Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2024-11636 2025-01-13 MEDIUM 4.8 The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Text Block options, which could allow high privilege users such…
CVE-2025-29602 2025-05-07 MEDIUM 6.1 flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Administration area via Manage categories.
CVE-2025-29154 2025-05-07 MEDIUM 6.5 HTML injection vulnerability in lemeconsultoria HCM galera.app v.4.58.0 allows an attacker to execute arbitrary code via the .galera.app/ted/solicitacao_treinamento/, .galera.app/rh/metas/perspectiva_estrategica/edicao/, .galera.app/rh/cadastros/perspectivas/listagem/adc/, .galera.app/escolaridade/listagem/, .galera.app/estados_civis/cadastro/, .galera.app/nivel_hierarquico/listagem/, .galera.app/nivel_decisorio/cadastro/, .galera.app/escolaridade/cadastro/, .galera.app/nivel_decisorio/listagem/, .galera.app/rh/cadastros/perspectivas/listagem/, .galera.app/empresas_grupo/cadastro/,…
CVE-2024-25407 2024-02-13 HIGH 7.5 SteVe v3.6.0 was discovered to use predictable transaction ID's when receiving a StartTransaction request. This vulnerability can allow attackers to cause a Denial of Service (DoS) by using…
CVE-2024-25454 2024-02-09 MEDIUM 5.5 Bento4 v1.6.0-640 was discovered to contain a NULL pointer dereference via the AP4_DescriptorFinder::Test() function.
CVE-2024-25302 2024-02-09 CRITICAL 9.8 Sourcecodester Event Student Attendance System 1.0, allows SQL Injection via the 'student' parameter.
CVE-2024-25003 2024-02-09 HIGH 7.8 KiTTY versions 0.76.1.13 and before is vulnerable to a stack-based buffer overflow via the hostname, occurs due to insufficient bounds checking and input sanitization. This allows an attacker…
CVE-2024-24830 2024-02-08 CRITICAL 9.9 OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This…
CVE-2024-24216 2024-02-08 CRITICAL 9.8 Zentao v18.0 to v18.10 was discovered to contain a remote code execution (RCE) vulnerability via the checkConnection method of /app/zentao/module/repo/model.php.
CVE-2024-24350 2024-02-08 HIGH 8.8 File Upload vulnerability in Software Publico e-Sic Livre v.2.0 and before allows a remote attacker to execute arbitrary code via the extension filtering component.
CVE-2024-24255 2024-02-06 MEDIUM 4.2 A Race Condition discovered in geofence.cpp and mission_feasibility_checker.cpp in PX4 Autopilot 1.14 and earlier allows attackers to send drones on unintended missions.
CVE-2024-24003 2024-02-08 CRITICAL 9.8 jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct…
CVE-2024-24186 2024-02-07 CRITICAL 9.8 Jsish v3.5.0 (commit 42c694c) was discovered to contain a stack-overflow via the component IterGetKeysCallback at /jsish/src/jsiValue.c.
CVE-2024-22515 2024-02-06 HIGH 8.8 Unrestricted File Upload vulnerability in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to upload arbitrary files via the upload audio component.
CVE-2024-24112 2024-02-06 CRITICAL 9.8 xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter.
CVE-2024-22012 2024-02-07 HIGH 7.8 there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.…
CVE-2023-33770 2025-05-06 MEDIUM 5.1 Real Estate Management System v1.0 was discovered to contain a SQL injection vulnerability via the message parameter at /contact.php.
CVE-2022-43435 2022-10-19 MEDIUM 5.3 Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
CVE-2022-43434 2022-10-19 MEDIUM 5.3 Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
CVE-2022-43433 2022-10-19 MEDIUM 4.3 Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
CVE-2022-43432 2022-10-19 MEDIUM 4.3 Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
CVE-2022-43431 2022-10-19 MEDIUM 4.3 Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of…
CVE-2022-43430 2022-10-19 HIGH 7.5 Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-43429 2022-10-19 HIGH 7.5 Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control…
CVE-2022-43428 2022-10-19 MEDIUM 5.3 Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control…
CVE-2022-43427 2022-10-19 MEDIUM 4.3 Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs…
CVE-2022-43426 2022-10-19 MEDIUM 5.3 Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.
CVE-2022-43425 2022-10-19 MEDIUM 5.4 Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored…
CVE-2022-43423 2022-10-19 MEDIUM 5.3 Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing…
CVE-2022-43422 2022-10-19 MEDIUM 5.3 Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes…
CVE-2022-43421 2022-10-19 MEDIUM 5.3 A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value.
CVE-2022-43420 2022-10-19 MEDIUM 5.4 Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting…
CVE-2022-43419 2022-10-19 MEDIUM 6.5 Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read…
CVE-2022-43418 2022-10-19 MEDIUM 4.3 A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another…
CVE-2022-43417 2022-10-19 MEDIUM 4.3 Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified…
CVE-2022-31690 2022-10-31 HIGH 8.1 Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious…
CVE-2022-39823 2022-10-20 HIGH 7.5 An issue was discovered in Softing OPC UA C++ SDK 5.66 through 6.x before 6.10. An OPC/UA browse request exceeding the server limit on continuation points may cause…
CVE-2022-37453 2022-10-20 HIGH 7.5 An issue was discovered in Softing OPC UA C++ SDK before 6.10. A buffer overflow or an excess allocation happens due to unchecked array and matrix bounds in…
CVE-2022-3577 2022-10-20 HIGH 7.8 An out-of-bounds memory write flaw was found in the Linux kernel’s Kid-friendly Wired Controller driver. This flaw allows a local user to crash or potentially escalate their privileges…
CVE-2022-2627 2022-10-31 MEDIUM 6.1 The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site…
CVE-2024-2159 2024-04-26 MEDIUM 4.7 The Social Sharing Plugin WordPress plugin before 3.3.61 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode…
CVE-2024-0905 2024-04-26 MEDIUM 6.3 The Fancy Product Designer WordPress plugin before 6.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting…
CVE-2024-3265 2024-04-25 MEDIUM 4.7 The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct…
CVE-2024-3261 2024-04-24 MEDIUM 4.8 The Strong Testimonials WordPress plugin before 3.1.12 does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users…
CVE-2024-2972 2024-04-24 LOW 3.8 The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.1.9 does not sanitise and escape some of…
CVE-2024-2402 2024-04-24 MEDIUM 5.4 The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored…
CVE-2023-7253 2024-04-24 MEDIUM 6.1 The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations.
CVE-2025-3220 2025-04-04 HIGH 7.3 A vulnerability was found in PHPGurukul e-Diary Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard.php.…
CVE-2025-3217 2025-04-04 HIGH 7.3 A vulnerability was found in PHPGurukul e-Diary Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /registration.php. The manipulation of…
CVE-2025-3216 2025-04-04 HIGH 7.3 A vulnerability was found in PHPGurukul e-Diary Management System 1.0. It has been classified as critical. This affects an unknown part of the file /password-recovery.php. The manipulation of…
« Anterior Página 1260 de 4311 Siguiente »