CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST:

CVE ID Published Severity CVSS Description
CVE-2025-59849 2025-12-17 MEDIUM 4.7 Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages.
CVE-2025-55254 2025-12-17 LOW 3.7 Improper management of Path-relative stylesheet import in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow to execute malicious code in certain web pages.
CVE-2025-14764 2025-12-17 MEDIUM 5.3 Missing cryptographic key commitment in the Amazon S3 Encryption Client for Go may allow a user with write access to the S3 bucket to introduce a new EDK…
CVE-2025-14763 2025-12-17 MEDIUM 5.3 Missing cryptographic key commitment in the Amazon S3 Encryption Client for Java may allow a user with write access to the S3 bucket to introduce a new EDK…
CVE-2025-14762 2025-12-17 MEDIUM 5.3 Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts…
CVE-2025-14761 2025-12-17 MEDIUM 5.3 Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts…
CVE-2025-67787 2025-12-17 CRITICAL 9.6 An issue was discovered in 25.1.2 before 25.1.5. A Cross Site Scripting (XSS) issue in DriveLock Operations Center allows for session takeover over a network.
CVE-2025-67781 2025-12-17 CRITICAL 9.9 An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate privileged processes to gain more privileges on…
CVE-2025-67074 2025-12-17 N/A 0.0 A Buffer overflow vulnerability in function fromAdvSetMacMtuWan of bin httpd in Tenda AC10V4.0 V16.03.10.20 allows remote attackers to cause denial of service and possibly code execution by sending…
CVE-2025-67073 2025-12-17 CRITICAL 9.8 A Buffer overflow vulnerability in function fromAdvSetMacMtuWan of bin httpd in Tenda AC10V4.0 V16.03.10.20 allows remote attackers to cause denial of service and possibly code execution by sending…
CVE-2025-66646 2025-12-17 N/A 0.0 RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the…
CVE-2025-66397 2025-12-17 HIGH 8.3 ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffer from broken access control,…
CVE-2025-66396 2025-12-17 HIGH 7.2 ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings,…
CVE-2025-65233 2025-12-17 MEDIUM 6.1 Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF'] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's…
CVE-2025-34442 2025-12-17 N/A 0.0 AVideo versions prior to 20.0 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and…
CVE-2025-34441 2025-12-17 N/A 0.0 AVideo versions prior to 20.0 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration…
CVE-2025-34440 2025-12-17 N/A 0.0 AVideo versions prior to 20.0 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites,…
CVE-2025-34439 2025-12-17 N/A 0.0 AVideo versions prior to 20.0 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link…
CVE-2025-34438 2025-12-17 N/A 0.0 AVideo versions prior to 20.0 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies…
CVE-2025-34437 2025-12-17 N/A 0.0 AVideo versions prior to 20.0 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing…
CVE-2025-34436 2025-12-17 N/A 0.0 AVideo versions prior to 20.0 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality…
CVE-2025-34435 2025-12-17 N/A 0.0 AVideo versions prior to 20.0 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected…
CVE-2025-34434 2025-12-17 N/A 0.0 AVideo versions prior to 20.0 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce…
CVE-2025-14760 2025-12-17 MEDIUM 5.3 Missing cryptographic key commitment in the AWS SDK for C++ may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts…
CVE-2025-14759 2025-12-17 MEDIUM 5.3 Missing cryptographic key commitment in the Amazon S3 Encryption Client for .NET may allow a user with write access to the S3 bucket to introduce a new EDK…
CVE-2025-67174 2025-12-17 N/A 0.0 A local file inclusion (LFI) vulnerability in RiteCMS v3.1.0 allows attackers to read arbitrary files on the host via a directory traversal in the admin_language_file and default_page_language_file in…
CVE-2025-67173 2025-12-17 MEDIUM 6.8 A Cross-Site Request Forgery (CSRF) in the page creation/editing function of RiteCMS v3.1.0 allows attackers to arbitrarily create pages via a crafted POST request.
CVE-2025-67171 2025-12-17 HIGH 7.5 Incorrect access control in the /templates/ component of RiteCMS v3.1.0 allows attackers to access sensitive files via directory traversal.
CVE-2025-67170 2025-12-17 MEDIUM 6.1 A reflected cross-site scripting (XSS) vulnerability in RiteCMS v3.1.0 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload.
CVE-2025-67168 2025-12-17 MEDIUM 5.3 RiteCMS v3.1.0 was discovered to use insecure encryption to store passwords.
CVE-2025-66953 2025-12-17 N/A 0.0 CSRF vulnerability in narda miteq Uplink Power Control Unit UPC2 v.1.17 allows a remote attacker to execute arbitrary code via the Web-based management interface and specifically the /system_setup.htm,…
CVE-2025-66395 2025-12-17 HIGH 8.8 ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST…
CVE-2025-62521 2025-12-17 CRITICAL 10.0 ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP…
CVE-2025-14081 2025-12-17 MEDIUM 4.3 The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in…
CVE-2025-13537 2025-12-17 MEDIUM 6.4 The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and…
CVE-2025-13326 2025-12-17 LOW 3.9 Mattermost Desktop App versions
CVE-2025-13324 2025-12-17 MEDIUM 4.3 Mattermost versions 10.11.x
CVE-2025-13321 2025-12-17 LOW 3.3 Mattermost Desktop App versions
CVE-2025-13217 2025-12-17 MEDIUM 6.4 The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value'…
CVE-2025-12689 2025-12-17 MEDIUM 6.5 Mattermost versions 11.0.x
CVE-2024-46062 2025-12-17 N/A 0.0 Miniconda3 macOS installers before 23.11.0-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, world-writable files are created and executed with root…
CVE-2024-46060 2025-12-17 N/A 0.0 Anaconda3 macOS installers before 2024.06-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, world-writable files are created and executed with root…
CVE-2025-67172 2025-12-17 HIGH 7.2 RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function.
CVE-2025-66924 2025-12-17 MEDIUM 6.1 A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the…
CVE-2025-66923 2025-12-17 HIGH 7.2 A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number…
CVE-2025-65203 2025-12-17 HIGH 7.1 KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed…
CVE-2025-65000 2025-12-18 N/A 0.0 SSH private keys of the "Remote alert handlers (Linux)" rule were exposed in the rule page's HTML source in Checkmk
CVE-2025-40898 2025-12-18 HIGH 8.1 A path traversal vulnerability was discovered in the Import Arc data archive functionality due to insufficient validation of the input file. An authenticated user with limited privileges, by…
CVE-2025-40893 2025-12-18 MEDIUM 6.1 A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network…
CVE-2025-40892 2025-12-18 HIGH 8.9 A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a…