CVE-2025-61113 - TalkTalk Android App Improper Access Control Vulnerability
CVE ID : CVE-2025-61113
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : TalkTalk 3.3.6 Android App contains improper access control vulnerabilities in multiple API endpoints. By modifying request parameters, attackers may obtain sensitive user information (such as device identifiers and birthdays) and access private group information, including join credentials. Successful exploitation may result in privacy breaches and unauthorized access to restricted resources.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61113
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : TalkTalk 3.3.6 Android App contains improper access control vulnerabilities in multiple API endpoints. By modifying request parameters, attackers may obtain sensitive user information (such as device identifiers and birthdays) and access private group information, including join credentials. Successful exploitation may result in privacy breaches and unauthorized access to restricted resources.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61115 - ABC Fine Wine & Spirits Android App Password Bypass Vulnerability
CVE ID : CVE-2025-61115
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : ABC Fine Wine & Spirits Android App version v.11.27.5 and before (package name com.cta.abcfinewineandspirits), developed by ABC Liquors, Inc., contains an improper access control vulnerability in its login mechanism. The application does not properly validate user passwords during authentication, allowing attackers to bypass login checks and obtain valid session identifiers. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61115
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : ABC Fine Wine & Spirits Android App version v.11.27.5 and before (package name com.cta.abcfinewineandspirits), developed by ABC Liquors, Inc., contains an improper access control vulnerability in its login mechanism. The application does not properly validate user passwords during authentication, allowing attackers to bypass login checks and obtain valid session identifiers. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61116 - AdForest Android App Authentication Improper Access Control Vulnerability
CVE ID : CVE-2025-61116
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : AdForest - Classified Android App version 4.0.12 (package name scriptsbundle.adforest), developed by Muhammad Jawad Arshad, contains an improper access control vulnerability in its authentication mechanism. The app uses a Base64-encoded email address as the authorization credential, which can be manipulated by attackers to gain unauthorized access to user accounts. Successful exploitation could result in account compromise, privacy breaches, and misuse of the platform.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61116
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : AdForest - Classified Android App version 4.0.12 (package name scriptsbundle.adforest), developed by Muhammad Jawad Arshad, contains an improper access control vulnerability in its authentication mechanism. The app uses a Base64-encoded email address as the authorization credential, which can be manipulated by attackers to gain unauthorized access to user accounts. Successful exploitation could result in account compromise, privacy breaches, and misuse of the platform.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61117 - Senza: Keto & Fasting Android App Account Takeover Vulnerability
CVE ID : CVE-2025-61117
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : Senza: Keto & Fasting Android App version 2.10.15 (package name com.gl.senza), developed by Paul Itoi, contains an improper access control vulnerability. By exploiting insufficient checks in user data API endpoints, attackers can obtain authentication tokens and perform account takeover. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61117
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : Senza: Keto & Fasting Android App version 2.10.15 (package name com.gl.senza), developed by Paul Itoi, contains an improper access control vulnerability. By exploiting insufficient checks in user data API endpoints, attackers can obtain authentication tokens and perform account takeover. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61118 - "mCarFix Motorists App Authentication Bypass and Data Access Vulnerability"
CVE ID : CVE-2025-61118
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : mCarFix Motorists App version 2.3 (package name com.skytop.mcarfix), developed by Paniel Mwaura, contains improper access control vulnerabilities. Attackers may bypass verification to arbitrarily register accounts, and by tampering with sequential numeric IDs, gain unauthorized access to user data and groups. Successful exploitation could result in fake account creation, privacy breaches, and misuse of the platform.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61118
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : mCarFix Motorists App version 2.3 (package name com.skytop.mcarfix), developed by Paniel Mwaura, contains improper access control vulnerabilities. Attackers may bypass verification to arbitrarily register accounts, and by tampering with sequential numeric IDs, gain unauthorized access to user data and groups. Successful exploitation could result in fake account creation, privacy breaches, and misuse of the platform.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62712 - JumpServer Connection Token Leak Vulnerability
CVE ID : CVE-2025-62712
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62712
Published : Oct. 30, 2025, 4:15 p.m. | 54 minutes ago
Description : JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62726 - n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
CVE ID : CVE-2025-62726
Published : Oct. 30, 2025, 4:24 p.m. | 45 minutes ago
Description : n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62726
Published : Oct. 30, 2025, 4:24 p.m. | 45 minutes ago
Description : n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61121 - Glority Global Group Ltd. Mobile Scanner Android App Credential Leakage Vulnerability
CVE ID : CVE-2025-61121
Published : Oct. 30, 2025, 5:15 p.m. | 3 hours, 58 minutes ago
Description : Mobile Scanner Android App version 2.12.38 (package name com.glority.everlens), developed by Glority Global Group Ltd., contains a credential leakage vulnerability. Improper handling of cloud service credentials may allow attackers to obtain them and carry out unauthorized actions, such as sensitive information disclosure and abuse of cloud resources. Successful exploitation could result in privacy breaches and misuse of the platform infrastructure.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61121
Published : Oct. 30, 2025, 5:15 p.m. | 3 hours, 58 minutes ago
Description : Mobile Scanner Android App version 2.12.38 (package name com.glority.everlens), developed by Glority Global Group Ltd., contains a credential leakage vulnerability. Improper handling of cloud service credentials may allow attackers to obtain them and carry out unauthorized actions, such as sensitive information disclosure and abuse of cloud resources. Successful exploitation could result in privacy breaches and misuse of the platform infrastructure.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61196 - BusinessNext CRMnext Remote Code Execution (RCE)
CVE ID : CVE-2025-61196
Published : Oct. 30, 2025, 5:15 p.m. | 3 hours, 58 minutes ago
Description : An issue in BusinessNext CRMnext v.10.8.3.0 allows a remote attacker to execute arbitrary code via the comments unput parameter
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61196
Published : Oct. 30, 2025, 5:15 p.m. | 3 hours, 58 minutes ago
Description : An issue in BusinessNext CRMnext v.10.8.3.0 allows a remote attacker to execute arbitrary code via the comments unput parameter
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62795 - JumpServer Unauthorized LDAP Configuration Access via WebSocket
CVE ID : CVE-2025-62795
Published : Oct. 30, 2025, 5:15 p.m. | 3 hours, 58 minutes ago
Description : JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62795
Published : Oct. 30, 2025, 5:15 p.m. | 3 hours, 58 minutes ago
Description : JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63885 - AIxBlock Stored XSS Vulnerability
CVE ID : CVE-2025-63885
Published : Oct. 30, 2025, 5:15 p.m. | 3 hours, 58 minutes ago
Description : A stored cross-site scripting (XSS) vulnerability in AIxBlock commit 04f305 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the model_desc field.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63885
Published : Oct. 30, 2025, 5:15 p.m. | 3 hours, 58 minutes ago
Description : A stored cross-site scripting (XSS) vulnerability in AIxBlock commit 04f305 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the model_desc field.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64096 - CryptoLib vulnerable to Stack Buffer Overflow in Crypto_Key_Update due to missing TLV length check
CVE ID : CVE-2025-64096
Published : Oct. 30, 2025, 5:15 p.m. | 3 hours, 58 minutes ago
Description : CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prier to 1.4.2, there is a missing bounds check in Crypto_Key_update() (crypto_key_mgmt.c) which allows a remote attacker to trigger a stack-based buffer overflow by supplying a TLV packet with a spoofed length field. The function calculates the number of keys from an attacker-controlled field (pdu_len), which may exceed the static array size (kblk[98]), leading to an out-of-bounds write and potential memory corruption. This vulnerability is fixed in 1.4.2.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64096
Published : Oct. 30, 2025, 5:15 p.m. | 3 hours, 58 minutes ago
Description : CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prier to 1.4.2, there is a missing bounds check in Crypto_Key_update() (crypto_key_mgmt.c) which allows a remote attacker to trigger a stack-based buffer overflow by supplying a TLV packet with a spoofed length field. The function calculates the number of keys from an attacker-controlled field (pdu_len), which may exceed the static array size (kblk[98]), leading to an out-of-bounds write and potential memory corruption. This vulnerability is fixed in 1.4.2.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56313 - JATOS Reflected Cross-Site Scripting (XSS) Vulnerability
CVE ID : CVE-2025-56313
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 (inclusive). This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the "code" URL parameter. When an authenticated admin user accesses the study's URL, the malicious script gets interpreted and executes within their browser, which can lead to unauthorized actions, account compromise, and privilege escalation.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56313
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 (inclusive). This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the "code" URL parameter. When an authenticated admin user accesses the study's URL, the malicious script gets interpreted and executes within their browser, which can lead to unauthorized actions, account compromise, and privilege escalation.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62266 - Liferay Portal DNS Rebinding Vulnerability
CVE ID : CVE-2025-62266
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by changing the redirect URL security from IP to domain.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62266
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by changing the redirect URL security from IP to domain.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64112 - Statmatic vulnerable to Stored Cross-Site Scripting
CVE ID : CVE-2025-64112
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : Statmatic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1.
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64112
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : Statmatic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1.
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64115 - Movary unvalidated Referer header allows open redirect and phishing
CVE ID : CVE-2025-64115
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64115
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64116 - Movary vulnerable to an open redirect
CVE ID : CVE-2025-64116
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. This vulnerability is fixed in 0.69.0.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64116
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. This vulnerability is fixed in 0.69.0.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64118 - node-tar vulnerable to race condition leading to uninitialized memory exposure
CVE ID : CVE-2025-64118
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64118
Published : Oct. 30, 2025, 6:15 p.m. | 2 hours, 58 minutes ago
Description : node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-36137 - IBM Sterling Connect:Direct for UNIX command execution
CVE ID : CVE-2025-36137
Published : Oct. 30, 2025, 7:16 p.m. | 1 hour, 57 minutes ago
Description : IBM Sterling Connect Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004, 6.4.0.0 through 6.4.0.2 iFix001, and 6.3.0.2 through 6.3.0.5 iFix002 incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users that could allow a privileged user to escalate their privileges further due to unnecessary privilege assignment for post update scripts.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-36137
Published : Oct. 30, 2025, 7:16 p.m. | 1 hour, 57 minutes ago
Description : IBM Sterling Connect Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004, 6.4.0.0 through 6.4.0.2 iFix001, and 6.3.0.2 through 6.3.0.5 iFix002 incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users that could allow a privileged user to escalate their privileges further due to unnecessary privilege assignment for post update scripts.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52179 - Zucchetti Ad Hoc Revolution XSS
CVE ID : CVE-2025-52179
Published : Oct. 30, 2025, 7:16 p.m. | 1 hour, 57 minutes ago
Description : Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Revolution 4.1 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahrw/jsp/gsfr_feditorHTML.jsp endpoint.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52179
Published : Oct. 30, 2025, 7:16 p.m. | 1 hour, 57 minutes ago
Description : Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Revolution 4.1 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahrw/jsp/gsfr_feditorHTML.jsp endpoint.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52180 - Zucchetti Ad Hoc Infinity XSS
CVE ID : CVE-2025-52180
Published : Oct. 30, 2025, 7:16 p.m. | 1 hour, 57 minutes ago
Description : Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 4.2 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahi/jsp/gsfr_feditorHTML.jsp?pHtmlSource endpoint.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52180
Published : Oct. 30, 2025, 7:16 p.m. | 1 hour, 57 minutes ago
Description : Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 4.2 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahi/jsp/gsfr_feditorHTML.jsp?pHtmlSource endpoint.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...