Total
299014 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-40571 | 2025-06-12 | N/A | 2.2 LOW | ||
| A vulnerability has been identified in Mendix OIDC SSO (Mendix 10 compatible) (All versions < V4.1.0), Mendix OIDC SSO (Mendix 10.12 compatible) (All versions < V4.0.1), Mendix OIDC SSO (Mendix 9 compatible) (All versions). The Mendix OIDC SSO module grants read and write access to all tokens exclusively to the Administrator role and could result in privilege misuse by an adversary modifying the module during Mendix development. | |||||
| CVE-2025-1732 | 2025-06-12 | N/A | 6.7 MEDIUM | ||
| An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device. | |||||
| CVE-2025-1731 | 2025-06-12 | N/A | 7.8 HIGH | ||
| An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid. | |||||
| CVE-2025-49822 | 2025-06-12 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-49821 | 2025-06-12 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-49820 | 2025-06-12 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-49819 | 2025-06-12 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-49818 | 2025-06-12 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-49817 | 2025-06-12 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-49816 | 2025-06-12 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-49815 | 2025-06-12 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-49814 | 2025-06-12 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2023-36636 | 2025-06-12 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2024-45516 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 6.1 MEDIUM |
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction. | |||||
| CVE-2025-32354 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 8.8 HIGH |
| In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website. | |||||
| CVE-2025-25065 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.3 MEDIUM |
| SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints. | |||||
| CVE-2025-25064 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 8.8 HIGH |
| SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata. | |||||
| CVE-2024-54663 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 7.5 HIGH |
| An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths. | |||||
| CVE-2024-45517 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM |
| An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL. | |||||
| CVE-2024-45513 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 4.8 MEDIUM |
| An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the /modern/contacts/print endpoint of Zimbra webmail. This allows an attacker to inject and execute arbitrary JavaScript code in the context of the victim's browser when a crafted vCard (VCF) file is processed and printed. This could lead to unauthorized actions within the victim's session. | |||||