๐จ CVE-2025-12939
A security flaw has been discovered in SourceCodester Interview Management System up to 1.0. Affected by this issue is some unknown functionality of the file /addCandidate.php. The manipulation of the argument candName results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
๐@cveNotify
A security flaw has been discovered in SourceCodester Interview Management System up to 1.0. Affected by this issue is some unknown functionality of the file /addCandidate.php. The manipulation of the argument candName results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
๐@cveNotify
GitHub
SOURCECODESTER Interview Management System Project V1.0 /addCandidate.php SQL injection and Input Validation ยท Issue #10 ยท puppytgyh/โฆ
SOURCECODESTER Interview Management System Project V1.0 /addCandidate.php SQL injection and Input Validation NAME OF AFFECTED PRODUCT(S) Interview Management System Project Vendor Homepage https://...
๐จ CVE-2025-6032
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
๐@cveNotify
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
๐@cveNotify
๐จ CVE-2025-4953
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
๐@cveNotify
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
๐@cveNotify
๐จ CVE-2025-12735
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.
๐@cveNotify
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.
๐@cveNotify
GitHub
GitHub - jorenbroekema/expr-eval: Mathematical expression evaluator in JavaScript
Mathematical expression evaluator in JavaScript. Contribute to jorenbroekema/expr-eval development by creating an account on GitHub.
๐จ CVE-2025-64456
In JetBrains ReSharper before 2025.2.4 missing signature verification in DPA Collector allows local privilege escalation
๐@cveNotify
In JetBrains ReSharper before 2025.2.4 missing signature verification in DPA Collector allows local privilege escalation
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64457
In JetBrains dotTrace before 2025.2.5 local privilege escalation possible via race condition
๐@cveNotify
In JetBrains dotTrace before 2025.2.5 local privilege escalation possible via race condition
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64681
In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations
๐@cveNotify
In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64682
In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit
๐@cveNotify
In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64683
In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API
๐@cveNotify
In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64684
In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form
๐@cveNotify
In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64685
In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure
๐@cveNotify
In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64686
In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of incorrect authorization context
๐@cveNotify
In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of incorrect authorization context
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64687
In JetBrains YouTrack before 2025.3.104432 improper access control allowed modify MCP tool logic
๐@cveNotify
In JetBrains YouTrack before 2025.3.104432 improper access control allowed modify MCP tool logic
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64688
In JetBrains YouTrack before 2025.3.104432 missing VCS URL validation allowed delegation to unauthorized repositories from the Junie widget
๐@cveNotify
In JetBrains YouTrack before 2025.3.104432 missing VCS URL validation allowed delegation to unauthorized repositories from the Junie widget
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64689
In JetBrains YouTrack before 2025.3.104432 misconfiguration in the Junie could lead to exposure of the global Junie token
๐@cveNotify
In JetBrains YouTrack before 2025.3.104432 misconfiguration in the Junie could lead to exposure of the global Junie token
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2025-64690
In JetBrains YouTrack before 2025.3.104432 insecure Junie configuration could lead to data exposure and unauthorized changes
๐@cveNotify
In JetBrains YouTrack before 2025.3.104432 insecure Junie configuration could lead to data exposure and unauthorized changes
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2020-8657
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
๐@cveNotify
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
๐@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
๐จ CVE-2020-8655
An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7.
๐@cveNotify
An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7.
๐@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
๐จ CVE-2020-9054
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
๐@cveNotify
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
๐@cveNotify
cwe.mitre.org
CWE -
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (4.19.1)
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (4.19.1)
Common Weakness Enumeration (CWE) is a list of software weaknesses.
๐จ CVE-2020-8816
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
๐@cveNotify
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
๐@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
๐จ CVE-2020-9377
D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
๐@cveNotify
D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
๐@cveNotify