CVE-2025-59698 - Entrust nShield Connect XC/5c/HSMi Physical Bootloader Access Vulnerability
CVE ID : CVE-2025-59698
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, might allow a physically proximate attacker to gain access to the EOL legacy bootloader.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59698
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, might allow a physically proximate attacker to gain access to the EOL legacy bootloader.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59699 - Entrust nShield Connect XC Privilege Escalation Vulnerability
CVE ID : CVE-2025-59699
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by booting from a USB device with a valid root filesystem. This occurs because of insecure default settings in the Legacy GRUB Bootloader.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59699
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by booting from a USB device with a valid root filesystem. This occurs because of insecure default settings in the Legacy GRUB Bootloader.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59700 - Entrust nShield Connect XC/HSMi Root Privilege Escalation
CVE ID : CVE-2025-59700
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with root access to modify the Recovery Partition (because of a lack of integrity protection).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59700
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with root access to modify the Recovery Partition (because of a lack of integrity protection).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59701 - Entrust nShield Connect XC, nShield 5c, and nShield HSM Physical Storage Unencrypted Vulnerability
CVE ID : CVE-2025-59701
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59701
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59702 - Entrust nShield Connect XC, nShield 5c, and nShield HSMi Tamper Bypass Vulnerability
CVE ID : CVE-2025-59702
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59702
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59705 - Entrust nShield Connect XC, nShield 5c, and nShield HSMi Privilege Escalation Vulnerability
CVE ID : CVE-2025-59705
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to Escalate Privileges by enabling the USB interface through chassis probe insertion during system boot, aka "Unauthorized Reactivation of the USB interface" or F01.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59705
Published : Dec. 2, 2025, 3:15 p.m. | 2 hours, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to Escalate Privileges by enabling the USB interface through chassis probe insertion during system boot, aka "Unauthorized Reactivation of the USB interface" or F01.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12630 - Upload.am File Hosting VPN < 1.0.1 - Contributor+ Arbitrary Option Disclosure
CVE ID : CVE-2025-12630
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view site options.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12630
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view site options.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13372 - Potential SQL injection in FilteredRelation column aliases on PostgreSQL
CVE ID : CVE-2025-13372
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13372
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13877 - nocobase JWT Service jwt-service.ts hard-coded key
CVE ID : CVE-2025-13877
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13877
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58113 - PDF-XChange Editor Out-of-Bounds Read Vulnerability
CVE ID : CVE-2025-58113
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : An out-of-bounds read vulnerability exists in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.7.3.401. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58113
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : An out-of-bounds read vulnerability exists in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.7.3.401. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59703 - Entrust nShield Connect XC, nShield 5c, and nShield HSMi Physical Proximity F14 Attack Vulnerability
CVE ID : CVE-2025-59703
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access the internal components of the appliance, without leaving tamper evidence. To exploit this, the attacker needs to remove the tamper label and all fixing screws from the device without damaging it. This is called an F14 attack.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59703
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access the internal components of the appliance, without leaving tamper evidence. To exploit this, the attacker needs to remove the tamper label and all fixing screws from the device without damaging it. This is called an F14 attack.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59704 - Entrust nShield Connect XC, nShield 5c, and nShield HSMi BIOS Password Bypass
CVE ID : CVE-2025-59704
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an attacker to gain access the the BIOS menu because is has no password.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59704
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an attacker to gain access the the BIOS menu because is has no password.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63872 - DeepSeek XSS Vector Injection
CVE ID : CVE-2025-63872
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, which allows JavaScript execution through model-generated SVG content.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63872
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, which allows JavaScript execution through model-generated SVG content.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64460 - Potential denial-of-service vulnerability in XML serializer text extraction
CVE ID : CVE-2025-64460
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64460
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65187 - CiviCRM Stored XSS
CVE ID : CVE-2025-65187
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65187
Published : Dec. 2, 2025, 4:15 p.m. | 1 hour, 21 minutes ago
Description : A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13827 - GrapesJsBuilder File Upload allows all file uploads
CVE ID : CVE-2025-13827
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. ImpactIf the media folder is not restricted from running files this can lead to a remote code execution.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13827
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. ImpactIf the media folder is not restricted from running files this can lead to a remote code execution.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13828 - Mautic user without privileged access to the Marketplace can install and uninstall composer packages
CVE ID : CVE-2025-13828
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : SummaryA non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. ImpactA low-privileged user of the platform can install malicious code to obtain higher privileges.
Severity: 9.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13828
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : SummaryA non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. ImpactA low-privileged user of the platform can install malicious code to obtain higher privileges.
Severity: 9.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64070 - Sourcecodester Student Grades Management System Cross Site Scripting (XSS)
CVE ID : CVE-2025-64070
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64070
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65186 - Grav CMS Stored XSS Vulnerability
CVE ID : CVE-2025-65186
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize
CVE ID : CVE-2025-65186
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize
CVE-2025-65358 - Edoc Doctor Appointment System SQL Injection Vulnerability
CVE ID : CVE-2025-65358
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : Edoc-doctor-appointment-system v1.0.1 was discovered to contain SQl injection vulnerability via the 'docid' parameter at /admin/appointment.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65358
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : Edoc-doctor-appointment-system v1.0.1 was discovered to contain SQl injection vulnerability via the 'docid' parameter at /admin/appointment.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65656 - Apache Dcat-Admin File Inclusion Vulnerability
CVE ID : CVE-2025-65656
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65656
Published : Dec. 2, 2025, 5:16 p.m. | 21 minutes ago
Description : dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...