CVE-2025-4123 - Grafana Cross-Site Scripting (XSS) via Client Path Traversal and Open Redirect
CVE ID : CVE-2025-4123
Published : May 22, 2025, 8:15 a.m. | 1 hour, 11 minutes ago
Description : A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4123
Published : May 22, 2025, 8:15 a.m. | 1 hour, 11 minutes ago
Description : A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-9544 - MapSVG WordPress Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2024-9544
Published : May 22, 2025, 10:15 a.m. | 3 hours, 11 minutes ago
Description : The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-9544
Published : May 22, 2025, 10:15 a.m. | 3 hours, 11 minutes ago
Description : The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4280 - Poedit for MacOS Privilege Escalation Vulnerability
CVE ID : CVE-2025-4280
Published : May 22, 2025, 10:15 a.m. | 3 hours, 11 minutes ago
Description : MacOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Poedit, potentially disguising attacker's malicious intent. This issue has been fixed in 3.6.3 version of Poedit.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4280
Published : May 22, 2025, 10:15 a.m. | 3 hours, 11 minutes ago
Description : MacOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Poedit, potentially disguising attacker's malicious intent. This issue has been fixed in 3.6.3 version of Poedit.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4405 - WordPress Hot Random Image Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-4405
Published : May 22, 2025, 10:15 a.m. | 3 hours, 11 minutes ago
Description : The Hot Random Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4405
Published : May 22, 2025, 10:15 a.m. | 3 hours, 11 minutes ago
Description : The Hot Random Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4419 - WordPress Hot Random Image Path Traversal Vulnerability
CVE ID : CVE-2025-4419
Published : May 22, 2025, 10:15 a.m. | 3 hours, 11 minutes ago
Description : The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4419
Published : May 22, 2025, 10:15 a.m. | 3 hours, 11 minutes ago
Description : The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-25010 - Ericsson RAN Compute and Site Controller Code Injection Vulnerability
CVE ID : CVE-2024-25010
Published : May 22, 2025, 11:15 a.m. | 2 hours, 11 minutes ago
Description : Ericsson RAN Compute and Site Controller 6610 contains in certain configurations a high severity vulnerability where improper input validation could be exploited leading to arbitrary code execution.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-25010
Published : May 22, 2025, 11:15 a.m. | 2 hours, 11 minutes ago
Description : Ericsson RAN Compute and Site Controller 6610 contains in certain configurations a high severity vulnerability where improper input validation could be exploited leading to arbitrary code execution.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3444 - Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus LFI Vulnerability
CVE ID : CVE-2025-3444
Published : May 22, 2025, 11:15 a.m. | 2 hours, 11 minutes ago
Description : Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3444
Published : May 22, 2025, 11:15 a.m. | 2 hours, 11 minutes ago
Description : Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3836 - Zohocorp ManageEngine ADAudit Plus SQL Injection Vulnerability
CVE ID : CVE-2025-3836
Published : May 22, 2025, 11:15 a.m. | 2 hours, 11 minutes ago
Description : Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the logon events aggregate report.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3836
Published : May 22, 2025, 11:15 a.m. | 2 hours, 11 minutes ago
Description : Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the logon events aggregate report.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-41403 - Zohocorp ManageEngine ADAudit Plus SQL Injection
CVE ID : CVE-2025-41403
Published : May 22, 2025, 11:15 a.m. | 2 hours, 11 minutes ago
Description : Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection while fetching service account audit data.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-41403
Published : May 22, 2025, 11:15 a.m. | 2 hours, 11 minutes ago
Description : Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection while fetching service account audit data.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5073 - FreeFloat FTP Server Buffer Overflow Vulnerability
CVE ID : CVE-2025-5073
Published : May 22, 2025, 11:15 a.m. | 2 hours, 11 minutes ago
Description : A vulnerability, which was classified as critical, has been found in FreeFloat FTP Server 1.0. This issue affects some unknown processing of the component MKDIR Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5073
Published : May 22, 2025, 11:15 a.m. | 2 hours, 11 minutes ago
Description : A vulnerability, which was classified as critical, has been found in FreeFloat FTP Server 1.0. This issue affects some unknown processing of the component MKDIR Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5074 - FreeFloat FTP Server Buffer Overflow Vulnerability
CVE ID : CVE-2025-5074
Published : May 22, 2025, 12:15 p.m. | 1 hour, 11 minutes ago
Description : A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0. Affected is an unknown function of the component PROMPT Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5074
Published : May 22, 2025, 12:15 p.m. | 1 hour, 11 minutes ago
Description : A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0. Affected is an unknown function of the component PROMPT Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3111 - GitLab Kubernetes Denial of Service Vulnerability
CVE ID : CVE-2025-3111
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service..
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3111
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service..
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4575 - OpenSSL -addreject Option Truncation Vulnerability
CVE ID : CVE-2025-4575
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate. Impact summary: If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that use. A copy & paste error during minor refactoring of the code introduced this issue in the OpenSSL 3.5 version. If, for example, a trusted CA certificate should be trusted only for the purpose of authenticating TLS servers but not for CMS signature verification and the CMS signature verification is intended to be marked as rejected with the -addreject option, the resulting CA certificate will be trusted for CMS signature verification purpose instead. Only users which use the trusted certificate format who use the openssl x509 command line application to add rejected uses are affected by this issue. The issues affecting only the command line application are considered to be Low severity. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are also not affected by this issue.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4575
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate. Impact summary: If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that use. A copy & paste error during minor refactoring of the code introduced this issue in the OpenSSL 3.5 version. If, for example, a trusted CA certificate should be trusted only for the purpose of authenticating TLS servers but not for CMS signature verification and the CMS signature verification is intended to be marked as rejected with the -addreject option, the resulting CA certificate will be trusted for CMS signature verification purpose instead. Only users which use the trusted certificate format who use the openssl x509 command line application to add rejected uses are affected by this issue. The issues affecting only the command line application are considered to be Low severity. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are also not affected by this issue.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4979 - GitLab Information Disclosure Vulnerability
CVE ID : CVE-2025-4979
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4979
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5076 - FreeFloat FTP Server Buffer Overflow
CVE ID : CVE-2025-5076
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : A vulnerability was found in FreeFloat FTP Server 1.0 and classified as critical. Affected by this issue is some unknown functionality of the component SEND Command Handler. The manipulation leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5076
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : A vulnerability was found in FreeFloat FTP Server 1.0 and classified as critical. Affected by this issue is some unknown functionality of the component SEND Command Handler. The manipulation leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5077 - Campcodes Online Shopping Portal SQL Injection Vulnerability
CVE ID : CVE-2025-5077
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : A vulnerability was found in Campcodes Online Shopping Portal 1.0. It has been classified as critical. This affects an unknown part of the file /admin/edit-subcategory.php. The manipulation of the argument Category leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5077
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : A vulnerability was found in Campcodes Online Shopping Portal 1.0. It has been classified as critical. This affects an unknown part of the file /admin/edit-subcategory.php. The manipulation of the argument Category leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5078 - Campcodes Online Shopping Portal SQL Injection
CVE ID : CVE-2025-5078
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : A vulnerability was found in Campcodes Online Shopping Portal 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/subcategory.php. The manipulation of the argument Category leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5078
Published : May 22, 2025, 2:16 p.m. | 3 hours, 11 minutes ago
Description : A vulnerability was found in Campcodes Online Shopping Portal 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/subcategory.php. The manipulation of the argument Category leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-12093 - GitLab SAML XPath Validation Bypass
CVE ID : CVE-2024-12093
Published : May 22, 2025, 3:16 p.m. | 2 hours, 11 minutes ago
Description : An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allows modified SAML response to bypass 2FA requirement under specialized conditions.
Severity: 6.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-12093
Published : May 22, 2025, 3:16 p.m. | 2 hours, 11 minutes ago
Description : An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allows modified SAML response to bypass 2FA requirement under specialized conditions.
Severity: 6.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-54188 - Infoblox NETMRI File Disclosure
CVE ID : CVE-2024-54188
Published : May 22, 2025, 3:16 p.m. | 2 hours, 11 minutes ago
Description : Infoblox NETMRI before 7.6.1 has a vulnerability allowing remote authenticated users to read arbitrary files with root access.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-54188
Published : May 22, 2025, 3:16 p.m. | 2 hours, 11 minutes ago
Description : Infoblox NETMRI before 7.6.1 has a vulnerability allowing remote authenticated users to read arbitrary files with root access.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-0605 - GitLab Two-Factor Authentication Bypass
CVE ID : CVE-2025-0605
Published : May 22, 2025, 3:16 p.m. | 2 hours, 11 minutes ago
Description : An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.
Severity: 4.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-0605
Published : May 22, 2025, 3:16 p.m. | 2 hours, 11 minutes ago
Description : An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.
Severity: 4.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-0679 - GitLab Email Address Disclosure Vulnerability
CVE ID : CVE-2025-0679
Published : May 22, 2025, 3:16 p.m. | 2 hours, 11 minutes ago
Description : An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions un-authorised users can view full email addresses that should be partially obscured.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-0679
Published : May 22, 2025, 3:16 p.m. | 2 hours, 11 minutes ago
Description : An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions un-authorised users can view full email addresses that should be partially obscured.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...