Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2025-41020 2025-10-16 N/A 0.0 Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticket_a4.php'.
CVE-2025-41019 2025-10-16 N/A 0.0 SQL injection in Sergestec's SISTICK v7.2. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'id' parameter in '/index.php?view=ticket_detail'.
CVE-2025-41018 2025-10-16 N/A 0.0 SQL injection in Sergestec's Exito v8.0. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'cat' parameter in '/public.php'.
CVE-2025-62585 2025-10-16 HIGH 7.5 Whale browser before 4.33.325.17 allows an attacker to bypass the Content Security Policy via a specific scheme in a dual-tab environment.
CVE-2025-62584 2025-10-16 HIGH 7.5 Whale browser before 4.33.325.17 allows an attacker to bypass the Same-Origin Policy in a dual-tab environment.
CVE-2025-62583 2025-10-16 CRITICAL 9.8 Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.
CVE-2025-55090 2025-10-16 N/A 0.0 In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() function when received an…
CVE-2025-55089 2025-10-16 N/A 0.0 In FileX before 6.4.2, the file support module for Eclipse Foundation ThreadX, there was a possible buffer overflow in the FileX RAM disk driver. It could cause a…
CVE-2025-55084 2025-10-16 N/A 0.0 In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was an incorrect bound check in_nx_secure_tls_proc_clienthello_supported_versions_extension() in the extension version field.
CVE-2025-10850 2025-10-16 CRITICAL 9.8 The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register'…
CVE-2025-10849 2025-10-16 MEDIUM 5.3 The Felan Framework plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_plugin_actions' function called via an AJAX action…
CVE-2025-10742 2025-10-16 CRITICAL 9.8 The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled…
CVE-2025-10706 2025-10-16 HIGH 8.8 The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and…
CVE-2025-58778 2025-10-16 HIGH 7.2 Multiple versions of RG-EST300 provided by Ruijie Networks provide SSH server functionality. It is not documented in the manual, and enabled in the initial configuration. Anyone with the…
CVE-2025-0275 2025-10-16 MEDIUM 5.3 HCL BigFix Mobile 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal…
CVE-2025-11814 2025-10-16 MEDIUM 6.4 The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output…
CVE-2025-0274 2025-10-16 MEDIUM 5.3 HCL BigFix Modern Client Management (MCM) 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access…
CVE-2025-10700 2025-10-16 MEDIUM 4.3 The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to…
CVE-2025-62580 2025-10-16 HIGH 7.8 ASDA-Soft Stack-based Buffer Overflow Vulnerability
CVE-2025-62579 2025-10-16 HIGH 7.8 ASDA-Soft Stack-based Buffer Overflow Vulnerability
CVE-2025-11683 2025-10-16 MEDIUM 6.5 YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure Missing null terminators in token.c leads to but-of-bounds read which allows…
CVE-2025-62375 2025-10-15 N/A 0.0 go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier the AWS attestor improperly verifies AWS EC2…
CVE-2025-11619 2025-10-15 HIGH 8.8 Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to intercept traffic.
CVE-2025-11568 2025-10-15 MEDIUM 4.4 A data corruption vulnerability has been identified in the luksmeta utility when used with the LUKS1 disk encryption format. An attacker with the necessary permissions can exploit this…
CVE-2025-11832 2025-10-15 N/A 0.0 Allocation of Resources Without Limits or Throttling vulnerability in Azure Access Technology BLU-IC2, Azure Access Technology BLU-IC4 allows Flooding.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CVE-2025-62410 2025-10-15 N/A 0.0 In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still…
CVE-2025-62382 2025-10-15 HIGH 7.7 Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.2, Frigate's export workflow allows an authenticated operator to nominate any…
CVE-2025-62381 2025-10-15 N/A 0.0 sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can…
CVE-2025-62371 2025-10-15 HIGH 7.4 OpenSearch Data Prepper as an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all…
CVE-2025-55039 2025-10-15 MEDIUM 6.5 This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication…
CVE-2025-56749 2025-10-15 CRITICAL 9.4 Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading…
CVE-2025-56748 2025-10-15 MEDIUM 6.4 Creativeitem Academy LMS up to and including 5.13 uses predictable password reset tokens based on Base64 encoded templates without rate limiting, allowing brute force attacks to guess valid…
CVE-2025-62380 2025-10-15 N/A 0.0 mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.31 contain an HTML injection vulnerability in plaintext emails generated with…
CVE-2025-62378 2025-10-15 MEDIUM 6.1 CommandKit is the discord.js meta-framework for building Discord bots. In versions 1.2.0-rc.1 through 1.2.0-rc.11, a logic flaw exists in the message command handler that affects how the commandName…
CVE-2025-58133 2025-10-15 MEDIUM 5.3 Authentication bypass in some Zoom Rooms Clients before version 6.5.1 may allow an unauthenticated user to conduct a disclosure of information via network access.
CVE-2025-58132 2025-10-15 MEDIUM 4.1 Command injection in some Zoom Clients for Windows may allow an authenticated user to conduct a disclosure of information via network access.
CVE-2025-54271 2025-10-15 MEDIUM 5.6 Creative Cloud Desktop versions 6.7.0.278 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to arbitrary file system write. A low-privileged attacker…
CVE-2025-20360 2025-10-15 MEDIUM 5.8 Multiple Cisco products are affected by a vulnerability in the Snort 3 HTTP Decoder that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine…
CVE-2025-20359 2025-10-15 MEDIUM 6.5 Multiple Cisco products are affected by a vulnerability in the Snort 3 HTTP Decoder that could allow an unauthenticated, remote attacker to cause the disclosure of possible sensitive…
CVE-2025-20351 2025-10-15 MEDIUM 6.1 A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 running Cisco SIP Software…
CVE-2025-20350 2025-10-15 HIGH 7.5 A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 running Cisco SIP Software…
CVE-2025-20329 2025-10-15 MEDIUM 4.9 A vulnerability in the logging component of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software could allow an authenticated, remote attacker to view sensitive information in clear…
CVE-2025-10577 2025-10-15 N/A 0.0 Potential vulnerabilities have been identified in the audio package for certain HP PC products using the Sound Research SECOMN64 driver, which might allow escalation of privilege. HP is…
CVE-2025-10576 2025-10-15 N/A 0.0 Potential vulnerabilities have been identified in the audio package for certain HP PC products using the Sound Research SECOMN64 driver, which might allow escalation of privilege. HP is…
CVE-2025-62379 2025-10-15 LOW 3.1 Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirect_to query parameter value directly…
CVE-2025-62370 2025-10-15 HIGH 7.5 Alloy Core libraries at the root of the Rust Ethereum ecosystem. Prior to 0.8.26 and 1.4.1, an uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to…
CVE-2025-61990 2025-10-15 HIGH 7.5 When using a multi-bladed platform with more than one blade, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End…
CVE-2025-61935 2025-10-15 HIGH 7.5 When a BIG IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.  Note: Software versions which…
CVE-2025-61933 2025-10-15 MEDIUM 6.1 A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of BIG-IP APM that allows an attacker to run JavaScript in the context of the targeted logged-out…
CVE-2025-59419 2025-10-15 N/A 0.0 Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to…
« Anterior Página 368 de 3934 Siguiente »