.26.1, the subparse plugin's subrip_unescape_formatting function may dereference a NULL pointer while parsing a subtitle file, leading to a crash. |
| CVE-2025-47808 | 2025-08-07 | In GStreamer through 1.26.1, the subparse plugin's tmplayer_parse_line function may dereference a NULL pointer while parsing a subtitle file, leading to a crash. |
| CVE-2025-48709 | 2025-08-07 | An issue was discovered in BMC Control-M 9.0.21.300. When Control-M Server has a database connection, it runs DBUStatus.exe frequently, which then calls dbu_connection_details.vbs with the username, password, database hostname, and... |
| CVE-2025-50675 | 2025-08-07 | GPMAW 14, a bioinformatics software, has a critical vulnerability related to insecure file permissions in its installation directory. The directory is accessible with full read, write, and execute permissions for... |
| CVE-2025-50692 | 2025-08-07 | FoxCMS <=v1.2.5 is vulnerable to Code Execution in admin/template_file/editFile.html. |
| CVE-2025-50952 | 2025-08-07 | openjpeg v 2.5.0 was discovered to contain a NULL pointer dereference via the component /openjp2/dwt.c. |
| CVE-2025-51533 | 2025-08-07 | An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_004 and below allows unauthorized attackers to access internal forms via sending a crafted GET request. |
| CVE-2025-51629 | 2025-08-07 | A cross-site scripting (XSS) vulnerability in the PdfViewer component of Agenzia Impresa Eccobook 2.81.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the... |
| CVE-2025-54392 | 2025-08-07 | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication error data, a different vulnerability than CVE-2025-47189. |
| CVE-2025-54393 | 2025-08-07 | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows Static Code Injection. Authenticated users can obtain administrative access. |
| CVE-2025-54394 | 2025-08-07 | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 has Insufficiently Protected Credentials for requests to remote Excel resources. |
| CVE-2025-54395 | 2025-08-07 | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication configuration data. |
| CVE-2025-54396 | 2025-08-07 | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows SQL Injection. Authenticated users can exploit this. |
| CVE-2025-54397 | 2025-08-07 | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 inserts Sensitive Information Into Sent Data to authenticated users. |
| CVE-2025-55133 | 2025-08-07 | In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via topicName in client/agora/public/js/editorManager.js. |
| CVE-2025-55134 | 2025-08-07 | In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via tag in client/agora/public/js/editorManager.js. |
| CVE-2025-55135 | 2025-08-07 | In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG. |
| CVE-2025-55136 | 2025-08-07 | ERC (aka Emotion Recognition in Conversation) through 0.3 has insecure deserialization via a serialized object because jsonpickle is used. |
| CVE-2025-55137 | 2025-08-07 | LinkJoin through 882f196 mishandles lacks type checking in password reset. |
| CVE-2025-55138 | 2025-08-07 | LinkJoin through 882f196 mishandles token ownership in password reset. |
| CVE-2025-54882 | 2025-08-07 | Himmelblau's Kerberos credential cache collection is world readable |
| CVE-2025-54885 | 2025-08-07 | Thinbus generates insufficient entropy: 252 bits vs minimum 256 bits |
| CVE-2025-54799 | 2025-08-07 | Lego does not enforce HTTPS |
| CVE-2025-54798 | 2025-08-07 | tmp does not restrict arbitrary temporary file / directory write via symbolic link `dir` parameter |
| CVE-2025-54783 | 2025-08-07 | SuiteCRM: Reflected Cross Site Scripting (XSS) through HTTP Referrer header |
| CVE-2025-54784 | 2025-08-07 | SuiteCRM is vulnerable to Cross Site Scripting (XSS) through its email viewer |
| CVE-2025-3770 | 2025-08-07 | SMM IDT Privilege Escalation Vulnerability |
| CVE-2025-29865 | 2025-08-07 | : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TAGFREE X-Free Uploader XFU allows Path Traversal.This issue affects X-Free Uploader: from 1.0.1.0084 before 1.0.1.0085, from... |
| CVE-2025-8576 | 2025-08-07 | Use after free in Extensions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium) |
| CVE-2025-8577 | 2025-08-07 | Inappropriate implementation in Picture In Picture in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing... |
| CVE-2025-8578 | 2025-08-07 | Use after free in Cast in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2025-8579 | 2025-08-07 | Inappropriate implementation in Picture In Picture in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing... |
| CVE-2025-8580 | 2025-08-07 | Inappropriate implementation in Filesystems in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2025-8581 | 2025-08-07 | Inappropriate implementation in Extensions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a... |
| CVE-2025-8582 | 2025-08-07 | Insufficient validation of untrusted input in Core in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML... |
| CVE-2025-8583 | 2025-08-07 | Inappropriate implementation in Permissions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2025-29866 | 2025-08-07 | : External Control of File Name or Path vulnerability in TAGFREE X-Free Uploader XFU allows : Parameter Injection.This issue affects X-Free Uploader: from 1.0.1.0084 before 1.0.1.0085, from 2.0.1.0034 before 2.0.1.0035. |
| CVE-2025-35970 | 2025-08-07 | On multiple products of SEIKO EPSON and FUJIFILM Corporation, the initial administrator password is easy to guess from the information available via SNMP. If the administrator password is not changed... |
| CVE-2025-8533 | 2025-08-07 | Incorrect Authorization of XPC Service in Fantastical.app |
| CVE-2025-7054 | 2025-08-07 | Infinite loop triggered by connection ID retirement |
| CVE-2025-47907 | 2025-08-07 | Incorrect results returned from Rows.Scan in database/sql |
| CVE-2024-56339 | 2025-08-07 | IBM WebSphere Application Server information disclosure |
| CVE-2025-34152 | 2025-08-07 | Shenzhen Aitemi M300 Wi-Fi Repeater OS Command Injection via Time Parameter |
| CVE-2025-34151 | 2025-08-07 | Shenzhen Aitemi M300 Wi-Fi Repeater PPPoE Password Command Injection |
| CVE-2025-34150 | 2025-08-07 | Shenzhen Aitemi M300 Wi-Fi Repeater PPPoE Username Command Injection |
| CVE-2025-34149 | 2025-08-07 | Shenzhen Aitemi M300 Wi-Fi Repeater OS Command Injection via WPA2 Key |
| CVE-2025-34148 | 2025-08-07 | Shenzhen Aitemi M300 Wi-Fi Repeater OS Command Injection via WISP SSID |
| CVE-2025-24000 | 2025-08-07 | WordPress Post SMTP plugin <= 3.2.0 - Account Takeover Vulnerability |
| CVE-2025-55077 | 2025-08-07 | Tyler Technologies ERP Pro 9 SaaS application escape |
| CVE-2025-8697 | 2025-08-07 | agentUniverse MCPSessionManager/MCPTool/MCPToolkit StdioServerParameters os command injection |
| CVE-2025-7195 | 2025-08-07 | Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd |
| CVE-2025-26513 | 2025-08-07 | The installer for SAN Host Utilities for Windows versions prior to 8.0 is susceptible to a vulnerability which when successfully exploited could allow a local user to escalate their privileges. |
| CVE-2025-8698 | 2025-08-07 | Open5GS AMF Service nsmf-handler.c amf_nsmf_pdusession_handle_release_sm_context assertion |
| CVE-2025-53792 | 2025-08-07 | Azure Portal Elevation of Privilege Vulnerability |
| CVE-2025-53767 | 2025-08-07 | Azure OpenAI Elevation of Privilege Vulnerability |
| CVE-2025-53774 | 2025-08-07 | Microsoft 365 Copilot BizChat Information Disclosure Vulnerability |
| CVE-2025-53787 | 2025-08-07 | Microsoft 365 Copilot BizChat Information Disclosure Vulnerability |
| CVE-2025-8701 | 2025-08-07 | Wanzhou WOES Intelligent Optimization Energy Saving System GetPageList sql injection |
| CVE-2025-54787 | 2025-08-07 | SuiteCRM: Improper Authorization for attachment downloads |
| CVE-2025-30404 | 2025-08-07 | An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit... |
| CVE-2025-30405 | 2025-08-07 | An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potentially resulting in code execution or other undesirable effects.... |
| CVE-2025-54949 | 2025-08-07 | A heap buffer overflow vulnerability in the loading of ExecuTorch models can potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit ede82493dae6d2d43f8c424e7be4721abe5242be |
| CVE-2025-54950 | 2025-08-07 | An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch... |
| CVE-2025-54951 | 2025-08-07 | A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This... |
| CVE-2025-54952 | 2025-08-07 | An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially resulting in code execution or other undesirable effects. This issue affects... |
| CVE-2025-8702 | 2025-08-07 | Wanzhou WOES Intelligent Optimization Energy Saving System Historical Data Query Module GetVariableByOneIDNew sql injection |
| CVE-2020-9322 | 2025-08-08 | The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in... |
| CVE-2025-50465 | 2025-08-08 | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the TestDefinitionDAO interface. The testPlatform parameter can be used to build... |
| CVE-2025-50466 | 2025-08-08 | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the TestDefinitionDAO interface. The entityType parameter can be used to build... |
| CVE-2025-50467 | 2025-08-08 | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the TestDefinitionDAO interface. The supportedDataTypeParam parameter can be used to build... |
| CVE-2025-50468 | 2025-08-08 | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the DocStoreDAO interface. The entityType parameters can be used to build... |
| CVE-2025-50927 | 2025-08-08 | A reflected cross-site scripting (XSS) vulnerability in the List All FTP User Function in EHCP v20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via injecting a crafted payload into the... |
| CVE-2025-50928 | 2025-08-08 | Easy Hosting Control Panel EHCP v20.04.1.b was discovered to contain a SQL injection vulnerability via the id parameter in the Change Settings function. |