Total
12031 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13798 | 2025-02-22 | 5.3 Medium | ||
| The Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 2.3.5. This is due to insufficient verification on form fields. This makes it possible for unauthenticated attackers to create new orders for products and mark them as paid without actually completing a payment. | ||||
| CVE-2025-1556 | 2025-02-22 | 4.7 Medium | ||
| A vulnerability, which was classified as problematic, has been found in westboy CicadasCMS 1.0. This issue affects some unknown processing of the file /system of the component Template Management. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-21370 | 1 Microsoft | 3 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 | 2025-02-21 | 7.8 High |
| Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability | ||||
| CVE-2025-21230 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-02-21 | 7.5 High |
| Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | ||||
| CVE-2025-21344 | 1 Microsoft | 1 Sharepoint Server | 2025-02-21 | 7.8 High |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||
| CVE-2025-21284 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-02-21 | 5.5 Medium |
| Windows Virtual Trusted Platform Module Denial of Service Vulnerability | ||||
| CVE-2025-21280 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-02-21 | 5.5 Medium |
| Windows Virtual Trusted Platform Module Denial of Service Vulnerability | ||||
| CVE-2025-21235 | 1 Microsoft | 8 Windows 10 21h2, Windows 10 22h2, Windows 11 22h2 and 5 more | 2025-02-21 | 7.8 High |
| Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability | ||||
| CVE-2025-21234 | 1 Microsoft | 8 Windows 10 21h2, Windows 10 22h2, Windows 11 22h2 and 5 more | 2025-02-21 | 7.8 High |
| Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability | ||||
| CVE-2025-21350 | 2025-02-21 | 5.9 Medium | ||
| Windows Kerberos Denial of Service Vulnerability | ||||
| CVE-2025-21194 | 2025-02-21 | 7.1 High | ||
| Microsoft Surface Security Feature Bypass Vulnerability | ||||
| CVE-2025-21375 | 2025-02-21 | 7.8 High | ||
| Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | ||||
| CVE-2025-24970 | 2025-02-21 | 7.5 High | ||
| Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually. | ||||
| CVE-2024-34693 | 1 Apache | 1 Superset | 2025-02-21 | 6.8 Medium |
| Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0 Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue. | ||||
| CVE-2023-6937 | 1 Wolfssl | 1 Wolfssl | 2025-02-21 | 5.3 Medium |
| wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating. | ||||
| CVE-2024-13681 | 1 Undsgn | 1 Uncode | 2025-02-21 | 7.5 High |
| The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_admin_get_oembed' function in all versions up to, and including, 2.9.1.6. This makes it possible for unauthenticated attackers to read arbitrary files on the server. | ||||
| CVE-2024-13691 | 1 Undsgn | 1 Uncode | 2025-02-21 | 6.5 Medium |
| The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_recordMedia' function in all versions up to, and including, 2.9.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server. | ||||
| CVE-2016-4825 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 5.6 Medium |
| The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data. | ||||
| CVE-2019-1003030 | 2 Jenkins, Redhat | 3 Pipeline\, Openshift, Openshift Container Platform | 2025-02-20 | 9.9 Critical |
| A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM. | ||||
| CVE-2024-55952 | 1 Dataease | 1 Dataease | 2025-02-20 | 8.8 High |
| DataEase is an open source business analytics tool. Authenticated users can remotely execute code through the backend JDBC connection. When constructing the jdbc connection string, the parameters are not filtered. Constructing the host as ip:5432/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://ip:5432/1.xml&a= can trigger the ClassPathXmlApplicationContext construction method. The vulnerability has been fixed in v1.18.27. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||