Total
295465 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-55415 | 1 Thecontrolgroup | 1 Voyager | 2025-05-23 | N/A | 5.7 MEDIUM |
| DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass. | |||||
| CVE-2025-0792 | 1 Esafenet | 1 Cdg | 2025-05-23 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in ESAFENET CDG V5. Affected is an unknown function of the file /sdTodoDetail.jsp. The manipulation of the argument flowId leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-25858 | 1 Foxit | 2 Pdf Editor, Pdf Reader | 2025-05-23 | N/A | 8.4 HIGH |
| In Foxit PDF Reader before 2024.1 and PDF Editor before 2024.1, code execution via JavaScript could occur because of an unoptimized prompt message for users to review parameters of commands. | |||||
| CVE-2023-48644 | 1 Eptura | 1 Archibus | 2025-05-23 | N/A | 6.1 MEDIUM |
| An issue was discovered in the Archibus app 4.0.3 for iOS. There is an XSS vulnerability in the create work request feature of the maintenance module, via the description field. This allows an attacker to perform an action on behalf of the user, exfiltrate data, and so on. | |||||
| CVE-2024-24278 | 2 Microsoft, Teamwire | 2 Windows, Teamwire | 2025-05-23 | N/A | 7.5 HIGH |
| An issue in Teamwire Windows desktop client v.2.0.1 through v.2.4.0 allows a remote attacker to obtain sensitive information via a crafted payload to the message function. | |||||
| CVE-2024-21805 | 1 Skygroup | 1 Skysea Client View | 2025-05-23 | N/A | 7.8 HIGH |
| Improper access control vulnerability exists in the specific folder of SKYSEA Client View versions from Ver.16.100 prior to Ver.19.2. If this vulnerability is exploited, an arbitrary file may be placed in the specific folder by a user who can log in to the PC where the product's Windows client is installed. In case the file is a specially crafted DLL file, arbitrary code may be executed with SYSTEM privilege. | |||||
| CVE-2024-24964 | 1 Skygroup | 1 Skysea Client View | 2025-05-23 | N/A | 6.3 MEDIUM |
| Improper access control vulnerability exists in the resident process of SKYSEA Client View versions from Ver.11.220 prior to Ver.19.2. If this vulnerability is exploited, an arbitrary process may be executed with SYSTEM privilege by a user who can log in to the PC where the product's Windows client is installed. | |||||
| CVE-2024-2020 | 1 Codepeople | 1 Calculated Fields Form | 2025-05-23 | N/A | 7.2 HIGH |
| The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher. | |||||
| CVE-2024-28662 | 1 Piwigo | 1 Piwigo | 2025-05-23 | N/A | 5.4 MEDIUM |
| A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/include/functions.php. | |||||
| CVE-2025-0791 | 1 Esafenet | 1 Cdg | 2025-05-23 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in ESAFENET CDG V5. This issue affects some unknown processing of the file /sdDoneDetail.jsp. The manipulation of the argument flowId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-25934 | 1 Formfacade | 1 Formfacade | 2025-05-23 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FormFacade allows Stored XSS.This issue affects FormFacade: from n/a through 1.0.0. | |||||
| CVE-2024-24539 | 1 Fusionpbx | 1 Fusionpbx | 2025-05-23 | N/A | 5.3 MEDIUM |
| FusionPBX before 5.2.0 does not validate a session. | |||||
| CVE-2024-23721 | 1 Draytek | 2 Vigor3910, Vigor3910 Firmware | 2025-05-23 | N/A | 7.5 HIGH |
| A Directory Traversal issue was discovered in process_post on Draytek Vigor3910 4.3.2.5 devices. When sending a certain POST request, it calls the function and exports information. | |||||
| CVE-2025-0790 | 1 Esafenet | 1 Cdg | 2025-05-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic was found in ESAFENET CDG V5. This vulnerability affects unknown code of the file /doneDetail.jsp. The manipulation of the argument curpage leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-0789 | 1 Esafenet | 1 Cdg | 2025-05-23 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in ESAFENET CDG V5. This affects an unknown part of the file /doneDetail.jsp. The manipulation of the argument flowId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-40775 | 2025-05-23 | N/A | 7.5 HIGH | ||
| When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7. | |||||
| CVE-2025-31672 | 2025-05-23 | N/A | 5.3 MEDIUM | ||
| Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations about how to use the POI libraries securely. | |||||
| CVE-2025-1861 | 2025-05-23 | N/A | N/A | ||
| In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location. | |||||
| CVE-2025-1736 | 2025-05-23 | N/A | N/A | ||
| In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted. | |||||
| CVE-2025-1734 | 2025-05-23 | N/A | N/A | ||
| In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers. | |||||