The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2025-30022 | CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the DATANASC parameter. | -- | Mar 14, 2025 | n/a |
CVE-2025-29998 | This vulnerability exists in the CAP back office application due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP requests through the vulnerable API endpoint, which could lead to OTP bombing/flooding on the targeted system. | -- | Mar 13, 2025 | n/a |
CVE-2025-29997 | This vulnerability exists in the CAP back office application due to improper authorization checks on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating API request URL to gain unauthorized access to other user accounts. | -- | Mar 13, 2025 | n/a |
CVE-2025-29996 | This vulnerability exists in the CAP back office application due to improper implementation of OTP verification mechanism in its API based login. A remote attacker with valid credentials could exploit this vulnerability by manipulating API request URL/payload. Successful exploitation of this vulnerability could allow the attacker to bypass Two-Factor Authentication (2FA) for other user accounts. | -- | Mar 13, 2025 | n/a |
CVE-2025-29995 | This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An authenticated remote attacker with a valid login ID could exploit this vulnerability through the vulnerable API endpoint, which could lead to account takeover of targeted users. | -- | Mar 13, 2025 | n/a |
CVE-2025-29994 | This vulnerability exists in the CAP back office application due to improper authentication check at the API endpoint. An unauthenticated remote attacker with a valid login ID could exploit this vulnerability by manipulating API input parameters through API request URL/payload leading to unauthorized access to other user accounts. | -- | Mar 13, 2025 | n/a |
CVE-2025-29904 | In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible | -- | Mar 12, 2025 | n/a |
CVE-2025-29903 | In JetBrains Runtime before 21.0.6b872.80 arbitrary dynamic library execution due to insecure macOS flags was possible | -- | Mar 12, 2025 | n/a |
CVE-2025-29891 | Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that for some Camel components can alter the behaviour, such as the camel-bean component or the camel-exec component. If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that get translated into headers. The headers could be provided either as request parameters for an HTTP method invocation or as part of the payload of the HTTP method invocation. All the known Camel HTTP components, such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http, would be vulnerable out of the box. This CVE is related to CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. As in CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components. | -- | Mar 13, 2025 | n/a |
CVE-2025-29773 | Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and security. This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. The attack vector is email-based, as the system does not prevent multiple accounts from registering the same email address, leading to possible conflicts and security issues. Version 2.2.6 fixes the issue. | -- | Mar 13, 2025 | n/a |
CVE-2025-29768 | Vim, a text editor, is vulnerable to potential data loss with zip.vim and specially crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198. | -- | Mar 13, 2025 | n/a |
CVE-2025-29363 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to buffer overflow via the schedStartTime and schedEndTime parameters at /goform/saveParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Mar 13, 2025 | n/a |
CVE-2025-29362 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the list parameter at /goform/setPptpUserList. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Mar 13, 2025 | n/a |
CVE-2025-29361 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the list parameter at /goform/SetVirtualServerCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Mar 13, 2025 | n/a |
CVE-2025-29360 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the time and timeZone parameters at /goform/SetSysTimeCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Mar 13, 2025 | n/a |
CVE-2025-29359 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the deviceId parameter at /goform/saveParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Mar 13, 2025 | n/a |
CVE-2025-29358 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the firewallEn parameter at /goform/SetFirewallCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Mar 13, 2025 | n/a |
CVE-2025-29357 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the startIp and endIp parameters at /goform/SetPptpServerCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Mar 13, 2025 | n/a |
CVE-2025-28943 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mylo2h2s DP ALTerminator - Missing ALT manager allows Stored XSS. This issue affects DP ALTerminator - Missing ALT manager: from n/a through 1.0.2. | -- | Mar 11, 2025 | n/a |
CVE-2025-28941 | Cross-Site Request Forgery (CSRF) vulnerability in ohtan Spam Byebye allows Cross Site Request Forgery. This issue affects Spam Byebye: from n/a through 2.2.4. | -- | Mar 11, 2025 | n/a |
CVE-2025-28940 | Cross-Site Request Forgery (CSRF) vulnerability in arkapravamajumder Back To Top allows Cross Site Request Forgery. This issue affects Back To Top: from n/a through 2.0. | -- | Mar 11, 2025 | n/a |
CVE-2025-28938 | Missing Authorization vulnerability in Bjoern WP Performance Pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Performance Pack: from n/a through 2.5.3. | -- | Mar 11, 2025 | n/a |
CVE-2025-28937 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lavacode Lava Ajax Search allows Stored XSS. This issue affects Lava Ajax Search: from n/a through 1.1.9. | -- | Mar 11, 2025 | n/a |
CVE-2025-28936 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sakurapixel Lunar allows Stored XSS. This issue affects Lunar: from n/a through 1.3.0. | -- | Mar 11, 2025 | n/a |
CVE-2025-28933 | Cross-Site Request Forgery (CSRF) vulnerability in maxfoundry MaxA/B allows Stored XSS. This issue affects MaxA/B: from n/a through 2.2.2. | -- | Mar 11, 2025 | n/a |
CVE-2025-28932 | Cross-Site Request Forgery (CSRF) vulnerability in BCS Website Solutions Insert Code allows Stored XSS. This issue affects Insert Code: from n/a through 2.4. | -- | Mar 11, 2025 | n/a |
CVE-2025-28931 | Cross-Site Request Forgery (CSRF) vulnerability in DevriX Hashtags allows Stored XSS. This issue affects Hashtags: from n/a through 0.3.2. | -- | Mar 11, 2025 | n/a |
CVE-2025-28930 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rodolphe MOULIN List Mixcloud allows Stored XSS. This issue affects List Mixcloud: from n/a through 1.4. | -- | Mar 11, 2025 | n/a |
CVE-2025-28929 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vivek Marakana Tabbed Login Widget allows Stored XSS. This issue affects Tabbed Login Widget: from n/a through 1.1.2. | -- | Mar 11, 2025 | n/a |
CVE-2025-28927 | Cross-Site Request Forgery (CSRF) vulnerability in A. Chappard Display Template Name allows Cross Site Request Forgery. This issue affects Display Template Name: from n/a through 1.7.1. | -- | Mar 11, 2025 | n/a |
CVE-2025-28926 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in popeating Post Read Time allows Stored XSS. This issue affects Post Read Time: from n/a through 1.2.6. | -- | Mar 11, 2025 | n/a |
CVE-2025-28925 | Cross-Site Request Forgery (CSRF) vulnerability in Hieu Nguyen WATI Chat and Notification allows Stored XSS. This issue affects WATI Chat and Notification: from n/a through 1.1.2. | -- | Mar 11, 2025 | n/a |
CVE-2025-28923 | Cross-Site Request Forgery (CSRF) vulnerability in philippe No Disposable Email allows Stored XSS. This issue affects No Disposable Email: from n/a through 2.5.1. | -- | Mar 11, 2025 | n/a |
CVE-2025-28922 | Cross-Site Request Forgery (CSRF) vulnerability in Terence D. Go To Top allows Stored XSS. This issue affects Go To Top: from n/a through 0.0.8. | -- | Mar 11, 2025 | n/a |
CVE-2025-28920 | Missing Authorization vulnerability in Jogesh Responsive Google Map allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Google Map: from n/a through 3.1.5. | -- | Mar 11, 2025 | n/a |
CVE-2025-28919 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shellbot Easy Image Display allows Stored XSS. This issue affects Easy Image Display: from n/a through 1.2.5. | -- | Mar 11, 2025 | n/a |
CVE-2025-28918 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A. Jones Featured Image Thumbnail Grid allows Stored XSS. This issue affects Featured Image Thumbnail Grid: from n/a through 6.6.1. | -- | Mar 11, 2025 | n/a |
CVE-2025-28915 | Unrestricted Upload of File with Dangerous Type vulnerability in Theme Egg ThemeEgg ToolKit allows Upload a Web Shell to a Web Server. This issue affects ThemeEgg ToolKit: from n/a through 1.2.9. | -- | Mar 11, 2025 | n/a |
CVE-2025-28914 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Sharma wordpress login form to anywhere allows Stored XSS. This issue affects wordpress login form to anywhere: from n/a through 0.2. | -- | Mar 11, 2025 | n/a |
CVE-2025-28913 | Cross-Site Request Forgery (CSRF) vulnerability in Aftab Ali Muni WP Add Active Class To Menu Item allows Cross Site Request Forgery. This issue affects WP Add Active Class To Menu Item: from n/a through 1.0. | -- | Mar 11, 2025 | n/a |
CVE-2025-28912 | Cross-Site Request Forgery (CSRF) vulnerability in Muntasir Rahman Custom Dashboard Page allows Cross Site Request Forgery. This issue affects Custom Dashboard Page: from n/a through 1.0. | -- | Mar 11, 2025 | n/a |
CVE-2025-28910 | Cross-Site Request Forgery (CSRF) vulnerability in Ravinder Khurana WP Hide Admin Bar allows Cross Site Request Forgery. This issue affects WP Hide Admin Bar: from n/a through 2.0. | -- | Mar 11, 2025 | n/a |
CVE-2025-28909 | Cross-Site Request Forgery (CSRF) vulnerability in edwardw WP No-Bot Question allows Cross Site Request Forgery. This issue affects WP No-Bot Question: from n/a through 0.1.7. | -- | Mar 11, 2025 | n/a |
CVE-2025-28908 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pipdig pipDisqus allows Stored XSS. This issue affects pipDisqus: from n/a through 1.6. | -- | Mar 11, 2025 | n/a |
CVE-2025-28907 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rahul Arora WP Last Modified allows Stored XSS. This issue affects WP Last Modified: from n/a through 0.1. | -- | Mar 11, 2025 | n/a |
CVE-2025-28906 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thiago S.F. Skitter Slideshow allows Stored XSS. This issue affects Skitter Slideshow: from n/a through 2.5.2. | -- | Mar 11, 2025 | n/a |
CVE-2025-28905 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chaser324 Featured Posts Grid allows Stored XSS. This issue affects Featured Posts Grid: from n/a through 1.7. | -- | Mar 11, 2025 | n/a |
CVE-2025-28902 | Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Pick Contact Form 7 Select Box Editor Button allows Cross Site Request Forgery. This issue affects Contact Form 7 Select Box Editor Button: from n/a through 0.6. | -- | Mar 11, 2025 | n/a |
CVE-2025-28901 | Cross-Site Request Forgery (CSRF) vulnerability in Naren Members page only for logged in users allows Stored XSS. This issue affects Members page only for logged in users: from n/a through 1.4.2. | -- | Mar 11, 2025 | n/a |
CVE-2025-28900 | Cross-Site Request Forgery (CSRF) vulnerability in webgarb TabGarb Pro allows Stored XSS. This issue affects TabGarb Pro: from n/a through 2.6. | -- | Mar 11, 2025 | n/a |