Total
4104 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-61541 | 1 Webmin | 1 Webmin | 2025-11-06 | N/A | 7.1 HIGH |
| Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker can manipulate the Host header to inject a malicious domain into the reset email. If a victim follows the poisoned link, the attacker can intercept the reset token and gain full control of the target account. | |||||
| CVE-2025-2348 | 1 Iroadau | 2 Fx2, Fx2 Firmware | 2025-11-06 | 3.3 LOW | 4.3 MEDIUM |
| A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been classified as problematic. Affected is an unknown function of the file /mnt/extsd/event/ of the component HTTP/RTSP. The manipulation leads to information disclosure. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2350 | 1 Iroadau | 2 Fx2, Fx2 Firmware | 2025-11-06 | 5.8 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-30133 | 1 Iroadau | 2 Fx2, Fx2 Firmware | 2025-11-06 | N/A | 9.8 CRITICAL |
| An issue was discovered on IROAD Dashcam FX2 devices. Bypass of Device Pairing/Registration can occur. It requires device registration via the "IROAD X View" app for authentication, but its HTTP server lacks this restriction. Once connected to the dashcam's Wi-Fi network via the default password ("qwertyuiop"), an attacker can directly access the HTTP server at http://192.168.10.1 without undergoing the pairing process. Additionally, no alert is triggered on the device when an attacker connects, making this intrusion completely silent. | |||||
| CVE-2025-12346 | 1 Max-3000 | 1 Maxsite Cms | 2025-11-06 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in MaxSite CMS up to 109. This vulnerability affects unknown code of the file application/maxsite/admin/plugins/auto_post/uploads-require-maxsite.php of the component HTTP Header Handler. Performing manipulation of the argument X-Requested-FileName/X-Requested-FileUpDir results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-12347 | 1 Max-3000 | 1 Maxsite Cms | 2025-11-06 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in MaxSite CMS up to 109. This issue affects some unknown processing of the file application/maxsite/admin/plugins/editor_files/save-file-ajax.php. Executing manipulation of the argument file_path/content can lead to unrestricted upload. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-57130 | 2025-11-06 | N/A | 8.3 HIGH | ||
| An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators. | |||||
| CVE-2025-60784 | 2025-11-06 | N/A | 6.5 MEDIUM | ||
| A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou set to an abnormally low value, an attacker can purchase votes at a reduced cost. Furthermore, by modifying the zid parameter, attackers can influence purchases made by other users, amplifying the impact. This issue stems from insufficient server-side validation of these parameters, potentially leading to economic loss and unfair manipulation of vote counts. | |||||
| CVE-2025-60800 | 1 Jishenghua | 1 Jsherp | 2025-11-06 | N/A | 7.5 HIGH |
| Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request. | |||||
| CVE-2019-11634 | 1 Citrix | 2 Receiver, Workspace | 2025-11-06 | 7.5 HIGH | 9.8 CRITICAL |
| Citrix Workspace App before 1904 for Windows has Incorrect Access Control. | |||||
| CVE-2025-7939 | 1 Jerryshensjf | 1 Jpacookieshop | 2025-11-06 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0. It has been classified as critical. Affected is the function addGoods of the file GoodsController.java. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. | |||||
| CVE-2024-48932 | 1 Zimaspace | 1 Zimaos | 2025-11-05 | N/A | 5.3 MEDIUM |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http://<Server-ip>/v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available. | |||||
| CVE-2025-12297 | 1 Pybbs Project | 1 Pybbs | 2025-11-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in atjiu pybbs up to 6.0.0. This affects an unknown function of the file UserApiController.java. The manipulation results in information disclosure. The attack may be launched remotely. The exploit is now public and may be used. | |||||
| CVE-2025-63562 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-11-05 | N/A | 6.3 MEDIUM |
| Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 suffers from insufficient server-side authorization. Authenticated attackers can call several endpoints and perform create/update/delete actions on resources owned by arbitrary users by manipulating request parameters (e.g., owner or resource id). | |||||
| CVE-2025-43499 | 1 Apple | 1 Macos | 2025-11-05 | N/A | 5.5 MEDIUM |
| This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An app may be able to access sensitive user data. | |||||
| CVE-2025-43495 | 1 Apple | 2 Ipados, Iphone Os | 2025-11-05 | N/A | 5.4 MEDIUM |
| The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An app may be able to monitor keystrokes without user permission. | |||||
| CVE-2025-43454 | 1 Apple | 2 Ipados, Iphone Os | 2025-11-05 | N/A | 7.5 HIGH |
| This issue was addressed through improved state management. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. A device may persistently fail to lock. | |||||
| CVE-2025-43450 | 1 Apple | 2 Ipados, Iphone Os | 2025-11-05 | N/A | 7.5 HIGH |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An app may be able to learn information about the current camera view before being granted camera access. | |||||
| CVE-2025-12593 | 1 Fabian | 1 Simple Online Hotel Reservation System | 2025-11-05 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was identified in code-projects Simple Online Hotel Reservation System 2.0. The impacted element is an unknown function of the file /admin/edit_room.php of the component Photo Handler. The manipulation leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | |||||
| CVE-2025-43481 | 1 Apple | 1 Macos | 2025-11-05 | N/A | 5.2 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.2. An app may be able to break out of its sandbox. | |||||