The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2021-30745 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | -- | Jan 24, 2025 |
CVE-2025-24530 | An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS. | -- | Jan 23, 2025 |
CVE-2025-24529 | An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab. | -- | Jan 23, 2025 |
CVE-2025-24403 | A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. | -- | Jan 23, 2025 |
CVE-2025-24402 | A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method. | -- | Jan 23, 2025 |
CVE-2025-24401 | Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they\'re no longer entitled to. | -- | Jan 23, 2025 |
CVE-2025-24400 | Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials. | -- | Jan 23, 2025 |
CVE-2025-24399 | Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins. | -- | Jan 23, 2025 |
CVE-2025-24398 | Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. | -- | Jan 23, 2025 |
CVE-2025-24397 | An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. | -- | Jan 23, 2025 |
CVE-2025-24353 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instances that are impacted are those that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles. Version 11.2.0 contains a patch the issue. | -- | Jan 23, 2025 |
CVE-2025-24034 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Starting in version 0.7.0 and prior to versions 0.7.15 and 0.8.3, Himmelblau is vulnerable to leaking credentials in debug logs. When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data. Similarly, Kerberos Ticket-Granting Tickets (TGTs) are logged when debug logging is enabled. Both issues pose a risk of exposing sensitive credentials, particularly in environments where debug logging is enabled. Himmelblau versions 0.7.15 and 0.8.3 contain a patch that fixes both issues. Some workarounds are available for users who are unable to upgrade. For the **logon compliance script issue**, disable the `logon_script` option in `/etc/himmelblau/himmelblau.conf`, and avoid using the `-d` flag when starting the `himmelblaud` daemon. For the Kerberos CCache issue, one may disable debug logging globally by setting the `debug` option in `/etc/himmelblau/himmelblau.conf` to `false` and avoiding the `-d` parameter when starting `himmelblaud`. | -- | Jan 23, 2025 |
CVE-2025-24033 | @fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use `saveRequestFiles`. | -- | Jan 23, 2025 |
CVE-2025-24030 | Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch. | -- | Jan 23, 2025 |
CVE-2025-23960 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in basteln3rk Save & Import Image from URL allows Reflected XSS. This issue affects Save & Import Image from URL: from n/a through 0.7. | -- | Jan 23, 2025 |
CVE-2025-23894 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Tatsuya Fukata, Alexander Ovsov wp-flickr-press allows Reflected XSS. This issue affects wp-flickr-press: from n/a through 2.6.4. | -- | Jan 23, 2025 |
CVE-2025-23836 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in SuryaBhan Custom Coming Soon allows Reflected XSS. This issue affects Custom Coming Soon: from n/a through 2.2. | -- | Jan 23, 2025 |
CVE-2025-23835 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in NotFound Legal + allows Reflected XSS. This issue affects Legal +: from n/a through 1.0. | -- | Jan 23, 2025 |
CVE-2025-23834 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in NotFound Links/Problem Reporter allows Reflected XSS. This issue affects Links/Problem Reporter: from n/a through 2.6.0. | -- | Jan 23, 2025 |
CVE-2025-23733 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in sayocode SC Simple Zazzle allows Reflected XSS. This issue affects SC Simple Zazzle: from n/a through 1.1.6. | -- | Jan 23, 2025 |
CVE-2025-23730 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in NotFound FLX Dashboard Groups allows Reflected XSS. This issue affects FLX Dashboard Groups: from n/a through 0.0.7. | -- | Jan 23, 2025 |
CVE-2025-23729 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in fures XTRA Settings allows Reflected XSS. This issue affects XTRA Settings: from n/a through 2.1.8. | -- | Jan 23, 2025 |
CVE-2025-23727 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in NotFound AZ Content Finder allows Reflected XSS. This issue affects AZ Content Finder: from n/a through 0.1. | -- | Jan 23, 2025 |
CVE-2025-23725 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in TaskMeister Accessibility Task Manager allows Reflected XSS. This issue affects Accessibility Task Manager: from n/a through 1.2.1. | -- | Jan 23, 2025 |
CVE-2025-23724 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Oleksandr Ustymenko University Quizzes Online allows Reflected XSS. This issue affects University Quizzes Online: from n/a through 1.4. | -- | Jan 23, 2025 |
CVE-2025-23723 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Plestar Inc Plestar Directory Listing allows Reflected XSS. This issue affects Plestar Directory Listing: from n/a through 1.0. | -- | Jan 23, 2025 |
CVE-2025-23722 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in NotFound Mind3doM RyeBread Widgets allows Reflected XSS. This issue affects Mind3doM RyeBread Widgets: from n/a through 1.0. | -- | Jan 23, 2025 |
CVE-2025-23636 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Dimitar Atanasov My Favorite Car allows Reflected XSS. This issue affects My Favorite Car: from n/a through 1.0. | -- | Jan 23, 2025 |
CVE-2025-23634 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in NotFound Youtube Video Grid allows Reflected XSS. This issue affects Youtube Video Grid: from n/a through 1.9. | -- | Jan 23, 2025 |
CVE-2025-23629 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Subhasis Laha Gallerio allows Reflected XSS. This issue affects Gallerio: from n/a through 1.0.1. | -- | Jan 23, 2025 |
CVE-2025-23628 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in New Media One GeoDigs allows Reflected XSS. This issue affects GeoDigs: from n/a through 3.4.1. | -- | Jan 23, 2025 |
CVE-2025-23626 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Hidetoshi Fukushima Kumihimo allows Reflected XSS. This issue affects Kumihimo: from n/a through 1.0.2. | -- | Jan 23, 2025 |
CVE-2025-23624 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Alessandro Benoit WpDevTool allows Reflected XSS. This issue affects WpDevTool: from n/a through 0.1.1. | -- | Jan 23, 2025 |
CVE-2025-23545 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Navnish Bhardwaj WP Social Broadcast allows Reflected XSS. This issue affects WP Social Broadcast: from n/a through 1.0.0. | -- | Jan 23, 2025 |
CVE-2025-23544 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in heart5 StatPressCN allows Reflected XSS. This issue affects StatPressCN: from n/a through 1.9.1. | -- | Jan 23, 2025 |
CVE-2025-23541 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in edmon Download, Downloads allows Reflected XSS. This issue affects Download, Downloads : from n/a through 1.4.2. | -- | Jan 23, 2025 |
CVE-2025-23540 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Mohsin khan WP Front-end login and register allows Reflected XSS. This issue affects WP Front-end login and register: from n/a through 2.1.0. | -- | Jan 23, 2025 |
CVE-2025-23227 | IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.11 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | -- | Jan 23, 2025 |
CVE-2025-23089 | This CVE has been issued to inform users that they are using End-of-Life (EOL) versions of Node.js. These versions are no longer supported and do not receive updates, including security patches. The continued use of EOL versions may expose systems to potential security risks due to unaddressed software vulnerabilities or dependencies (CWE-1104: Use of Unmaintained Third-Party Components). Users are advised to upgrade to actively supported versions of Node.js to ensure continued security updates and support. | -- | Jan 23, 2025 |
CVE-2025-23088 | This CVE has been issued to inform users that they are using End-of-Life (EOL) versions of Node.js. These versions are no longer supported and do not receive updates, including security patches. The continued use of EOL versions may expose systems to potential security risks due to unaddressed software vulnerabilities or dependencies (CWE-1104: Use of Unmaintained Third-Party Components). Users are advised to upgrade to actively supported versions of Node.js to ensure continued security updates and support. | -- | Jan 23, 2025 |
CVE-2025-23087 | This CVE has been issued to inform users that they are using End-of-Life (EOL) versions of Node.js. These versions are no longer supported and do not receive updates, including security patches. The continued use of EOL versions may expose systems to potential security risks due to unaddressed software vulnerabilities or dependencies (CWE-1104: Use of Unmaintained Third-Party Components). Users are advised to upgrade to actively supported versions of Node.js to ensure continued security updates and support. | -- | Jan 23, 2025 |
CVE-2025-23012 | Fedora Repository 3.8.x includes a service account (fedoraIntCallUser) with default credentials and privileges to read read local files by manipulating datastreams. Fedora Repository 3.8.1 was released on 2015-06-11 and is no longer maintained. Migrate to a currently supported version (6.5.1 as of 2025-01-23). | -- | Jan 23, 2025 |
CVE-2025-23011 | Fedora Repository 3.8.1 allows path traversal when extracting uploaded archives (Zip Slip). A remote, authenticated attacker can upload a specially crafted archive that will extract an arbitrary JSP file to a location that can be executed by an unauthenticated GET request. Fedora Repository 3.8.1 was released on 2015-06-11 and is no longer maintained. Migrate to a currently supported version (6.5.1 as of 2025-01-23). | -- | Jan 23, 2025 |
CVE-2025-23006 | Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands. | -- | Jan 23, 2025 |
CVE-2025-22866 | crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le | -- | Jan 23, 2025 |
CVE-2025-22768 | Cross-Site Request Forgery (CSRF) vulnerability in Qwerty23 Rocket Media Library Mime Type allows Stored XSS. This issue affects Rocket Media Library Mime Type: from n/a through 2.1.0. | -- | Jan 23, 2025 |
CVE-2025-22264 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Tarak Patel WP Query Creator allows Reflected XSS. This issue affects WP Query Creator: from n/a through 1.0. | -- | Jan 23, 2025 |
CVE-2025-22153 | RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Via a type confusion bug in versions of the CPython interpreter starting in 3.11 and prior to 3.13.2 when using `try/except*`, RestrictedPython starting in version 6.0 and prior to version 8.0 could be bypassed. The issue is patched in version 8.0 of RestrictedPython by removing support for `try/except*` clauses. No known workarounds are available. | -- | Jan 23, 2025 |
CVE-2025-21664 | In the Linux kernel, the following vulnerability has been resolved: dm thin: make get_first_thin use rcu-safe list first function The documentation in rculist.h explains the absence of list_empty_rcu() and cautions programmers against relying on a list_empty() -> list_first() sequence in RCU safe code. This is because each of these functions performs its own READ_ONCE() of the list head. This can lead to a situation where the list_empty() sees a valid list entry, but the subsequent list_first() sees a different view of list head state after a modification. In the case of dm-thin, this author had a production box crash from a GP fault in the process_deferred_bios path. This function saw a valid list head in get_first_thin() but when it subsequently dereferenced that and turned it into a thin_c, it got the inside of the struct pool, since the list was now empty and referring to itself. The kernel on which this occurred printed both a warning about a refcount_t being saturated, and a UBSAN error for an out-of-bounds cpuid access in the queued spinlock, prior to the fault itself. When the resulting kdump was examined, it was possible to see another thread patiently waiting in thin_dtr\'s synchronize_rcu. The thin_dtr call managed to pull the thin_c out of the active thins list (and have it be the last entry in the active_thins list) at just the wrong moment which lead to this crash. Fortunately, the fix here is straight forward. Switch get_first_thin() function to use list_first_or_null_rcu() which performs just a single READ_ONCE() and returns NULL if the list is already empty. This was run against the devicemapper test suite\'s thin-provisioning suites for delete and suspend and no regressions were observed. | -- | Jan 23, 2025 |
CVE-2025-21513 | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | -- | Jan 23, 2025 |