CVE-2025-59454 - Apache CloudStack: Lack of user permission validation leading to data leak for few APIs
CVE ID : CVE-2025-59454
Published : Nov. 27, 2025, 12:15 p.m. | 54 minutes ago
Description : In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.
Severity: 0.0 | NA
CVE-2025-12971 - Folders <= 3.1.5 - Incorrect Authorization to Authenticated (Contributor+) Folder Content Manipulation
CVE ID : CVE-2025-12971
Published : Nov. 27, 2025, 12:31 p.m. | 39 minutes ago
Description : The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'wcp_change_post_folder' function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to move arbitrary folder contents to arbitrary folders.
Severity: 0.0 | NA
CVE-2025-12140 - RCE in Wirtualna Uczelnia
CVE ID : CVE-2025-12140
Published : Nov. 27, 2025, 2:15 p.m. | 2 hours, 55 minutes ago
Description : The application contains an insecure 'redirectToUrl' mechanism that incorrectly processes the value of the 'redirectUrlParameter' parameter. The application interprets the entered string of characters as a Java expression, allowing an unauthenticated attacker to perform arbitrary code execution. This issue was fixed in version wu#2016.1.5513#0#20251014_113353.
Severity: 9.3 | CRITICAL
CVE-2025-13692 - Unlimited Elements For Elementor and Unlimited Elements For Elementor (Premium) <= 2.0 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
CVE ID : CVE-2025-13692
Published : Nov. 27, 2025, 2:15 p.m. | 2 hours, 55 minutes ago
Description : The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. A form with a file upload field must be created with the premium version of the plugin in order to exploit the vulnerability. However, once the form exists, the vulnerability is exploitable even if the premium version is deactivated and/or uninstalled.
Severity: 7.2 | HIGH
CVE-2025-8890 - Authenticated RCE in SDMC NE6037 router
CVE ID : CVE-2025-8890
Published : Nov. 27, 2025, 2:15 p.m. | 2 hours, 55 minutes ago
Description : Firmware in SDMC NE6037 routers prior to version 7.1.12.2.44 has a network diagnostics tool vulnerable to shell command injection attacks. In order to exploit this vulnerability, an attacker has to log in to the router's administrative portal, which by default is reachable only via LAN ports.
Severity: 9.3 | CRITICAL
CVE-2025-12419 - Account takeover on OAuth/OpenID-enabled servers
CVE ID : CVE-2025-12419
Published : Nov. 27, 2025, 4:15 p.m. | 55 minutes ago
Description : Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication, which allows an authenticated attacker with team creation or admin privileges to take over any user account via manipulation of authentication data during the OAuth completion flow.
Severity: 9.9 | CRITICAL
CVE-2025-13757 - Devolutions Server SQL Injection
CVE ID : CVE-2025-13757
Published : Nov. 27, 2025, 4:15 p.m. | 55 minutes ago
Description : SQL Injection vulnerability in last usage logs in Devolutions Server. This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8.
Severity: 0.0 | NA
CVE-2025-13758 - Devolutions Server Exposed Credentials Vulnerability
CVE ID : CVE-2025-13758
Published : Nov. 27, 2025, 4:15 p.m. | 55 minutes ago
Description : Exposure of credentials in unintended requests in Devolutions Server. This issue affects Server: through 2025.2.20, through 2025.3.8.
Severity: 0.0 | NA
CVE-2025-13765 - Devolutions Server Unsecured Email Credentials Exposure
CVE ID : CVE-2025-13765
Published : Nov. 27, 2025, 4:15 p.m. | 55 minutes ago
Description : Exposure of email service credentials to users without administrative rights in Devolutions Server. This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.
Severity: 0.0 | NA
CVE-2025-12559 - Information Disclosure in Common Teams API
CVE ID : CVE-2025-12559
Published : Nov. 27, 2025, 4:36 p.m. | 34 minutes ago
Description : Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint.
Severity: 4.3 | MEDIUM
CVE-2025-12421 - Account Takeover via Code Exchange Endpoint
CVE ID : CVE-2025-12421
Published : Nov. 27, 2025, 6:15 p.m. | 2 hours, 56 minutes ago
Description : Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
Severity: 9.9 | CRITICAL
CVE-2025-3261 - Stored Cross-Site Scripting (XSS) in ThingsBoard
CVE ID : CVE-2025-3261
Published : Nov. 27, 2025, 6:15 p.m. | 2 hours, 56 minutes ago
Description : ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an `iframe` element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the `ImageController`, which fails to restrict the execution of JavaScript code when an image is loaded by the user's browser. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.
Severity: 6.2 | MEDIUM
CVE-2025-13338 - Apache HTTP Server Cross-Site Scripting
CVE ID : CVE-2025-13338
Published : Nov. 27, 2025, 11:15 p.m. | 1 hour, 57 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
CVE-2025-66359 - Logpoint Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-66359
Published : Nov. 28, 2025, 12:15 a.m. | 57 minutes ago
Description : An issue was discovered in Logpoint before 7.7.0. Insufficient input validation and a lack of output escaping in multiple components leads to a cross-site scripting (XSS) vulnerability.
Severity: 8.5 | HIGH
CVE-2025-66360 - Logpoint Access Control Policy Privilege Escalation Vulnerability
CVE ID : CVE-2025-66360
Published : Nov. 28, 2025, 12:15 a.m. | 57 minutes ago
Description : An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service (Redis) information to li-admin users. This can lead to privilege escalation.
Severity: 6.9 | MEDIUM
CVE-2025-66361 - Logpoint Exposes Sensitive Information
CVE ID : CVE-2025-66361
Published : Nov. 28, 2025, 12:15 a.m. | 57 minutes ago
Description : An issue was discovered in Logpoint before 7.7.0. Sensitive information is exposed in System Processes for an extended period during high CPU load.
Severity: 6.9 | MEDIUM
CVE-2025-58294 - Cisco Print Module Information Disclosure
CVE ID : CVE-2025-58294
Published : Nov. 28, 2025, 3:15 a.m. | 1 hour, 57 minutes ago
Description : Permission control vulnerability in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
Severity: 6.2 | MEDIUM
CVE-2025-58303 - Adobe Screen Recorder Use-After-Free Vulnerability
CVE ID : CVE-2025-58303
Published : Nov. 28, 2025, 3:15 a.m. | 1 hour, 57 minutes ago
Description : UAF vulnerability in the screen recording framework module. Impact: Successful exploitation of this vulnerability may affect availability.
Severity: 8.4 | HIGH
CVE-2025-58307 - Apache Screen Recording Framework Use-After-Free
CVE ID : CVE-2025-58307
Published : Nov. 28, 2025, 3:15 a.m. | 1 hour, 57 minutes ago
Description : UAF vulnerability in the screen recording framework module. Impact: Successful exploitation of this vulnerability may affect availability.
Severity: 6.4 | MEDIUM
CVE-2025-58309 - Apache Startup Recovery Unauthenticated Remote Code Execution and Information Disclosure
CVE ID : CVE-2025-58309
Published : Nov. 28, 2025, 3:15 a.m. | 1 hour, 57 minutes ago
Description : Permission control vulnerability in the startup recovery module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
Severity: 6.8 | MEDIUM
CVE-2025-58310 - Apache Distributed Component Permission Control Bypass
CVE ID : CVE-2025-58310
Published : Nov. 28, 2025, 3:15 a.m. | 1 hour, 57 minutes ago
Description : Permission control vulnerability in the distributed component. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
Severity: 8.0 | HIGH