CVE-2025-59773 - Multiple vulnerabilities in AndSoft's e-TMS
CVE ID : CVE-2025-59773
Published : Oct. 2, 2025, 3:15 p.m. | 2 hours, 7 minutes ago
Description : Cross-site scripting (XSS) vulnerability reflected in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The relationship between parameter and assigned identifier is 'l, demo, demo2, TNTLOGIN, UO and SuppConn' parameters in '/clt/LOGINFRM_TP.ASP'.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59773
Published : Oct. 2, 2025, 3:15 p.m. | 2 hours, 7 minutes ago
Description : Cross-site scripting (XSS) vulnerability reflected in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The relationship between parameter and assigned identifier is 'l, demo, demo2, TNTLOGIN, UO and SuppConn' parameters in '/clt/LOGINFRM_TP.ASP'.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59774 - Multiple vulnerabilities in AndSoft's e-TMS
CVE ID : CVE-2025-59774
Published : Oct. 2, 2025, 3:15 p.m. | 2 hours, 7 minutes ago
Description : Cross-site scripting (XSS) vulnerability reflected in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The relationship between parameter and assigned identifier is 'l, demo, demo2, TNTLOGIN, UO and SuppConn' parameters in '/clt/LOGINFRM_VON.ASP'.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59774
Published : Oct. 2, 2025, 3:15 p.m. | 2 hours, 7 minutes ago
Description : Cross-site scripting (XSS) vulnerability reflected in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The relationship between parameter and assigned identifier is 'l, demo, demo2, TNTLOGIN, UO and SuppConn' parameters in '/clt/LOGINFRM_VON.ASP'.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60782 - PHP Education Manager Cross Site Scripting (XSS)
CVE ID : CVE-2025-60782
Published : Oct. 2, 2025, 3:15 p.m. | 2 hours, 7 minutes ago
Description : PHP Education Manager v1.0 is vulnerable to Cross Site Scripting (XSS) stored Cross-Site Scripting (XSS) vulnerability in the topics management module (topics.php). Attackers can inject malicious JavaScript payloads into the Titlefield during topic creation or updates.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60782
Published : Oct. 2, 2025, 3:15 p.m. | 2 hours, 7 minutes ago
Description : PHP Education Manager v1.0 is vulnerable to Cross Site Scripting (XSS) stored Cross-Site Scripting (XSS) vulnerability in the topics management module (topics.php). Attackers can inject malicious JavaScript payloads into the Titlefield during topic creation or updates.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61087 - SourceCodester Pet Grooming Management Software XSS
CVE ID : CVE-2025-61087
Published : Oct. 2, 2025, 3:15 p.m. | 2 hours, 7 minutes ago
Description : SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross Site Scripting (XSS) via the Customer Name field under Customer Management Section.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61087
Published : Oct. 2, 2025, 3:15 p.m. | 2 hours, 7 minutes ago
Description : SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross Site Scripting (XSS) via the Customer Name field under Customer Management Section.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61096 - PHPGurukul Online Shopping Portal Project SQL Injection Vulnerability
CVE ID : CVE-2025-61096
Published : Oct. 2, 2025, 3:15 p.m. | 2 hours, 7 minutes ago
Description : PHPGurukul Online Shopping Portal Project v2.1 is vulnerable to SQL Injection in /shopping/login.php via the fullname parameter.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61096
Published : Oct. 2, 2025, 3:15 p.m. | 2 hours, 7 minutes ago
Description : PHPGurukul Online Shopping Portal Project v2.1 is vulnerable to SQL Injection in /shopping/login.php via the fullname parameter.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-34208 - Vasion Print (formerly PrinterLogic) Insecure Password Hashing
CVE ID : CVE-2025-34208
Published : Oct. 2, 2025, 4:13 p.m. | 1 hour, 10 minutes ago
Description : Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP's `hash()` function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpControllerTest.php). No per-user salt is used and the fast hash algorithms are unsuitable for password storage. An attacker who obtains the password database can recover cleartext passwords via offline dictionary or rainbow table attacks. The vulnerable code also contains logic that migrates legacy SHA-1 hashes to SHA-512 on login, further exposing users still on the old hash. This vulnerability was partially resolved, but still present within the legacy authentication platform.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-34208
Published : Oct. 2, 2025, 4:13 p.m. | 1 hour, 10 minutes ago
Description : Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP's `hash()` function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpControllerTest.php). No per-user salt is used and the fast hash algorithms are unsuitable for password storage. An attacker who obtains the password database can recover cleartext passwords via offline dictionary or rainbow table attacks. The vulnerable code also contains logic that migrates legacy SHA-1 hashes to SHA-512 on login, further exposing users still on the old hash. This vulnerability was partially resolved, but still present within the legacy authentication platform.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-34210 - Vasion Print (formerly PrinterLogic) Readable Cleartext Passwords
CVE ID : CVE-2025-34210
Published : Oct. 2, 2025, 4:13 p.m. | 1 hour, 9 minutes ago
Description : Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store a large number of sensitive credentials (database passwords, MySQL root password, SaaS keys, Portainer admin password, etc.) in cleartext files that are world-readable. Any local user - or any process that can read the host filesystem - can retrieve all of these secrets in plain text, leading to credential theft and full compromise of the appliance. The vendor does not consider this to be a security vulnerability as this product "follows a shared responsibility model, where administrators are expected to configure persistent storage encryption."
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-34210
Published : Oct. 2, 2025, 4:13 p.m. | 1 hour, 9 minutes ago
Description : Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store a large number of sensitive credentials (database passwords, MySQL root password, SaaS keys, Portainer admin password, etc.) in cleartext files that are world-readable. Any local user - or any process that can read the host filesystem - can retrieve all of these secrets in plain text, leading to credential theft and full compromise of the appliance. The vendor does not consider this to be a security vulnerability as this product "follows a shared responsibility model, where administrators are expected to configure persistent storage encryption."
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56154 - "htmly XSS Reflected"
CVE ID : CVE-2025-56154
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : htmly v3.0.8 is vulnerable to Cross Site Scripting (XSS) in the /author/:name endpoint of the affected application. The name parameter is not properly sanitized before being reflected in the HTML response, allowing attackers to inject arbitrary JavaScript payloads.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56154
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : htmly v3.0.8 is vulnerable to Cross Site Scripting (XSS) in the /author/:name endpoint of the affected application. The name parameter is not properly sanitized before being reflected in the HTML response, allowing attackers to inject arbitrary JavaScript payloads.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56161 - YOSHOP Unauthenticated Comment Information Disclosure Vulnerability
CVE ID : CVE-2025-56161
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money.) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56161
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money.) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56162 - YOSHOP Unauthenticated SQL Injection
CVE ID : CVE-2025-56162
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : YOSHOP 2.0 suffers from an unauthenticated SQL injection in the goodsIds parameter of the /api/goods/listByIds endpoint. The getListByIds function concatenates user input into orderRaw('field(goods_id, ...)'), allowing attackers to: (a) enumerate or modify database data, including dumping admin password hashes; (b) write web-shell files or invoke xp_cmdshell, leading to remote code execution on servers configured with sufficient DB privileges.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56162
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : YOSHOP 2.0 suffers from an unauthenticated SQL injection in the goodsIds parameter of the /api/goods/listByIds endpoint. The getListByIds function concatenates user input into orderRaw('field(goods_id, ...)'), allowing attackers to: (a) enumerate or modify database data, including dumping admin password hashes; (b) write web-shell files or invoke xp_cmdshell, leading to remote code execution on servers configured with sufficient DB privileges.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-57305 - VitaraCharts SSRF
CVE ID : CVE-2025-57305
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : VitaraCharts 5.3.5 is vulnerable to Server-Side Request Forgery in fileLoader.jsp.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-57305
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : VitaraCharts 5.3.5 is vulnerable to Server-Side Request Forgery in fileLoader.jsp.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60660 - Tenda AC18 Stack Overflow Vulnerability
CVE ID : CVE-2025-60660
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the mac parameter in the fromAdvSetMacMtuWan function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60660
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the mac parameter in the fromAdvSetMacMtuWan function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60662 - Tenda AC18 Stack Overflow Vulnerability
CVE ID : CVE-2025-60662
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the wanSpeed parameter in the fromAdvSetMacMtuWan function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60662
Published : Oct. 2, 2025, 4:15 p.m. | 1 hour, 7 minutes ago
Description : Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the wanSpeed parameter in the fromAdvSetMacMtuWan function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59403 - Flock Safety Android Collins Unauthenticated Remote Code Execution and Information Disclosure Vulnerability
CVE ID : CVE-2025-59403
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59403
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59405 - Flock Safety Peripheral Cleartext DataDog API Key Exposure
CVE ID : CVE-2025-59405
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : The Flock Safety Peripheral com.flocksafety.android.peripheral application 7.38.3 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) contains a cleartext DataDog API key within in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover the OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59405
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : The Flock Safety Peripheral com.flocksafety.android.peripheral application 7.38.3 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) contains a cleartext DataDog API key within in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover the OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59406 - Flock Safety Pisco OAuth Client Secret Exposed
CVE ID : CVE-2025-59406
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : The Flock Safety Pisco com.flocksafety.android.pisco application 6.21.11 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) has a cleartext Auth0 client secret in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover this OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59406
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : The Flock Safety Pisco com.flocksafety.android.pisco application 6.21.11 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) has a cleartext Auth0 client secret in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover this OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59407 - Flock Safety Java Keystore Hardcoded Password Vulnerability
CVE ID : CVE-2025-59407
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles a Java Keystore (flock_rye.bks) along with its hardcoded password (flockhibiki17) in its code. The keystore contains a private key.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59407
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles a Java Keystore (flock_rye.bks) along with its hardcoded password (flockhibiki17) in its code. The keystore contains a private key.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59409 - Flock Safety Falcon and Sparrow License Plate Readers Wi-Fi Cleartext Credentials Vulnerability
CVE ID : CVE-2025-59409
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : Flock Safety Falcon and Sparrow License Plate Readers OPM1.171019.026 ship with development Wi-Fi credentials (test_flck) stored in cleartext in production firmware.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59409
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : Flock Safety Falcon and Sparrow License Plate Readers OPM1.171019.026 ship with development Wi-Fi credentials (test_flck) stored in cleartext in production firmware.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60661 - Tenda AC18 Stack Overflow Vulnerability
CVE ID : CVE-2025-60661
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the cloneType parameter in the fromAdvSetMacMtuWan function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60661
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the cloneType parameter in the fromAdvSetMacMtuWan function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60663 - Tenda AC18 Stack Overflow Vulnerability
CVE ID : CVE-2025-60663
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the wanMTU parameter in the fromAdvSetMacMtuWan function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60663
Published : Oct. 2, 2025, 5:16 p.m. | 2 hours, 8 minutes ago
Description : Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the wanMTU parameter in the fromAdvSetMacMtuWan function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56019 - Agasta Easytouch+ BLE Unauthenticated Remote Denial of Service (DoS)
CVE ID : CVE-2025-56019
Published : Oct. 2, 2025, 6:15 p.m. | 1 hour, 8 minutes ago
Description : An insecure permission vulnerability exists in the Agasta Easytouch+ version 9.3.97 The device allows unauthorized mobile applications to connect via Bluetooth Low Energy (BLE) without authentication. Once an unauthorized connection is established, legitimate applications are unable to connect, causing a denial of service. The attack requires proximity to the device, making it exploitable from an adjacent network location.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56019
Published : Oct. 2, 2025, 6:15 p.m. | 1 hour, 8 minutes ago
Description : An insecure permission vulnerability exists in the Agasta Easytouch+ version 9.3.97 The device allows unauthorized mobile applications to connect via Bluetooth Low Energy (BLE) without authentication. Once an unauthorized connection is established, legitimate applications are unable to connect, causing a denial of service. The attack requires proximity to the device, making it exploitable from an adjacent network location.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...