The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2025-24530 | An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS. | -- | Jan 23, 2025 |
| CVE-2025-24529 | An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab. | -- | Jan 23, 2025 |
| CVE-2025-24461 | In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint | -- | Jan 21, 2025 |
| CVE-2025-24460 | In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool | -- | Jan 21, 2025 |
| CVE-2025-24459 | In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page | -- | Jan 21, 2025 |
| CVE-2025-24458 | In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration | -- | Jan 21, 2025 |
| CVE-2025-24457 | In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs | -- | Jan 21, 2025 |
| CVE-2025-24456 | In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping | -- | Jan 21, 2025 |
| CVE-2025-24403 | A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. | -- | Jan 23, 2025 |
| CVE-2025-24402 | A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method. | -- | Jan 23, 2025 |
| CVE-2025-24401 | Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they\'re no longer entitled to. | -- | Jan 23, 2025 |
| CVE-2025-24400 | Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials. | -- | Jan 23, 2025 |
| CVE-2025-24399 | Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins. | -- | Jan 23, 2025 |
| CVE-2025-24398 | Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. | -- | Jan 23, 2025 |
| CVE-2025-24397 | An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. | -- | Jan 23, 2025 |
| CVE-2025-24353 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instances that are impacted are those that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles. Version 11.2.0 contains a patch the issue. | -- | Jan 23, 2025 |
| CVE-2025-24337 | WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini. | -- | Jan 20, 2025 |
| CVE-2025-24034 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Starting in version 0.7.0 and prior to versions 0.7.15 and 0.8.3, Himmelblau is vulnerable to leaking credentials in debug logs. When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data. Similarly, Kerberos Ticket-Granting Tickets (TGTs) are logged when debug logging is enabled. Both issues pose a risk of exposing sensitive credentials, particularly in environments where debug logging is enabled. Himmelblau versions 0.7.15 and 0.8.3 contain a patch that fixes both issues. Some workarounds are available for users who are unable to upgrade. For the **logon compliance script issue**, disable the `logon_script` option in `/etc/himmelblau/himmelblau.conf`, and avoid using the `-d` flag when starting the `himmelblaud` daemon. For the Kerberos CCache issue, one may disable debug logging globally by setting the `debug` option in `/etc/himmelblau/himmelblau.conf` to `false` and avoiding the `-d` parameter when starting `himmelblaud`. | -- | Jan 23, 2025 |
| CVE-2025-24033 | @fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use `saveRequestFiles`. | -- | Jan 23, 2025 |
| CVE-2025-24030 | Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch. | -- | Jan 23, 2025 |
| CVE-2025-24027 | ps_contactinfo, a PrestaShop module for displaying store contact information, has a cross-site scripting (XSS) vulnerability in versions up to and including 3.3.2. This can not be exploited in a fresh install of PrestaShop, only shops made vulnerable by third party modules are concerned. For example, if the shop has a third party module vulnerable to SQL injections, then ps_contactinfo might execute a stored cross-site scripting in formatting objects. Commit d60f9a5634b4fc2d3a8831fb08fe2e1f23cbfa39 keeps formatted addresses from displaying a XSS stored in the database, and the fix is expected to be available in version 3.3.3. No workarounds are available aside from applying the fix and keeping all modules maintained and update. | -- | Jan 22, 2025 |
| CVE-2025-24024 | Mjolnir is a moderation tool for Matrix. Mjolnir v1.9.0 responds to management commands from any room the bot is member of. This can allow users who aren\'t operators of the bot to use the bot\'s functions, including server administration components if enabled. Version 1.9.1 reverts the feature that introduced the bug, and version 1.9.2 reintroduces the feature safely. Downgrading to version 1.8.3 is recommended if upgrading to 1.9.1 or higher isn\'t possible. | -- | Jan 21, 2025 |
| CVE-2025-24020 | WeGIA is a Web manager for charitable institutions. An Open Redirect vulnerability was identified in the `control.php` endpoint of versions up to and including 3.2.10 of the WeGIA application. The vulnerability allows the `nextPage` parameter to be manipulated, redirecting authenticated users to arbitrary external URLs without validation. The issue stems from the lack of validation for the `nextPage` parameter, which accepts external URLs as redirection destinations. This vulnerability can be exploited to perform phishing attacks or redirect users to malicious websites. Version 3.2.11 contains a fix for the issue. | -- | Jan 21, 2025 |
| CVE-2025-24019 | YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem\'s scope. This vulnerability allows any authenticated user to arbitrarily remove content from the Wiki resulting in partial loss of data and defacement/deterioration of the website. In the context of a container installation of YesWiki without any modification, the `yeswiki` files (for example .php) are not owned by the same user (root) as the one running the FPM process (www-data). However in a standard installation, www-data may also be the owner of the PHP files, allowing a malicious user to completely cut the access to the wiki by deleting all important PHP files (like index.php or core files of YesWiki). Version 4.5.0 contains a patch for this issue. | -- | Jan 21, 2025 |
| CVE-2025-24018 | YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. The vulnerability makes use of the content edition feature and more specifically of the `{{attach}}` component allowing users to attach files/medias to a page. When a file is attached using the `{{attach}}` component, if the resource contained in the `file` attribute doesn\'t exist, then the server will generate a file upload button containing the filename. This vulnerability allows any malicious authenticated user that has the right to create a comment or edit a page to be able to steal accounts and therefore modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue. | -- | Jan 21, 2025 |
| CVE-2025-24017 | YesWiki is a wiki system written in PHP. Versions up to and including 4.4.5 are vulnerable to any end-user crafting a DOM based XSS on all of YesWiki\'s pages which is triggered when a user clicks on a malicious link. The vulnerability makes use of the search by tag feature. When a tag doesn\'t exist, the tag is reflected on the page and isn\'t properly sanitized on the server side which allows a malicious user to generate a link that will trigger an XSS on the client\'s side when clicked. This vulnerability allows any user to generate a malicious link that will trigger an account takeover when clicked, therefore allowing a user to steal other accounts, modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue. | -- | Jan 21, 2025 |
| CVE-2025-24014 | Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn\'t show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn\'t been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043. | -- | Jan 21, 2025 |
| CVE-2025-24013 | CodeIgniter is a PHP full-stack web framework. Prior to 4.5.8, CodeIgniter lacked proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with Header class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS scenario if a remote service’s web application firewall interprets them as malicious and blocks further communication with the application. This vulnerability is fixed in 4.5.8. | -- | Jan 20, 2025 |
| CVE-2025-24012 | Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 contain a patch. | -- | Jan 21, 2025 |
| CVE-2025-24011 | Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it\'s possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available. | -- | Jan 21, 2025 |
| CVE-2025-24010 | Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6. | -- | Jan 20, 2025 |
| CVE-2025-24001 | Cross-Site Request Forgery (CSRF) vulnerability in PPO Vi?t Nam (ppo.vn) PPO Call To Actions allows Cross Site Request Forgery. This issue affects PPO Call To Actions: from n/a through 0.1.3. | -- | Jan 21, 2025 |
| CVE-2025-23998 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Rara Theme UltraLight allows Reflected XSS. This issue affects UltraLight: from n/a through 1.2. | -- | Jan 21, 2025 |
| CVE-2025-23997 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in dev@tamara.co Tamara Checkout allows Stored XSS. This issue affects Tamara Checkout: from n/a through 1.9.8. | -- | Jan 21, 2025 |
| CVE-2025-23996 | Cross-Site Request Forgery (CSRF) vulnerability in anyroad.com AnyRoad allows Cross Site Request Forgery. This issue affects AnyRoad: from n/a through 1.3.2. | -- | Jan 21, 2025 |
| CVE-2025-23994 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Estatebud Estatebud – Properties & Listings allows Stored XSS. This issue affects Estatebud – Properties & Listings: from n/a through 5.5.0. | -- | Jan 21, 2025 |
| CVE-2025-23992 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Leetoo Toocheke Companion allows Stored XSS. This issue affects Toocheke Companion: from n/a through 1.166. | -- | Jan 22, 2025 |
| CVE-2025-23966 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in AlaFalaki a Gateway for Pasargad Bank on WooCommerce allows Reflected XSS. This issue affects a Gateway for Pasargad Bank on WooCommerce: from n/a through 2.5.2. | -- | Jan 22, 2025 |
| CVE-2025-23965 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Kopatheme Kopa Nictitate Toolkit allows Stored XSS.This issue affects Kopa Nictitate Toolkit: from n/a through 1.0.2. | -- | Jan 16, 2025 |
| CVE-2025-23963 | Missing Authorization vulnerability in Sven Hofmann & Michael Schoenrock Mark Posts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mark Posts: from n/a through 2.2.3. | -- | Jan 16, 2025 |
| CVE-2025-23962 | Missing Authorization vulnerability in Goldstar Goldstar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Goldstar: from n/a through 2.1.1. | -- | Jan 16, 2025 |
| CVE-2025-23961 | Missing Authorization vulnerability in WP Tasker WordPress Graphs & Charts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Graphs & Charts: from n/a through 2.0.8. | -- | Jan 16, 2025 |
| CVE-2025-23960 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in basteln3rk Save & Import Image from URL allows Reflected XSS. This issue affects Save & Import Image from URL: from n/a through 0.7. | -- | Jan 23, 2025 |
| CVE-2025-23959 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Linus Lundahl Good Old Gallery allows Reflected XSS. This issue affects Good Old Gallery: from n/a through 2.1.2. | -- | Jan 22, 2025 |
| CVE-2025-23957 | Missing Authorization vulnerability in Sur.ly Sur.ly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sur.ly: from n/a through 3.0.3. | -- | Jan 16, 2025 |
| CVE-2025-23955 | Missing Authorization vulnerability in xola.com Xola allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Xola: from n/a through 1.6. | -- | Jan 16, 2025 |
| CVE-2025-23954 | Missing Authorization vulnerability in AWcode & KingfisherFox Salvador – AI Image Generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salvador – AI Image Generator: from n/a through 1.0.11. | -- | Jan 16, 2025 |
| CVE-2025-23953 | Unrestricted Upload of File with Dangerous Type vulnerability in Innovative Solutions user files allows Upload a Web Shell to a Web Server. This issue affects user files: from n/a through 2.4.2. | -- | Jan 22, 2025 |
| CVE-2025-23951 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in DivEngine Gallery: Hybrid – Advanced Visual Gallery allows Stored XSS.This issue affects Gallery: Hybrid – Advanced Visual Gallery: from n/a through 1.4.0.2. | -- | Jan 16, 2025 |
| CVE-2025-23950 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Said Shiripour EZPlayer allows Stored XSS.This issue affects EZPlayer: from n/a through 1.0.10. | -- | Jan 16, 2025 |
