Total: 8205 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-24886 | | | 2025-01-30 | N/A | 7.7 HIGH | pwn.college is an education platform to learn about, and practice, core cybersecurity concepts in a hands-on fashion. Incorrect symlink checks on user-specified dojos allow users (admin not required) to perform an LFI from the CTFd container. When a user clones or updates repositories, a check is performed to see if the repository contains any symlinks. A malicious user could craft a repository with symlinks pointed to sensitive files and then retrieve them using the CTFd website.
CVE-2024-8494 | 1 Elementor | 1 Website Builder | 2025-01-30 | N/A | 4.3 MEDIUM | The Elementor Website Builder Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.25.10 via the 'elementor-template' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the content of Private, Pending, and Draft Templates. The vulnerability was partially patched in version 3.24.4.
CVE-2025-24884 | | | 2025-01-29 | N/A | N/A | kube-audit-rest is a simple logger of mutation/creation requests to the k8s API. If the "full-elastic-stack" example vector configuration was used for a real cluster, the previous values of Kubernetes secrets would have been disclosed in the audit messages. This vulnerability is fixed in 1.0.16.
CVE-2024-10352 | 1 Wpthemespace | 1 Magical Addons For Elementor | 2025-01-29 | N/A | 4.3 MEDIUM | The Magical Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.4 via the get_content_type function in includes/widgets/content-reveal.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
CVE-2024-10285 | 1 Ce21 | 1 Ce21 Suite | 2025-01-29 | N/A | 9.8 CRITICAL | The CE21 Suite plugin for WordPress is vulnerable to sensitive information disclosure via the plugin-log.txt file in versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to log in as the user associated with the JWT token.
CVE-2024-10050 | 1 Brainstormforce | 1 Elementor Header & Footer Builder | 2025-01-29 | N/A | 4.3 MEDIUM | The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 1.6.43 via the hfe_template shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to view the contents of Draft, Private and Password-protected posts they do not own.
CVE-2024-7630 | 1 Relevanssi | 1 Relevanssi | 2025-01-29 | N/A | 5.3 MEDIUM | The Relevanssi – A Better Search plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.22.2 via the relevanssi_do_query() function due to insufficient limitations on the posts that are returned when searching. This makes it possible for unauthenticated attackers to extract potentially sensitive information from password-protected posts.
CVE-2023-24505 | 1 Milesight | 2 Ncr/camera, Ncr/camera Firmware | 2025-01-29 | N/A | 5.3 MEDIUM | Milesight NCR/camera version 71.8.0.6-r5 discloses sensitive information through an unspecified request.
CVE-2025-0659 | | | 2025-01-28 | N/A | N/A | A path traversal vulnerability exists in the Rockwell Automation DataEdge Platform DataMosaix Private Cloud. By specifying the character sequence in the body of the vulnerable endpoint, it is possible to overwrite files outside of the intended directory. A threat actor with admin privileges could leverage this vulnerability to overwrite reports, including user projects.
CVE-2024-24919 | 1 Checkpoint | 5 Cloudguard Network Security, Quantum Security Gateway, Quantum Security Gateway Firmware and 2 more | 2025-01-27 | N/A | 8.6 HIGH | This vulnerability potentially allows an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with Remote Access VPN or Mobile Access Software Blades. A security fix that mitigates this vulnerability is available.
CVE-2025-21214 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-01-27 | N/A | 4.2 MEDIUM | Windows BitLocker Information Disclosure Vulnerability
CVE-2023-28357 | 1 Rocket.chat | 1 Rocket.chat | 2025-01-27 | N/A | 4.3 MEDIUM | A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users. This allows authenticated users to enumerate whether a username is a member of a channel that they do not have access to.
CVE-2024-35171 | 1 Kodezen | 1 Academy Lms | 2025-01-27 | N/A | 5.3 MEDIUM | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Academy LMS academy. This issue affects Academy LMS: from n/a through 1.9.25.
CVE-2024-10360 | 1 Moveaddons | 1 Move Addons For Elementor | 2025-01-27 | N/A | 4.3 MEDIUM | The Move Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the render function in includes/widgets/accordion/widget.php, includes/widgets/remote-template/widget.php, and other widget.php files. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
CVE-2025-24360 | | | 2025-01-25 | N/A | 5.3 MEDIUM | Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any website to send arbitrary requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using the Vite builder may have their source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability.
CVE-2025-21242 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-01-24 | N/A | 5.9 MEDIUM | Windows Kerberos Information Disclosure Vulnerability
CVE-2025-21308 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-01-24 | N/A | 6.5 MEDIUM | Windows Themes Spoofing Vulnerability
CVE-2025-24363 | | | 2025-01-24 | N/A | 4.2 MEDIUM | The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.8.9, in CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username- and credential-based URL, the entire URL will be included in the built Implementation Guide, exposing the username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build continuous integration infrastructure. This problem has been patched in release 1.8.9. Some workarounds are available. Users should ensure the IG repo they are publishing does not have a username or credentials included in the `origin` URL. Running the command `git remote origin url` should return a URL that contains no username, password, or token; alternatively, users should run the IG Publisher CLI with the `-repo` parameter and specify a URL that contains no username, password, or token.
CVE-2025-22612 | | | 2025-01-24 | N/A | 10.0 CRITICAL | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, missing authorization allows an authenticated user to retrieve any existing private keys on a Coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue.
CVE-2023-27870 | 1 Ibm | 1 Spectrum Virtualize | 2025-01-24 | N/A | 5.9 MEDIUM | IBM Spectrum Virtualize 8.5, under certain circumstances, could disclose sensitive credential information while a download from Fix Central is in progress. IBM X-Force ID: 249518.