CVE tracker
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
CVE-2025-43745 - Liferay Portal CSRF Attack

CVE ID : CVE-2025-43745
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to perform cross-origin requests on behalf of the authenticated user via the endpoint parameter.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-50891 - Adform Site Tracking Cross-Site Scripting (XSS)

CVE ID : CVE-2025-50891
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : Adform Site Tracking 1.1 allows attackers to inject HTML or execute arbitrary code via cookie hijacking.
Severity: 0.0 | NA
CVE-2025-52338 - LogicData eCommerce Framework Authentication Bypass

CVE ID : CVE-2025-52338
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : An issue in the default configuration of the password reset function in LogicData eCommerce Framework v5.0.9.7000 allows attackers to bypass authentication and compromise user accounts via a brute-force attack.
Severity: 0.0 | NA
CVE-2025-55303 - Astro Image Optimization Endpoint Protocol-Relative URL Injection

CVE ID : CVE-2025-55303
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
Severity: 6.9 | MEDIUM
CVE-2025-55306 - GenX FX Exposed API Keys and Authentication Tokens

CVE ID : CVE-2025-55306
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : GenX_FX is an advanced AI trading platform focused on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment variables are misconfigured. Unauthorized users could gain access to cloud resources (Google Cloud, Firebase, GitHub, etc.).
Severity: 9.8 | CRITICAL
CVE-2025-55733 - DeepChat Custom URL Handler Remote Code Execution Vulnerability

CVE ID : CVE-2025-55733
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : DeepChat is a smart assistant that connects powerful AI to your personal world. DeepChat before 0.3.1 has a one-click remote code execution vulnerability. An attacker can exploit this vulnerability by embedding a specially crafted deepchat: URL on any website, including a malicious one they control. When a victim visits such a site or clicks on the link, the browser triggers the app’s custom URL handler (deepchat:), causing the DeepChat application to launch and process the URL, leading to remote code execution on the victim’s machine. This vulnerability is fixed in 0.3.1.
Severity: 9.6 | CRITICAL
CVE-2025-55734 - FlaskBlog Unauthenticated Access to Sensitive Pages

CVE ID : CVE-2025-55734
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to access the admin page, but that control is not done for the pages routes/adminPanelComments.py and routes/adminPanelPosts.py. Thus, an unauthorized user can bypass the intended restrictions, leaking sensitive data and accessing the following pages: /admin/posts, /adminpanel/posts, /admin/comments, and /adminpanel/comments.
Severity: 6.9 | MEDIUM
CVE-2025-55735 - FlaskBlog Stored XSS Vulnerability

CVE ID : CVE-2025-55735
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there is no validation of the post content stored in the variable "postContent". The vulnerability arises when the post content is rendered with the `|safe` filter, which tells the template engine not to escape the rendered content. This can lead to a stored XSS inside the content of the post. The code that causes the problem is in template/routes.html.
Severity: 5.3 | MEDIUM
CVE-2025-55736 - FlaskBlog Role Elevation Vulnerability

CVE ID : CVE-2025-55736
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, any user can change their own role to "admin", gaining the associated privileges (e.g. deleting users, posts, comments, etc.). The problem is in the routes/adminPanelUsers file.
Severity: 9.3 | CRITICAL
CVE-2025-9153 - iSourcecode Online Tour and Travel Management System File Upload Vulnerability

CVE ID : CVE-2025-9153
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : A vulnerability was detected in itsourcecode Online Tour and Travel Management System 1.0. This vulnerability affects unknown code of the file /admin/operations/travellers.php. The manipulation of the argument photo results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used.
Severity: 6.5 | MEDIUM
CVE-2025-9154 - iSourcecode Online Tour and Travel Management System SQL Injection

CVE ID : CVE-2025-9154
Published : Aug. 19, 2025, 7:15 p.m. | 59 minutes ago
Description : A flaw has been found in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /user/page-login.php. Manipulation of the argument email causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.
Severity: 7.5 | HIGH
CVE-2025-55028 - Firefox for iOS JavaScript Alert Denial of Service

CVE ID : CVE-2025-55028
Published : Aug. 19, 2025, 9:15 p.m. | 2 hours, 59 minutes ago
Description : Malicious scripts utilizing repetitive JavaScript alerts could prevent client user interaction in some scenarios and allow for denial-of-service attacks. This vulnerability affects Firefox for iOS < 142.
Severity: 0.0 | NA
CVE-2025-55029 - Firefox for iOS Script Injection Vulnerability

CVE ID : CVE-2025-55029
Published : Aug. 19, 2025, 9:15 p.m. | 2 hours, 59 minutes ago
Description : Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial-of-service attacks. This vulnerability affects Firefox for iOS < 142.
Severity: 0.0 | NA
CVE-2025-55030 - Firefox for iOS MIME Type Misinterpretation Vulnerability

CVE ID : CVE-2025-55030
Published : Aug. 19, 2025, 9:15 p.m. | 2 hours, 59 minutes ago
Description : Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading it, potentially allowing for XSS attacks. This vulnerability affects Firefox for iOS < 142.
Severity: 0.0 | NA
CVE-2025-55031 - Firefox for iOS Bluetooth Hybrid Passkey Transport Vulnerability

CVE ID : CVE-2025-55031
Published : Aug. 19, 2025, 9:15 p.m. | 2 hours, 59 minutes ago
Description : Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability affects Firefox for iOS < 142 and Focus for iOS < 142.
Severity: 0.0 | NA
CVE-2025-55032 - Focus for iOS MIME Type Vulnerability

CVE ID : CVE-2025-55032
Published : Aug. 19, 2025, 9:15 p.m. | 2 hours, 59 minutes ago
Description : Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks. This vulnerability affects Focus for iOS < 142.
Severity: 0.0 | NA
CVE-2025-55033 - Focus for iOS JavaScript Injection Vulnerability

CVE ID : CVE-2025-55033
Published : Aug. 19, 2025, 9:15 p.m. | 2 hours, 59 minutes ago
Description : Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks. This vulnerability affects Focus for iOS < 142.
Severity: 0.0 | NA
CVE-2025-8041 - Firefox for Android URL Truncation Vulnerability

CVE ID : CVE-2025-8041
Published : Aug. 19, 2025, 9:15 p.m. | 2 hours, 59 minutes ago
Description : In the address bar, Firefox for Android truncated the display of URLs from the end instead of prioritizing the origin. This vulnerability affects Firefox < 141.
Severity: 0.0 | NA
CVE-2025-8042 - Firefox for Android Cross-Site Download Vulnerability

CVE ID : CVE-2025-8042
Published : Aug. 19, 2025, 9:15 p.m. | 2 hours, 59 minutes ago
Description : Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability affects Firefox < 141.
Severity: 0.0 | NA
CVE-2025-8364 - Mozilla Firefox Android URI Spoofing Vulnerability

CVE ID : CVE-2025-8364
Published : Aug. 19, 2025, 9:15 p.m. | 2 hours, 59 minutes ago
Description : A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 141.
Severity: 0.0 | NA
CVE-2025-9167 - SolidInvoice Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-9167
Published : Aug. 19, 2025, 9:15 p.m. | 2 hours, 59 minutes ago
Description : A vulnerability has been found in SolidInvoice up to 2.4.0. This vulnerability affects unknown code of the file /invoice/recurring of the component Recurring Invoice Module. Manipulation of the argument client name leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.1 | MEDIUM