CVE tracker
News monitoring: @irnewsagency
Main channel: @orgsecuritygate
Site: SecurityGate.org
CVE-2025-0275 - HCL BigFix Mobile 3.3 and earlier is affected by improper access control

CVE ID : CVE-2025-0275
Published : Oct. 16, 2025, 6:15 a.m. | 1 hour, 58 minutes ago
Description : HCL BigFix Mobile 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal functions.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58778 - Ruijie Networks RG-EST300 SSH Default Credentials Disclosure and Privilege Escalation Vulnerability

CVE ID : CVE-2025-58778
Published : Oct. 16, 2025, 6:15 a.m. | 1 hour, 58 minutes ago
Description : Multiple versions of RG-EST300 provided by Ruijie Networks provide SSH server functionality. It is not documented in the manual and is enabled in the initial configuration. Anyone with knowledge of the related credentials can log in to the affected device, leading to information disclosure, altering the system configuration, or causing a denial of service (DoS) condition.
Severity: 8.6 | HIGH
CVE-2025-10706 - Classified Pro <= 1.0.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

CVE ID : CVE-2025-10706
Published : Oct. 16, 2025, 7:15 a.m. | 58 minutes ago
Description : The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible. Note: The required nonce for the vulnerability is in the CubeWP Framework plugin.
Severity: 8.8 | HIGH
CVE-2025-10742 - Truelysell Core <= 1.8.6 - Unauthenticated Arbitrary User Password Change

CVE ID : CVE-2025-10742
Published : Oct. 16, 2025, 7:15 a.m. | 58 minutes ago
Description : The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.
Severity: 9.8 | CRITICAL
CVE-2025-10849 - Felan Framework <= 1.1.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation/Deactivation via process_plugin_actions

CVE ID : CVE-2025-10849
Published : Oct. 16, 2025, 7:15 a.m. | 58 minutes ago
Description : The Felan Framework plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_plugin_actions' function called via an AJAX action in versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to activate or deactivate arbitrary plugins.
Severity: 5.3 | MEDIUM
CVE-2025-10850 - Felan Framework <= 1.1.4 - Hardcoded Credentials

CVE ID : CVE-2025-10850
Published : Oct. 16, 2025, 7:15 a.m. | 58 minutes ago
Description : The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if that user registered with Facebook or Google social login and did not change their password.
Severity: 9.8 | CRITICAL
CVE-2025-55084 - Out of bound read in _nx_secure_tls_proc_clienthello_supported_versions_extension()

CVE ID : CVE-2025-55084
Published : Oct. 16, 2025, 7:15 a.m. | 58 minutes ago
Description : In NetX Duo versions before 6.4.4, the networking component of Eclipse Foundation ThreadX, there was an incorrect bounds check in _nx_secure_tls_proc_clienthello_supported_versions_extension() on the extension version field.
Severity: 6.9 | MEDIUM
CVE-2025-55089 - Eclipse ThreadX FileX RAM disk driver buffer overflow

CVE ID : CVE-2025-55089
Published : Oct. 16, 2025, 7:15 a.m. | 58 minutes ago
Description : In FileX before 6.4.2, the file support module for Eclipse Foundation ThreadX, there was a possible buffer overflow in the FileX RAM disk driver. It could lead to remote execution after receiving a crafted sequence of packets.
Severity: 9.2 | CRITICAL
CVE-2025-55090 - Potential out of bound read issue in _nx_ipv4_packet_receive() in NetX Duo

CVE ID : CVE-2025-55090
Published : Oct. 16, 2025, 7:15 a.m. | 58 minutes ago
Description : In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out-of-bounds read in the _nx_ipv4_packet_receive() function when receiving an Ethernet frame carrying less than 4 bytes of IP packet.
Severity: 6.9 | MEDIUM
CVE-2025-62583 - Whale Browser Cross-Site Scripting (XSS)

CVE ID : CVE-2025-62583
Published : Oct. 16, 2025, 7:15 a.m. | 58 minutes ago
Description : Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.
Severity: 0.0 | NA
CVE-2025-62584 - Whale Browser Same-Origin Policy Bypass Vulnerability

CVE ID : CVE-2025-62584
Published : Oct. 16, 2025, 7:15 a.m. | 58 minutes ago
Description : Whale browser before 4.33.325.17 allows an attacker to bypass the Same-Origin Policy in a dual-tab environment.
Severity: 0.0 | NA
CVE-2025-62585 - Whale Browser Content Security Policy Bypass

CVE ID : CVE-2025-62585
Published : Oct. 16, 2025, 7:15 a.m. | 58 minutes ago
Description : Whale browser before 4.33.325.17 allows an attacker to bypass the Content Security Policy via a specific scheme in a dual-tab environment.
Severity: 0.0 | NA
CVE-2025-41020 - Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito

CVE ID : CVE-2025-41020
Published : Oct. 16, 2025, 8:15 a.m. | 3 hours, 58 minutes ago
Description : Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticket_a4.php'.
Severity: 7.1 | HIGH
CVE-2025-41021 - Stored Cross-Site Scripting (XSS) vulnerability in Sergestec's Exito

CVE ID : CVE-2025-41021
Published : Oct. 16, 2025, 8:15 a.m. | 3 hours, 58 minutes ago
Description : Stored Cross-Site Scripting (XSS) in Sergestec's Exito v8.0, caused by a lack of proper validation of user input sent in the 'obs' parameter of a POST request to '/admin/index.php?action=product_update'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details.
Severity: 5.1 | MEDIUM
CVE-2025-41443 - Guest user can discover active public channels

CVE ID : CVE-2025-41443
Published : Oct. 16, 2025, 8:15 a.m. | 3 hours, 58 minutes ago
Description : Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information, which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint.
Severity: 4.3 | MEDIUM
CVE-2025-55091 - Potential out of bound read in _nx_ip_packet_receive()

CVE ID : CVE-2025-55091
Published : Oct. 16, 2025, 8:15 a.m. | 3 hours, 58 minutes ago
Description : In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out-of-bounds read in the _nx_ip_packet_receive() function when receiving an Ethernet frame whose type is set to IP but which carries no IP data.
Severity: 6.9 | MEDIUM
CVE-2025-0276 - HCL BigFix Modern Client Management (MCM) is affected by an insecure Content Security Policy (CSP)

CVE ID : CVE-2025-0276
Published : Oct. 16, 2025, 9:15 a.m. | 2 hours, 58 minutes ago
Description : HCL BigFix Modern Client Management (MCM) 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.
Severity: 6.5 | MEDIUM
CVE-2025-0277 - HCL BigFix Mobile is affected by an insecure Content Security Policy (CSP)

CVE ID : CVE-2025-0277
Published : Oct. 16, 2025, 9:15 a.m. | 2 hours, 58 minutes ago
Description : HCL BigFix Mobile 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.
Severity: 6.5 | MEDIUM
CVE-2025-10545 - Guest user can add unauthorized team users to private channels

CVE ID : CVE-2025-10545
Published : Oct. 16, 2025, 9:15 a.m. | 2 hours, 58 minutes ago
Description : Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members, which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint.
Severity: 3.1 | LOW
CVE-2025-41410 - Slack import bypasses email verification for team access controls

CVE ID : CVE-2025-41410
Published : Oct. 16, 2025, 9:15 a.m. | 2 hours, 58 minutes ago
Description : Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during the Slack import process, which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data and thereby bypass email-based team access restrictions.
Severity: 5.4 | MEDIUM
CVE-2025-53858 - ChatLuck Chat Rooms Cross-Site Scripting (XSS)

CVE ID : CVE-2025-53858
Published : Oct. 16, 2025, 9:15 a.m. | 2 hours, 58 minutes ago
Description : ChatLuck contains a cross-site scripting vulnerability in Chat Rooms. If exploited, an arbitrary script may be executed on the web browser of the user who is accessing the product.
Severity: 5.4 | MEDIUM