CVE-2025-10371 - eCharge Hardy Barth Salia PLCC api.php unrestricted upload
CVE ID : CVE-2025-10371
Published : Sept. 13, 2025, 6:15 p.m. | 2 hours, 42 minutes ago
Description : A security flaw has been discovered in eCharge Hardy Barth Salia PLCC 2.2.0. This issue affects some unknown processing of the file /api.php. The manipulation of the argument setrfidlist results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10371
Published : Sept. 13, 2025, 6:15 p.m. | 2 hours, 42 minutes ago
Description : A security flaw has been discovered in eCharge Hardy Barth Salia PLCC 2.2.0. This issue affects some unknown processing of the file /api.php. The manipulation of the argument setrfidlist results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10372 - Portabilis i-Educar educar_modulo_cad.php cross site scripting
CVE ID : CVE-2025-10372
Published : Sept. 13, 2025, 6:15 p.m. | 2 hours, 42 minutes ago
Description : A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /intranet/educar_modulo_cad.php. This manipulation of the argument nm_tipo/descricao causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10372
Published : Sept. 13, 2025, 6:15 p.m. | 2 hours, 42 minutes ago
Description : A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /intranet/educar_modulo_cad.php. This manipulation of the argument nm_tipo/descricao causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10373 - Portabilis i-Educar educar_turma_tipo_cad.php cross site scripting
CVE ID : CVE-2025-10373
Published : Sept. 13, 2025, 7:15 p.m. | 1 hour, 42 minutes ago
Description : A security vulnerability has been detected in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /intranet/educar_turma_tipo_cad.php. Such manipulation of the argument nm_tipo leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10373
Published : Sept. 13, 2025, 7:15 p.m. | 1 hour, 42 minutes ago
Description : A security vulnerability has been detected in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /intranet/educar_turma_tipo_cad.php. Such manipulation of the argument nm_tipo leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10374 - Shenzhen Sixun Business Management System OperatorStop improper authorization
CVE ID : CVE-2025-10374
Published : Sept. 13, 2025, 7:15 p.m. | 1 hour, 42 minutes ago
Description : A security flaw has been discovered in Shenzhen Sixun Business Management System 7/11. This affects an unknown part of the file /Adm/OperatorStop. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10374
Published : Sept. 13, 2025, 7:15 p.m. | 1 hour, 42 minutes ago
Description : A security flaw has been discovered in Shenzhen Sixun Business Management System 7/11. This affects an unknown part of the file /Adm/OperatorStop. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10384 - yangzongzhuan RuoYi Role cancelAll improper authorization
CVE ID : CVE-2025-10384
Published : Sept. 13, 2025, 8:15 p.m. | 42 minutes ago
Description : A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10384
Published : Sept. 13, 2025, 8:15 p.m. | 42 minutes ago
Description : A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10385 - Mercury KM08-708H GiGA WiFi Wave2 mcr_setSysAdm sub_450B2C buffer overflow
CVE ID : CVE-2025-10385
Published : Sept. 14, 2025, 1:15 a.m. | 3 hours, 42 minutes ago
Description : A vulnerability has been found in Mercury KM08-708H GiGA WiFi Wave2 1.1. Affected by this issue is the function sub_450B2C of the file /goform/mcr_setSysAdm. The manipulation of the argument ChgUserId leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10385
Published : Sept. 14, 2025, 1:15 a.m. | 3 hours, 42 minutes ago
Description : A vulnerability has been found in Mercury KM08-708H GiGA WiFi Wave2 1.1. Affected by this issue is the function sub_450B2C of the file /goform/mcr_setSysAdm. The manipulation of the argument ChgUserId leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10386 - Yida ECMS Consulting Enterprise Management System POST Request login.do cross site scripting
CVE ID : CVE-2025-10386
Published : Sept. 14, 2025, 2:15 a.m. | 2 hours, 42 minutes ago
Description : A vulnerability was found in Yida ECMS Consulting Enterprise Management System 1.0. This affects an unknown part of the file /login.do of the component POST Request Handler. The manipulation of the argument requestUrl results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10386
Published : Sept. 14, 2025, 2:15 a.m. | 2 hours, 42 minutes ago
Description : A vulnerability was found in Yida ECMS Consulting Enterprise Management System 1.0. This affects an unknown part of the file /login.do of the component POST Request Handler. The manipulation of the argument requestUrl results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10387 - codesiddhant Jasmin Ransomware handshake.php sql injection
CVE ID : CVE-2025-10387
Published : Sept. 14, 2025, 3:15 a.m. | 1 hour, 42 minutes ago
Description : A vulnerability was determined in codesiddhant Jasmin Ransomware up to 1.0.1. This vulnerability affects unknown code of the file /handshake.php. This manipulation of the argument machine_name/computer_user/os/date/time/ip/location/systemid/password causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10387
Published : Sept. 14, 2025, 3:15 a.m. | 1 hour, 42 minutes ago
Description : A vulnerability was determined in codesiddhant Jasmin Ransomware up to 1.0.1. This vulnerability affects unknown code of the file /handshake.php. This manipulation of the argument machine_name/computer_user/os/date/time/ip/location/systemid/password causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10388 - Selleo Mentingo Create New Course Basic Settings enroll-course cross site scripting
CVE ID : CVE-2025-10388
Published : Sept. 14, 2025, 4:15 a.m. | 42 minutes ago
Description : A vulnerability was identified in Selleo Mentingo 2025.08.27. This issue affects some unknown processing of the file /api/course/enroll-course of the component Create New Course Basic Settings. Such manipulation of the argument Description leads to cross site scripting. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10388
Published : Sept. 14, 2025, 4:15 a.m. | 42 minutes ago
Description : A vulnerability was identified in Selleo Mentingo 2025.08.27. This issue affects some unknown processing of the file /api/course/enroll-course of the component Create New Course Basic Settings. Such manipulation of the argument Description leads to cross site scripting. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10389 - CRMEB Administrator Password SystemAdminServices.php save improper authorization
CVE ID : CVE-2025-10389
Published : Sept. 14, 2025, 4:15 a.m. | 42 minutes ago
Description : A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10389
Published : Sept. 14, 2025, 4:15 a.m. | 42 minutes ago
Description : A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10390 - CRMEB UserAddressServices.php editAddress improper authorization
CVE ID : CVE-2025-10390
Published : Sept. 14, 2025, 4:32 a.m. | 25 minutes ago
Description : A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10390
Published : Sept. 14, 2025, 4:32 a.m. | 25 minutes ago
Description : A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10391 - CRMEB OutAccountServices.php testOutUrl server-side request forgery
CVE ID : CVE-2025-10391
Published : Sept. 14, 2025, 5:15 a.m. | 3 hours, 42 minutes ago
Description : A security vulnerability has been detected in CRMEB up to 5.6.1. The impacted element is the function testOutUrl of the file app/services/out/OutAccountServices.php. The manipulation of the argument push_token_url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10391
Published : Sept. 14, 2025, 5:15 a.m. | 3 hours, 42 minutes ago
Description : A security vulnerability has been detected in CRMEB up to 5.6.1. The impacted element is the function testOutUrl of the file app/services/out/OutAccountServices.php. The manipulation of the argument push_token_url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59363 - OneLogin OneLogin OIDC Client Secret Disclosure
CVE ID : CVE-2025-59363
Published : Sept. 14, 2025, 5:15 a.m. | 3 hours, 42 minutes ago
Description : In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created),
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59363
Published : Sept. 14, 2025, 5:15 a.m. | 3 hours, 42 minutes ago
Description : In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created),
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10392 - Mercury KM08-708H GiGA WiFi Wave2 HTTP Header stack-based overflow
CVE ID : CVE-2025-10392
Published : Sept. 14, 2025, 6:15 a.m. | 2 hours, 42 minutes ago
Description : A vulnerability was detected in Mercury KM08-708H GiGA WiFi Wave2 1.1.14. This affects an unknown function of the component HTTP Header Handler. The manipulation of the argument Host results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used.
Severity: 10.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10392
Published : Sept. 14, 2025, 6:15 a.m. | 2 hours, 42 minutes ago
Description : A vulnerability was detected in Mercury KM08-708H GiGA WiFi Wave2 1.1.14. This affects an unknown function of the component HTTP Header Handler. The manipulation of the argument Host results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used.
Severity: 10.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10393 - miurla morphic HTTP Status Code 3xx advanced-search fetchHtml server-side request forgery
CVE ID : CVE-2025-10393
Published : Sept. 14, 2025, 6:15 a.m. | 2 hours, 42 minutes ago
Description : A flaw has been found in miurla morphic up to 0.4.5. This impacts the function fetchHtml of the file /api/advanced-search of the component HTTP Status Code 3xx Handler. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10393
Published : Sept. 14, 2025, 6:15 a.m. | 2 hours, 42 minutes ago
Description : A flaw has been found in miurla morphic up to 0.4.5. This impacts the function fetchHtml of the file /api/advanced-search of the component HTTP Status Code 3xx Handler. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10394 - fcba_zzm ics-park Smart Park Management System Scheduled Task JobController.java code injection
CVE ID : CVE-2025-10394
Published : Sept. 14, 2025, 7:15 a.m. | 1 hour, 42 minutes ago
Description : A vulnerability has been found in fcba_zzm ics-park Smart Park Management System 2.0. Affected is an unknown function of the file ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/JobController.java of the component Scheduled Task Module. Such manipulation leads to code injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10394
Published : Sept. 14, 2025, 7:15 a.m. | 1 hour, 42 minutes ago
Description : A vulnerability has been found in fcba_zzm ics-park Smart Park Management System 2.0. Affected is an unknown function of the file ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/JobController.java of the component Scheduled Task Module. Such manipulation leads to code injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10395 - Magicblack MacCMS Scheduled Task col_url server-side request forgery
CVE ID : CVE-2025-10395
Published : Sept. 14, 2025, 8:15 a.m. | 42 minutes ago
Description : A vulnerability was found in Magicblack MacCMS 2025.1000.4050. Affected by this vulnerability is the function col_url of the component Scheduled Task Handler. Performing manipulation of the argument cjurl results in server-side request forgery. It is possible to initiate the attack remotely.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10395
Published : Sept. 14, 2025, 8:15 a.m. | 42 minutes ago
Description : A vulnerability was found in Magicblack MacCMS 2025.1000.4050. Affected by this vulnerability is the function col_url of the component Scheduled Task Handler. Performing manipulation of the argument cjurl results in server-side request forgery. It is possible to initiate the attack remotely.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10396 - SourceCodester Pet Grooming Management Software edit_role.php sql injection
CVE ID : CVE-2025-10396
Published : Sept. 14, 2025, 8:32 a.m. | 25 minutes ago
Description : A vulnerability was determined in SourceCodester Pet Grooming Management Software 1.0. Affected by this issue is some unknown functionality of the file /admin/edit_role.php. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10396
Published : Sept. 14, 2025, 8:32 a.m. | 25 minutes ago
Description : A vulnerability was determined in SourceCodester Pet Grooming Management Software 1.0. Affected by this issue is some unknown functionality of the file /admin/edit_role.php. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10397 - Magicblack MacCMS API server-side request forgery
CVE ID : CVE-2025-10397
Published : Sept. 14, 2025, 11:15 a.m. | 1 hour, 42 minutes ago
Description : A vulnerability was identified in Magicblack MacCMS 2025.1000.4050. This affects an unknown part of the component API Handler. The manipulation of the argument cjurl leads to server-side request forgery. The attack can be initiated remotely. The exploit is publicly available and might be used.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10397
Published : Sept. 14, 2025, 11:15 a.m. | 1 hour, 42 minutes ago
Description : A vulnerability was identified in Magicblack MacCMS 2025.1000.4050. This affects an unknown part of the component API Handler. The manipulation of the argument cjurl leads to server-side request forgery. The attack can be initiated remotely. The exploit is publicly available and might be used.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10398 - fcba_zzm ics-park Smart Park Management System FileUploadUtils.java unrestricted upload
CVE ID : CVE-2025-10398
Published : Sept. 14, 2025, 12:15 p.m. | 42 minutes ago
Description : A security flaw has been discovered in fcba_zzm ics-park Smart Park Management System 2.0. This vulnerability affects unknown code of the file FileUploadUtils.java. The manipulation of the argument File results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10398
Published : Sept. 14, 2025, 12:15 p.m. | 42 minutes ago
Description : A security flaw has been discovered in fcba_zzm ics-park Smart Park Management System 2.0. This vulnerability affects unknown code of the file FileUploadUtils.java. The manipulation of the argument File results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10204 - Unauth Admin Reset Password on AC Smart II
CVE ID : CVE-2025-10204
Published : Sept. 14, 2025, 12:43 p.m. | 14 minutes ago
Description : A vulnerability has been discovered in AC Smart II where passwords can be changed without authorization. This page contains a hidden form for resetting the administrator password. The attacker can manipulate the page using developer tools to display and use the form. This form allows you to change the administrator password without verifying login status or user permissions.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10204
Published : Sept. 14, 2025, 12:43 p.m. | 14 minutes ago
Description : A vulnerability has been discovered in AC Smart II where passwords can be changed without authorization. This page contains a hidden form for resetting the administrator password. The attacker can manipulate the page using developer tools to display and use the form. This form allows you to change the administrator password without verifying login status or user permissions.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...