Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

CVE ID	Publicado	Severidad	CVSS	Descripción
CVE-2025-67844	2025-12-19	MEDIUM	5.0	The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate…
CVE-2025-67843	2025-12-19	HIGH	8.3	A Server-Side Template Injection (SSTI) vulnerability in the MDX Rendering Engine in Mintlify Platform before 2025-11-15 allows remote attackers to execute arbitrary code via inline JSX expressions in…
CVE-2025-67842	2025-12-19	MEDIUM	6.4	The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can…
CVE-2025-52692	2025-12-19	HIGH	8.8	Successful exploitation of the vulnerability could allow an attacker with local network access to send a specially crafted URL to access certain administration functions without login credentials.
CVE-2025-14910	2025-12-19	MEDIUM	4.3	A vulnerability was detected in Edimax BR-6208AC 1.02. This impacts the function handle_retr of the component FTP Daemon Service. The manipulation results in path traversal. The attack may…
CVE-2025-14909	2025-12-19	MEDIUM	4.3	A weakness has been identified in JeecgBoot up to 3.9.0. The impacted element is the function SysUserOnlineController of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. Executing manipulation can lead to manage user…
CVE-2025-13941	2025-12-19	HIGH	8.8	A local privilege escalation vulnerability exists in the Foxit PDF Reader/Editor Update Service. During plugin installation, incorrect file system permissions are assigned to resources used by the update…
CVE-2025-14908	2025-12-19	MEDIUM	6.3	A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component Multi-Tenant Management Module.…
CVE-2025-14900	2025-12-19	MEDIUM	4.7	A security vulnerability has been detected in CodeAstro Real Estate Management System 1.0. Affected is an unknown function of the file /admin/userdelete.php of the component Administrator Endpoint. Such…
CVE-2025-14899	2025-12-19	MEDIUM	4.7	A weakness has been identified in CodeAstro Real Estate Management System 1.0. This impacts an unknown function of the file /admin/stateadd.php of the component Administrator Endpoint. This manipulation…
CVE-2025-11774	2025-12-19	HIGH	8.2	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the software keyboard function (hereinafter referred to as "keypad function") of Mitsubishi Electric…
CVE-2025-64675	2025-12-19	HIGH	8.3	Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-14898	2025-12-19	MEDIUM	4.7	A security flaw has been discovered in CodeAstro Real Estate Management System 1.0. This affects an unknown function of the file /admin/userbuilderdelete.php of the component Administrator Endpoint. The…
CVE-2025-14897	2025-12-19	MEDIUM	4.7	A vulnerability was identified in CodeAstro Real Estate Management System 1.0. The impacted element is an unknown function of the file /admin/useragentdelete.php of the component Administrator Endpoint. The…
CVE-2025-68422	2025-12-18	MEDIUM	4.3	Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows…
CVE-2025-68398	2025-12-18	CRITICAL	9.1	Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1…
CVE-2025-68390	2025-12-18	MEDIUM	4.9	Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a…
CVE-2025-68389	2025-12-18	MEDIUM	6.5	Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of…
CVE-2025-68387	2025-12-18	MEDIUM	6.1	Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web…
CVE-2025-68386	2025-12-18	MEDIUM	4.3	Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do…
CVE-2025-68385	2025-12-18	HIGH	7.2	Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web…
CVE-2025-68279	2025-12-18	HIGH	7.7	Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links…
CVE-2025-68388	2025-12-18	MEDIUM	5.3	Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious IPv4…
CVE-2025-68384	2025-12-18	MEDIUM	6.5	Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM…
CVE-2025-68383	2025-12-18	MEDIUM	6.5	Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer…
CVE-2025-68382	2025-12-18	MEDIUM	6.5	Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protocol dissector, leading to a denial-of-service (DoS) through a reliable process…
CVE-2025-68381	2025-12-18	MEDIUM	6.5	Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause significant resource exhaustion…
CVE-2025-65046	2025-12-18	LOW	3.1	Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2025-65041	2025-12-18	CRITICAL	10.0	Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.
CVE-2025-65037	2025-12-18	CRITICAL	10.0	Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
CVE-2025-64677	2025-12-18	HIGH	8.2	Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-64676	2025-12-18	HIGH	7.2	'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network.
CVE-2025-64663	2025-12-18	CRITICAL	9.9	Custom Question Answering Elevation of Privilege Vulnerability
CVE-2025-34452	2025-12-18	N/A	0.0	Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities in that allow an authenticated attacker to…
CVE-2025-34451	2025-12-18	N/A	0.0	rofl0r/proxychains-ng versions up to and including 4.17 and prior to commit cc005b7 contain a stack-based buffer overflow vulnerability in the function proxy_from_string() located in src/libproxychains.c. When parsing crafted…
CVE-2025-34450	2025-12-18	N/A	0.0	merbanan/rtl_433 versions up to and including 25.02 and prior to commit 25e47f8 contain a stack-based buffer overflow vulnerability in the function parse_rfraw() located in src/rfraw.c. When processing crafted…
CVE-2025-34449	2025-12-18	N/A	0.0	Genymobile/scrcpy versions up to and including 3.3.3 and prior to commit 3e40b24 contain a global buffer overflow vulnerability in the function sc_read32be, invoked via sc_device_msg_deserialize() and process_msgs(). Processing crafted…
CVE-2025-13427	2025-12-18	N/A	0.0	An authentication bypass vulnerability in Google Cloud Dialogflow CX Messenger allowed unauthenticated users to interact with restricted chat agents, gaining access to the agents' knowledge and the ability…
CVE-2025-68161	2025-12-18	N/A	0.0	The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute…
CVE-2025-67653	2025-12-18	MEDIUM	4.3	Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to determine the existence of arbitrary files.
CVE-2025-63951	2025-12-18	HIGH	7.5	An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The 'rss' GET parameter receives data that is passed directly…
CVE-2025-63950	2025-12-18	HIGH	7.5	An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b (2023-02-28). The 'obj' parameter receives base64-encoded data that is passed directly…
CVE-2025-63949	2025-12-18	MEDIUM	6.1	A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php.
CVE-2025-63948	2025-12-18	MEDIUM	5.4	A SQL Injection vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary SQL commands via the dbname parameter, potentially leading to information…
CVE-2025-63947	2025-12-18	MEDIUM	5.4	A Reflected Cross-Site Scripting (XSS) vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary web script or HTML via the dbname parameter…
CVE-2025-62004	2025-12-18	MEDIUM	6.2	BullWall Server Intrusion Protection services are initialized after login services. An authenticated attacker with administrative permissions can log in after boot and bypass MFA. SIP service does not…
CVE-2025-62003	2025-12-18	MEDIUM	6.2	BullWall Server Intrusion Protection has a noticeable delay before the MFA check when connecting via RDP. A remote authenticated attacker with administrative privileges can potentially bypass detection during…
CVE-2025-62002	2025-12-18	MEDIUM	4.3	BullWall Ransomware Containment relies on the number of file modifications to trigger detection. An authenticated attacker could encrypt a single large file without triggering a detection alert. Versions…
CVE-2025-62001	2025-12-18	HIGH	8.8	BullWall Ransomware Containment contains excluded file paths, such as '$recycle.bin' that are not monitored. An attacker with file write permissions could bypass detection by renaming a directory. Versions…
CVE-2025-62000	2025-12-18	HIGH	7.1	BullWall Ransomware Containment does not entirely inspect a file to determine if it is ransomware. An authenticated attacker could bypass detection by encrypting a file and leaving the…

« Anterior Página 189 de 3934 Siguiente »