π¨ CVE-2021-42193
nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires.
π@cveNotify
nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires.
π@cveNotify
Cxsecurity
nopCommerce 4.40.3 - Stored Cross-Site Scripting (XSS) - CXSecurity.com
Scott Sturrock has realised a new security note nopCommerce 4.40.3 - Stored Cross-Site Scripting (XSS)
π¨ CVE-2025-60956
Cross Site Request Forgery (CSRF) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
π@cveNotify
Cross Site Request Forgery (CSRF) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
π@cveNotify
π¨ CVE-2025-60957
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
π@cveNotify
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
π@cveNotify
β€1
π¨ CVE-2025-60959
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information.
π@cveNotify
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information.
π@cveNotify
π¨ CVE-2025-60960
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
π@cveNotify
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
π@cveNotify
π¨ CVE-2025-60961
Cross Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information, and possibly other unspecified impacts.
π@cveNotify
Cross Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information, and possibly other unspecified impacts.
π@cveNotify
π¨ CVE-2025-60962
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information, and possibly other unspecified impacts.
π@cveNotify
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information, and possibly other unspecified impacts.
π@cveNotify
π¨ CVE-2025-60963
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
π@cveNotify
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
π@cveNotify
π¨ CVE-2025-60964
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, gain sensitive information, and possibly other unspecified impacts.
π@cveNotify
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, gain sensitive information, and possibly other unspecified impacts.
π@cveNotify
π¨ CVE-2025-60965
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, gain sensitive information, and possibly other unspecified impacts.
π@cveNotify
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, gain sensitive information, and possibly other unspecified impacts.
π@cveNotify
π¨ CVE-2025-60967
Cross Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0076-000 Ver 4.00 allows attackers to gain sensitive information.
π@cveNotify
Cross Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0076-000 Ver 4.00 allows attackers to gain sensitive information.
π@cveNotify
π¨ CVE-2025-60969
Directory Traversal vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0076-000 Ver 4.00 allows attackers to gain sensitive information.
π@cveNotify
Directory Traversal vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0076-000 Ver 4.00 allows attackers to gain sensitive information.
π@cveNotify
π¨ CVE-2025-56218
An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.
π@cveNotify
An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.
π@cveNotify
GitHub
GitHub - saykino/CVE-2025-56218
Contribute to saykino/CVE-2025-56218 development by creating an account on GitHub.
π¨ CVE-2025-56219
Incorrect access control in SigningHub v8.6.8 allows attackers to arbitrarily add user accounts without any rate limiting. This can lead to a resource exhaustion and a Denial of Service (DoS) when an excessively large number of user accounts are created.
π@cveNotify
Incorrect access control in SigningHub v8.6.8 allows attackers to arbitrarily add user accounts without any rate limiting. This can lead to a resource exhaustion and a Denial of Service (DoS) when an excessively large number of user accounts are created.
π@cveNotify
GitHub
GitHub - saykino/CVE-2025-56219
Contribute to saykino/CVE-2025-56219 development by creating an account on GitHub.
π¨ CVE-2025-56223
A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to cause a Denial of Service (DoS) via uploading an excessive number of files.
π@cveNotify
A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to cause a Denial of Service (DoS) via uploading an excessive number of files.
π@cveNotify
GitHub
GitHub - saykino/CVE-2025-56223
Contribute to saykino/CVE-2025-56223 development by creating an account on GitHub.
π¨ CVE-2025-56224
A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attackers to bypass verification via a bruteforce attack.
π@cveNotify
A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attackers to bypass verification via a bruteforce attack.
π@cveNotify
GitHub
GitHub - saykino/CVE-2025-56224
Contribute to saykino/CVE-2025-56224 development by creating an account on GitHub.
π¨ CVE-2025-60511
Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.
π@cveNotify
Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.
π@cveNotify
GitHub
GitHub - onurcangnc/moodle_block_openai_chat: The completion.php endpoint uses the blockId parameter to determine which chat blockβ¦
The completion.php endpoint uses the blockId parameter to determine which chat block configuration (prompt templates, source of truth entries, model settings) to use when processing OpenAI completi...
π¨ CVE-2025-56447
TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.
π@cveNotify
TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.
π@cveNotify
Gist
CVE-2025-56447 Authentication Bypass and Credential Disclosure in TM2 Monitoring v3.04.md
GitHub Gist: instantly share code, notes, and snippets.
π¨ CVE-2025-60419
An issue was discovered in the NDIS Usermode IO driver (RtkIOAC60.sys, version 6.0.5600.16348) allowing local authenticated attackers to send a crafted IOCTL request to the driver to cause a denial of service.
π@cveNotify
An issue was discovered in the NDIS Usermode IO driver (RtkIOAC60.sys, version 6.0.5600.16348) allowing local authenticated attackers to send a crafted IOCTL request to the driver to cause a denial of service.
π@cveNotify
Cybersecurity Research Blog
CVE-2025-60419: Driver-induced Denial of Service via IOCTL handling
CVE-2025-60419 β a null-pointer dereference DoS in RtkIOAC60.sys triggered by sending an empty IRP buffer to IOCTL_NDISPROT_SET_EVENT, with full PoC.
π¨ CVE-2025-56385
A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents.
π@cveNotify
A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents.
π@cveNotify
Machevalia
CVE-2025-56385 Wellsky Harmony SQL Injection β Machevalia
Background A SQL injection vulnerability has been identified in WellSky Harmony v4.1.0.2.83 affecting the xmHarmony.asp login endpoint. WellSky Harmony is used for healthcare and related administrative workflows. User-supplied input to a login parameterβ¦
π¨ CVE-2025-63891
Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET request to /obs/database/obs_db.sql.
π@cveNotify
Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET request to /obs/database/obs_db.sql.
π@cveNotify
GitHub
CVEs/CVE-2025-63891.md at main Β· lucascdsm/CVEs
Salve! esse Γ© o repositΓ³rio que vai constar as CVEs que for encontrando durante minha jornada - lucascdsm/CVEs