π¨ CVE-2014-0770
By providing an overly long string to the UserName parameter, an
attacker may be able to overflow the static stack buffer. The attacker
may then execute code on the target device remotely.
π@cveNotify
By providing an overly long string to the UserName parameter, an
attacker may be able to overflow the static stack buffer. The attacker
may then execute code on the target device remotely.
π@cveNotify
Advantech
WebAccess - Advantech
Advantech is a leading brand in IoT intelligent systems, Industry 4.0, machine automation, embedding computing, embedded systems, transportation, environment monitoring, power automation, retail, logistics, fleet management, healthcare IT, medical solutionsβ¦
π¨ CVE-2014-0771
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named
βOpenUrlToBuffer.β This method takes a URL as a parameter and returns
its contents to the caller in JavaScript. The URLs are accessed in the
security context of the current browser session. The control does not
perform any URL validation and allows βfile://β URLs that access the
local disk.
The method can be used to open a URL (including file URLs) and read
file URLs through JavaScript. This method could also be used to reach
any arbitrary URL to which the browser has access.
π@cveNotify
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named
βOpenUrlToBuffer.β This method takes a URL as a parameter and returns
its contents to the caller in JavaScript. The URLs are accessed in the
security context of the current browser session. The control does not
perform any URL validation and allows βfile://β URLs that access the
local disk.
The method can be used to open a URL (including file URLs) and read
file URLs through JavaScript. This method could also be used to reach
any arbitrary URL to which the browser has access.
π@cveNotify
Advantech
WebAccess - Advantech
Advantech is a leading brand in IoT intelligent systems, Industry 4.0, machine automation, embedding computing, embedded systems, transportation, environment monitoring, power automation, retail, logistics, fleet management, healthcare IT, medical solutionsβ¦
π¨ CVE-2023-21468
Improper access control vulnerability in Telephony prior to SMR Apr-2023 Release 1 allows attackers to access files with escalated permission.
π@cveNotify
Improper access control vulnerability in Telephony prior to SMR Apr-2023 Release 1 allows attackers to access files with escalated permission.
π@cveNotify
π¨ CVE-2023-21469
Improper access control vulnerability in SLocation prior to SMR Apr-2022 Release 1 allows local attackers to get device location information using com.samsung.android.wifi.GEOFENCE action.
π@cveNotify
Improper access control vulnerability in SLocation prior to SMR Apr-2022 Release 1 allows local attackers to get device location information using com.samsung.android.wifi.GEOFENCE action.
π@cveNotify
π¨ CVE-2023-21470
Improper access control vulnerability in SLocation prior to SMR Apr-2022 Release 1 allows local attackers to get device location information using com.samsung.android.wifi.NETWORK_LOCATION action.
π@cveNotify
Improper access control vulnerability in SLocation prior to SMR Apr-2022 Release 1 allows local attackers to get device location information using com.samsung.android.wifi.NETWORK_LOCATION action.
π@cveNotify
π¨ CVE-2023-21474
Intent redirection vulnerability in SecSettings prior to SMR Apr-2022 Release 1 allows attackers to access arbitrary file with system privilege.
π@cveNotify
Intent redirection vulnerability in SecSettings prior to SMR Apr-2022 Release 1 allows attackers to access arbitrary file with system privilege.
π@cveNotify
π¨ CVE-2023-21478
Improper input validation vulnerability in TIGERF trustlet prior to SMR Apr-2023 Release 1 allows local attackers to access protected data.
π@cveNotify
Improper input validation vulnerability in TIGERF trustlet prior to SMR Apr-2023 Release 1 allows local attackers to access protected data.
π@cveNotify
π¨ CVE-2023-21480
Improper input validation vulnerability in CertByte prior to SMR Apr-2023 Release 1 allows local attackers to launch privileged activities.
π@cveNotify
Improper input validation vulnerability in CertByte prior to SMR Apr-2023 Release 1 allows local attackers to launch privileged activities.
π@cveNotify
π¨ CVE-2025-56706
Edimax BR-6473AX v1.0.28 was discovered to contain a remote code execution (RCE) vulnerability via the Object parameter in the openwrt_getConfig function.
π@cveNotify
Edimax BR-6473AX v1.0.28 was discovered to contain a remote code execution (RCE) vulnerability via the Object parameter in the openwrt_getConfig function.
π@cveNotify
GitHub
CVE/BR-6473AX/1.md at main Β· woaiqjj/CVE
Contribute to woaiqjj/CVE development by creating an account on GitHub.
π¨ CVE-2025-54761
An issue was discovered in PPress 0.0.9 allowing attackers to gain escilated privlidges via crafted session cookie.
π@cveNotify
An issue was discovered in PPress 0.0.9 allowing attackers to gain escilated privlidges via crafted session cookie.
π@cveNotify
GitHub
PPress-CMS_vulnerability_chain_details/CVE-2025-54761 Details.md at main Β· quarter77/PPress-CMS_vulnerability_chain_details
PPress-CMS vulnerability chain details. Contribute to quarter77/PPress-CMS_vulnerability_chain_details development by creating an account on GitHub.
β€1
π¨ CVE-2025-56762
Paracrawl KeOPs v2 is vulnerable to Cross Site Scripting (XSS) in error.php.
π@cveNotify
Paracrawl KeOPs v2 is vulnerable to Cross Site Scripting (XSS) in error.php.
π@cveNotify
GitHub
GitHub - Shaunak-Chatterjee/CVE-2025-56762: Proof of Concept for CVE-2025-56762
Proof of Concept for CVE-2025-56762. Contribute to Shaunak-Chatterjee/CVE-2025-56762 development by creating an account on GitHub.
π¨ CVE-2025-57396
Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. This is due to the rework of the API, which resulted in the User Profile API Endpoint containing two boolean values indicating whether a user is staff or administrative. Consequently, any user can escalate their privileges to the highest level.
π@cveNotify
Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. This is due to the rework of the API, which resulted in the User Profile API Endpoint containing two boolean values indicating whether a user is staff or administrative. Consequently, any user can escalate their privileges to the highest level.
π@cveNotify
Maximilian Hildebrand
Continuous Checks are Important - Privilege Escalation in Tandoor Recipes
Tandoor Recipes 2.0.0-alpha-1 is vulnerable to privilege escalation. This is due to the rework of the API, which resulted in the User Profile API Endpoint containing two boolean values indicating whether a user is staff or administrative. Consequently, anyβ¦
π¨ CVE-2025-43808
The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL.
π@cveNotify
The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL.
π@cveNotify
π₯2
π¨ CVE-2025-1691
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using βtabβ to autocomplete text that is a prefix of the attackerβs prepared autocompletion. This issue affects mongosh versions prior to 2.3.9.
The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
π@cveNotify
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using βtabβ to autocomplete text that is a prefix of the attackerβs prepared autocompletion. This issue affects mongosh versions prior to 2.3.9.
The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
π@cveNotify
π¨ CVE-2025-1692
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the userβs clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9
π@cveNotify
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the userβs clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9
π@cveNotify
β€1
π¨ CVE-2025-1693
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.
The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
This issue affects mongosh versions prior to 2.3.9
π@cveNotify
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.
The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
This issue affects mongosh versions prior to 2.3.9
π@cveNotify
π¨ CVE-2025-10059
An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.
π@cveNotify
An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.
π@cveNotify
π¨ CVE-2025-10200
Use after free in Serviceworker in Google Chrome on Desktop prior to 140.0.7339.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
π@cveNotify
Use after free in Serviceworker in Google Chrome on Desktop prior to 140.0.7339.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 140.0.7339.127/.128 for Windows, 140.0.7339.132/.133 for Mac and 140.0.7339.127 for Linux which w...
π¨ CVE-2025-10201
Inappropriate implementation in Mojo in Google Chrome on Android, Linux, ChromeOS prior to 140.0.7339.127 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
π@cveNotify
Inappropriate implementation in Mojo in Google Chrome on Android, Linux, ChromeOS prior to 140.0.7339.127 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 140.0.7339.127/.128 for Windows, 140.0.7339.132/.133 for Mac and 140.0.7339.127 for Linux which w...