CVE ID : CVE-2025-37730
Published : May 6, 2025, 6:15 p.m. | 1 hour, 19 minutes ago
Description : Improper certificate validation in Logstash’s TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode => full was set.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-44900
Published : May 6, 2025, 6:15 p.m. | 1 hour, 19 minutes ago
Description : In Tenda RX3 V1.0br_V16.03.13.11 in the GetParentControlInfo function of the web url /goform/GetParentControlInfo, the manipulation of the parameter mac leads to stack overflow.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-46815
Published : May 6, 2025, 6:15 p.m. | 1 hour, 19 minutes ago
Description : The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It’s important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4388
Published : May 6, 2025, 6:15 p.m. | 1 hour, 19 minutes ago
Description : A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-46816
Published : May 6, 2025, 7:16 p.m. | 19 minutes ago
Description : goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-46820
Published : May 6, 2025, 7:16 p.m. | 19 minutes ago
Description : phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run’s GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-45607
Published : May 5, 2025, 8:15 p.m. | 18 hours, 44 minutes ago
Description : An issue in the component /manage/ of itranswarp v2.19 allows attackers to bypass authentication via a crafted request.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-45611
Published : May 5, 2025, 8:15 p.m. | 18 hours, 44 minutes ago
Description : Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-0984
Published : May 6, 2025, 12:15 p.m. | 2 hours, 44 minutes ago
Description : Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Netoloji Software E-Flow allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS, File Content Injection.This issue affects E-Flow: before 3.23.00.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-45612
Published : May 5, 2025, 8:15 p.m. | 18 hours, 44 minutes ago
Description : Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4349
Published : May 6, 2025, 12:15 p.m. | 2 hours, 44 minutes ago
Description : A vulnerability classified as critical has been found in D-Link DIR-600L up to 2.07B01. This affects the function formSysCmd. The manipulation of the argument host leads to command injection. It is possible to initiate the attack remotely. This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4350
Published : May 6, 2025, 12:15 p.m. | 2 hours, 44 minutes ago
Description : A vulnerability classified as critical was found in D-Link DIR-600L up to 2.07B01. This vulnerability affects the function wake_on_lan. The manipulation of the argument host leads to command injection. The attack can be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4352
Published : May 6, 2025, 12:15 p.m. | 3 hours, 19 minutes ago
Description : A vulnerability, which was classified as critical, has been found in Golden Link Secondary System up to 20250424. This issue affects some unknown processing of the file /reprotframework/tcEntrFlowSelect.htm. The manipulation of the argument custTradeId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4353
Published : May 6, 2025, 12:15 p.m. | 3 hours, 19 minutes ago
Description : A vulnerability, which was classified as critical, was found in Golden Link Secondary System up to 20250424. Affected is an unknown function of the file /paraframework/queryTsDictionaryType.htm. The manipulation of the argument dictCn1 leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4355
Published : May 6, 2025, 1:15 p.m. | 1 hour, 44 minutes ago
Description : A vulnerability was found in Tenda DAP-1520 1.10B04_BETA02. It has been classified as critical. This affects the function set_ws_action of the file /dws/api/. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2018-1359
Published : May 6, 2025, 1:15 p.m. | 2 hours, 19 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4354
Published : May 6, 2025, 1:15 p.m. | 2 hours, 19 minutes ago
Description : A vulnerability was found in Tenda DAP-1520 1.10B04_BETA02 and classified as critical. Affected by this issue is the function check_dws_cookie of the file /storage. The manipulation leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4356
Published : May 6, 2025, 2:15 p.m. | 44 minutes ago
Description : A vulnerability was found in Tenda DAP-1520 1.10B04_BETA02. It has been declared as critical. This vulnerability affects the function mod_graph_auth_uri_handler of the file /storage of the component Authentication Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4357
Published : May 6, 2025, 2:15 p.m. | 1 hour, 19 minutes ago
Description : A vulnerability was found in Tenda RX3 16.03.13.11_multi. It has been rated as critical. This issue affects some unknown processing of the file /goform/telnet. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4358
Published : May 6, 2025, 2:15 p.m. | 1 hour, 19 minutes ago
Description : A vulnerability classified as critical has been found in PHPGurukul Company Visitor Management System 2.0. Affected is an unknown function of the file /admin-profile.php. The manipulation of the argument adminname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…