Les dernières vulnérabilités Hacking, Cybersécurité, Pentest, Failles

CVE-2025-4441 - A vulnerability was found in D-Link DIR-605L 2.13B01. It has been classified as critical. This affects the function formSetWAN_Wizard534. The manipulation of the argument curTime leads to buffer overflow. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure. This vulnerability only affects products that are no longer supported by the maintainer.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-4441
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4440 - A vulnerability was found in H3C GR-1800AX up to 100R008 and classified as critical. Affected by this issue is the function EnableIpv6 of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-4440
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4107 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-4107
Partager : LinkedIn / Twitter / Facebook

CVE-2025-47733 - Server-Side Request Forgery (SSRF) in Microsoft Power Apps allows an unauthorized attacker to disclose information over a network
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-47733
Partager : LinkedIn / Twitter / Facebook

CVE-2025-47732 - Microsoft Dataverse Remote Code Execution Vulnerability
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-47732
Partager : LinkedIn / Twitter / Facebook

CVE-2025-33072 - Improper access control in Azure allows an unauthorized attacker to disclose information over a network.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-33072
Partager : LinkedIn / Twitter / Facebook

CVE-2025-31946 - Pixmeo OsiriX MD is vulnerable to a local use after free scenario, which could allow an attacker to locally import a crafted DICOM file and cause memory corruption or a system crash.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-31946
Partager : LinkedIn / Twitter / Facebook

CVE-2025-29972 - Server-Side Request Forgery (SSRF) in Azure allows an authorized attacker to perform spoofing over a network.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-29972
Partager : LinkedIn / Twitter / Facebook

CVE-2025-29827 - Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-29827
Partager : LinkedIn / Twitter / Facebook

CVE-2025-29813 - An elevation of privilege vulnerability exists when Visual Studio improperly handles pipeline job tokens. An attacker who successfully exploited this vulnerability could extend their access to a project. To exploit this vulnerability, an attacker would first have to have access to the project and swap the short-term token for a long-term one. The update addresses the vulnerability by correcting how the Visual Studio updater handles these tokens.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-29813
Partager : LinkedIn / Twitter / Facebook

CVE-2025-27720 - The Pixmeo Osirix MD Web Portal sends credential information without encryption, which could allow an attacker to steal credentials.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-27720
Partager : LinkedIn / Twitter / Facebook

CVE-2025-27578 - Pixmeo OsiriX MD is vulnerable to a use after free scenario, which could allow an attacker to upload a crafted DICOM file and cause memory corruption leading to a denial-of-service condition.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-27578
Partager : LinkedIn / Twitter / Facebook

CVE-2025-1331 - IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could allow a local user to execute arbitrary code on the system due to the use of unsafe use of the gets function.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-1331
Partager : LinkedIn / Twitter / Facebook

CVE-2025-1330 - IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1  could allow a local user to execute arbitrary code on the system due to failure to handle DNS return requests by the gethostbyname function.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-1330
Partager : LinkedIn / Twitter / Facebook

CVE-2025-1329 - IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could allow a local user to execute arbitrary code on the system due to failure to handle DNS return requests by the gethostbyaddr function.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-1329
Partager : LinkedIn / Twitter / Facebook

CVE-2025-28074 - phpList prior to 3.6.3 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-28074
Partager : LinkedIn / Twitter / Facebook

CVE-2023-31585 - Grocery-CMS-PHP-Restful-API v1.3 is vulnerable to File Upload via /admin/add-category.php.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2023-31585
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4475 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-4475
Partager : LinkedIn / Twitter / Facebook

CVE-2025-46833 - Programs/P73_SimplePythonEncryption.py illustrates a simple Python encryption example using the RSA Algorithm. In versions prior to commit 6ce60b1, an attacker may be able to decrypt the data using brute force attacks and because of this the whole application can be impacted. This issue has been patched in commit 6ce60b1. A workaround involves increasing the key size, for RSA or DSA this is at least 2048 bits, for ECC this is at least 256 bits.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-46833
Partager : LinkedIn / Twitter / Facebook

CVE-2025-46812 - Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This issue has been patched in version 2.1.15.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-46812
Partager : LinkedIn / Twitter / Facebook

CVE-2025-46712 - Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-46712
Partager : LinkedIn / Twitter / Facebook

CVE-2025-46336 - Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-46336
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45798 - A command execution vulnerability exists in the TOTOLINK A950RG V4.1.2cu.5204_B20210112. The vulnerability is located in the setNoticeCfg interface within the /lib/cste_modules/system.so library, specifically in the processing of the IpTo parameter.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45798
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45797 - TOTOlink A950RG V4.1.2cu.5204_B20210112 contains a buffer overflow vulnerability. The vulnerability arises from the improper input validation of the NoticeUrl parameter in the setNoticeCfg interface of /lib/cste_modules/system.so.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45797
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45790 - TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow via the priority parameter in the setMacQos interface of /lib/cste_modules/firewall.so.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45790
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45789 - TOTOLINK A3100R V5.9c.1527 is vulnerable to buffer overflow via the urlKeyword parameter in setParentalRules.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45789
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45788 - TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow via the comment parameter in setMacFilterRules.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45788
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45787 - TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow viathe comment parameter in setIpPortFilterRules.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45787
Partager : LinkedIn / Twitter / Facebook

CVE-2025-44023 - An issue in dlink DNS-320 v.1.00 and DNS-320LW v.1.01.0914.20212 allows an attacker to execute arbitrary via the account_mgr.cgi->cgi_chg_admin_pw components.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-44023
Partager : LinkedIn / Twitter / Facebook

CVE-2025-28073 - phpList 3.6.3 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-28073
Partager : LinkedIn / Twitter / Facebook

CVE-2024-9448 - On affected platforms running Arista EOS with Traffic Policies configured the vulnerability will cause received untagged packets not to hit Traffic Policy rules that they are expected to hit. If the rule was to drop the packet, the packet will not be dropped and instead will be forwarded as if the rule was not in place. This could lead to packets being delivered to unexpected destinations.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2024-9448
Partager : LinkedIn / Twitter / Facebook

CVE-2025-27695 - Dell Wyse Management Suite, versions prior to WMS 5.1 contain an Authentication Bypass by Spoofing vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information Disclosure.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-27695
Partager : LinkedIn / Twitter / Facebook

CVE-2025-0505 - On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-0505
Partager : LinkedIn / Twitter / Facebook

CVE-2024-8100 - On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2024-8100
Partager : LinkedIn / Twitter / Facebook

CVE-2024-12378 - On affected platforms running Arista EOS with secure Vxlan configured, restarting the Tunnelsec agent will result in packets being sent over the secure Vxlan tunnels in the clear.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2024-12378
Partager : LinkedIn / Twitter / Facebook

CVE-2024-11186 - On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended. This advisory impacts the Arista CloudVision Portal products when run on-premise. It does not impact CloudVision as-a-Service.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2024-11186
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4098 - Horner Automation Cscape version 10.0 (10.0.415.2) SP1 is vulnerable to an out-of-bounds read vulnerability that could allow an attacker to disclose information and execute arbitrary code on affected installations of Cscape.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-4098
Partager : LinkedIn / Twitter / Facebook

CVE-2025-30102 - Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.1.0, contains an out-of-bounds write vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to denial of service.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-30102
Partager : LinkedIn / Twitter / Facebook

CVE-2025-30101 - Dell PowerScale OneFS, versions 9.8.0.0 through 9.10.1.0, contain a time-of-check time-of-use (TOCTOU) race condition vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to denial of service and information tampering.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-30101
Partager : LinkedIn / Twitter / Facebook

CVE-2025-1948 - In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-1948
Partager : LinkedIn / Twitter / Facebook

CVE-2024-13009 - In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2024-13009
Partager : LinkedIn / Twitter / Facebook

CVE-2025-44021 - OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be written to the target node disk. This is difficult to exploit in practice, because a node deployed in this manner should never reach the ACTIVE state, but it still represents a danger in environments running with non-default, insecure configurations such as with automated cleaning disabled. The fixed versions are 24.1.3, 26.1.1, and 29.0.1.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-44021
Partager : LinkedIn / Twitter / Facebook

CVE-2025-26847 - An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-26847
Partager : LinkedIn / Twitter / Facebook

CVE-2025-26845 - An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-26845
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4132 - Rapid7 Corporate Website prior to May 2nd 2025, suffered from a URL Redirection to Untrusted Site ('Open Redirect') vulnerability whereby, due to misconfigured headers, an attacker could successfully redirect users to a malicious site of their control. This vulnerability has been fixed as of May 2nd 2025.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-4132
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45847 - ALFA AIP-W512 v3.2.2.2.3 was discovered to contain an authenticated stack overflow via the targetAPMac parameter in the formWsc function.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45847
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45846 - ALFA AIP-W512 v3.2.2.2.3 was discovered to contain an authenticated stack overflow via the torrentsindex parameter in the formBTClinetSetting function.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45846
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45845 - TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an authenticated stack overflow via the ssid5g parameter in the setWiFiEasyGuestCfg function.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45845
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45844 - TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an authenticated stack overflow via the ssid parameter in the setWiFiBasicCfg function.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45844
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45843 - TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an authenticated stack overflow via the ssid parameter in the setWiFiGuestCfg function.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45843
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45842 - TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an authenticated stack overflow via the ssid5g parameter in the setWiFiEasyCfg function.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45842
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45841 - TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an authenticated stack overflow via the text parameter in the setSmsCfg function.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45841
Partager : LinkedIn / Twitter / Facebook

CVE-2025-43926 - An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-43926
Partager : LinkedIn / Twitter / Facebook

CVE-2025-26844 - An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-26844
Partager : LinkedIn / Twitter / Facebook

CVE-2025-26842 - An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-26842
Partager : LinkedIn / Twitter / Facebook

CVE-2023-51328 - PHPJabbers Cleaning Business Software v1.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) in the "c_name, name" parameters.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2023-51328
Partager : LinkedIn / Twitter / Facebook

CVE-2023-51295 - PHPJabbers Event Booking Calendar v4.0 is vulnerable to Multiple HTML Injection in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key, title" parameters.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2023-51295
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4207 - Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-4207
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45820 - Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/bibliography/pop_author_edit.php.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45820
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45819 - Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/author.php.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45819
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45818 - Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/item_status.php.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-45818
Partager : LinkedIn / Twitter / Facebook

CVE-2025-47730 - The TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) from the TM SGNL (aka Archive Signal) app with the credentials of logfile for the user and enRR8UVVywXYbFkqU#QDPRkO for the password.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-47730
Partager : LinkedIn / Twitter / Facebook

CVE-2025-47729 - The TeleMessage archiving backend through 2025-05-05 holds cleartext copies of messages from TM SGNL (aka Archive Signal) app users, which is different functionality than described in the TeleMessage "End-to-End encryption from the mobile phone through to the corporate archive" documentation, as exploited in the wild in May 2025.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-47729
Partager : LinkedIn / Twitter / Facebook

CVE-2024-6648 - Absolute Path Traversal vulnerability in AP Page Builder versions prior to 4.0.0 could allow an unauthenticated remote user to modify the 'product_item_path' within the 'config' JSON file, allowing them to read any file on the system.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2024-6648
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4208 - The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-4208
Partager : LinkedIn / Twitter / Facebook

CVE-2025-3862 - Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id' parameter in all versions up to, and including, 26.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-3862
Partager : LinkedIn / Twitter / Facebook

CVE-2025-3506 - Files to be deployed with agents are accessible without authentication in Checkmk 2.1.0, Checkmk 2.2.0, Checkmk 2.3.0 and
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-3506
Partager : LinkedIn / Twitter / Facebook

CVE-2025-3468 - The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-3468
Partager : LinkedIn / Twitter / Facebook

CVE-2025-2806 - The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the ‘data' parameter in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-2806
Partager : LinkedIn / Twitter / Facebook

CVE-2025-41450 - Improper Authentication vulnerability in Danfoss AKSM8xxA Series.This issue affects Danfoss AK-SM 8xxA Series prior to version 4.2
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-41450
Partager : LinkedIn / Twitter / Facebook

CVE-2025-3759 - Endpoint /cgi-bin-igd/netcore_set.cgi which is used for changing device configuration is accessible without authentication. This poses a significant security threat allowing for e.g: administrator account hijacking or AP password changing. The vendor was contacted early about this disclosure but did not respond in any way.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-3759
Partager : LinkedIn / Twitter / Facebook

CVE-2025-3758 - WF2220 exposes endpoint /cgi-bin-igd/netcore_get.cgi that returns configuration of the device to unauthorized users. Returned configuration includes cleartext password. The vendor was contacted early about this disclosure but did not respond in any way.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-3758
Partager : LinkedIn / Twitter / Facebook

CVE-2025-40846 - Improper Input Validation, the returnUrl parameter in Account Security Settings lacks proper input validation, allowing attackers to redirect users to malicious websites (Open Redirect) and inject JavaScript code to perform cross site scripting attack. The vulnerability affects Halo versions up to 2.174.101 and all versions between 2.175.1 and 2.184.21
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-40846
Partager : LinkedIn / Twitter / Facebook

CVE-2025-1254 - Out-of-bounds Read, Out-of-bounds Write vulnerability in RTI Connext Professional (Core Libraries) allows Overread Buffers, Overflow Buffers.This issue affects Connext Professional: from 7.4.0 before 7.5.0, from 7.0.0 before 7.3.0.7, from 6.0.0 before 6.1.2.23.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-1254
Partager : LinkedIn / Twitter / Facebook

CVE-2025-1253 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core Libraries) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.4.0 before 7.5.0, from 7.0.0 before 7.3.0.7, from 4.5 before 6.1.2.23.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-1253
Partager : LinkedIn / Twitter / Facebook

CVE-2025-1252 - Heap-based Buffer Overflow vulnerability in RTI Connext Professional (Core Libraries) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.4.0 before 7.5.0, from 7.0.0 before 7.3.0.7, from 4.4 before 6.1.2.23.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-1252
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4127 - The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Price Range' parameter in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that will execute whenever an administrator accesses the plugin settings page.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-4127
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37834 - In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: don't try to reclaim hwpoison folio Syzkaller reports a bug as follows: Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e memcg:ffff0000dd6d9000 anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) ------------[ cut here ]------------ kernel BUG at mm/swap_state.c:184! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 Hardware name: linux,dummy-virt (DT) pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : add_to_swap+0xbc/0x158 lr : add_to_swap+0xbc/0x158 sp : ffff800087f37340 x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 Call trace: add_to_swap+0xbc/0x158 shrink_folio_list+0x12ac/0x2648 shrink_inactive_list+0x318/0x948 shrink_lruvec+0x450/0x720 shrink_node_memcgs+0x280/0x4a8 shrink_node+0x128/0x978 balance_pgdat+0x4f0/0xb20 kswapd+0x228/0x438 kthread+0x214/0x230 ret_from_fork+0x10/0x20 I can reproduce this issue with the following steps: 1) When a dirty swapcache page is isolated by reclaim process and the page isn't locked, inject memory failure for the page. me_swapcache_dirty() clears uptodate flag and tries to delete from lru, but fails. Reclaim process will put the hwpoisoned page back to lru. 2) The process that maps the hwpoisoned page exits, the page is deleted the page will never be freed and will be in the lru forever. 3) If we trigger a reclaim again and tries to reclaim the page, add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is cleared. To fix it, skip the hwpoisoned page in shrink_folio_list(). Besides, the hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap it in shrink_folio_list(), otherwise the folio will fail to be unmaped by hwpoison_user_mappings() since the folio isn't in lru list.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37834
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37833 - In the Linux kernel, the following vulnerability has been resolved: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads Fix niu_try_msix() to not cause a fatal trap on sparc systems. Set PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST on the struct pci_dev to work around a bug in the hardware or firmware. For each vector entry in the msix table, niu chips will cause a fatal trap if any registers in that entry are read before that entries' ENTRY_DATA register is written to. Testing indicates writes to other registers are not sufficient to prevent the fatal trap, however the value does not appear to matter. This only needs to happen once after power up, so simply rebooting into a kernel lacking this fix will NOT cause the trap. NON-RESUMABLE ERROR: Reporting on cpu 64 NON-RESUMABLE ERROR: TPC [0x00000000005f6900] NON-RESUMABLE ERROR: RAW [4010000000000016:00000e37f93e32ff:0000000202000080:ffffffffffffffff NON-RESUMABLE ERROR: 0000000800000000:0000000000000000:0000000000000000:0000000000000000] NON-RESUMABLE ERROR: handle [0x4010000000000016] stick [0x00000e37f93e32ff] NON-RESUMABLE ERROR: type [precise nonresumable] NON-RESUMABLE ERROR: attrs [0x02000080] < ASI sp-faulted priv > NON-RESUMABLE ERROR: raddr [0xffffffffffffffff] NON-RESUMABLE ERROR: insn effective address [0x000000c50020000c] NON-RESUMABLE ERROR: size [0x8] NON-RESUMABLE ERROR: asi [0x00] CPU: 64 UID: 0 PID: 745 Comm: kworker/64:1 Not tainted 6.11.5 #63 Workqueue: events work_for_cpu_fn TSTATE: 0000000011001602 TPC: 00000000005f6900 TNPC: 00000000005f6904 Y: 00000000 Not tainted TPC: g0: 00000000000002e9 g1: 000000000000000c g2: 000000c50020000c g3: 0000000000000100 g4: ffff8000470307c0 g5: ffff800fec5be000 g6: ffff800047a08000 g7: 0000000000000000 o0: ffff800014feb000 o1: ffff800047a0b620 o2: 0000000000000011 o3: ffff800047a0b620 o4: 0000000000000080 o5: 0000000000000011 sp: ffff800047a0ad51 ret_pc: 00000000005f7128 RPC: l0: 000000000000000d l1: 000000000000c01f l2: ffff800014feb0a8 l3: 0000000000000020 l4: 000000000000c000 l5: 0000000000000001 l6: 0000000020000000 l7: ffff800047a0b734 i0: ffff800014feb000 i1: ffff800047a0b730 i2: 0000000000000001 i3: 000000000000000d i4: 0000000000000000 i5: 0000000000000000 i6: ffff800047a0ae81 i7: 00000000101888b0 I7: Call Trace: [] niu_try_msix.constprop.0+0xc0/0x130 [niu] [] niu_get_invariants+0x183c/0x207c [niu] [] niu_pci_init_one+0x27c/0x2fc [niu] [] local_pci_probe+0x28/0x74 [] work_for_cpu_fn+0x8/0x1c [] process_scheduled_works+0x144/0x210 [] worker_thread+0x13c/0x1c0 [] kthread+0xb8/0xc8 [] ret_from_fork+0x1c/0x2c [] 0x0 Kernel panic - not syncing: Non-resumable error.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37833
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37832 - In the Linux kernel, the following vulnerability has been resolved: cpufreq: sun50i: prevent out-of-bounds access A KASAN enabled kernel reports an out-of-bounds access when handling the nvmem cell in the sun50i cpufreq driver: ================================================================== BUG: KASAN: slab-out-of-bounds in sun50i_cpufreq_nvmem_probe+0x180/0x3d4 Read of size 4 at addr ffff000006bf31e0 by task kworker/u16:1/38 This is because the DT specifies the nvmem cell as covering only two bytes, but we use a u32 pointer to read the value. DTs for other SoCs indeed specify 4 bytes, so we cannot just shorten the variable to a u16. Fortunately nvmem_cell_read() allows to return the length of the nvmem cell, in bytes, so we can use that information to only access the valid portion of the data. To cover multiple cell sizes, use memcpy() to copy the information into a zeroed u32 buffer, then also make sure we always read the data in little endian fashion, as this is how the data is stored in the SID efuses.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37832
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37831 - In the Linux kernel, the following vulnerability has been resolved: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() cpufreq_cpu_get_raw() can return NULL when the target CPU is not present in the policy->cpus mask. apple_soc_cpufreq_get_rate() does not check for this case, which results in a NULL pointer dereference.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37831
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37830 - In the Linux kernel, the following vulnerability has been resolved: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() cpufreq_cpu_get_raw() can return NULL when the target CPU is not present in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for this case, which results in a NULL pointer dereference. Add NULL check after cpufreq_cpu_get_raw() to prevent this issue.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37830
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37829 - In the Linux kernel, the following vulnerability has been resolved: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() cpufreq_cpu_get_raw() can return NULL when the target CPU is not present in the policy->cpus mask. scpi_cpufreq_get_rate() does not check for this case, which results in a NULL pointer dereference.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37829
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37828 - In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort() A race can occur between the MCQ completion path and the abort handler: once a request completes, __blk_mq_free_request() sets rq->mq_hctx to NULL, meaning the subsequent ufshcd_mcq_req_to_hwq() call in ufshcd_mcq_abort() can return a NULL pointer. If this NULL pointer is dereferenced, the kernel will crash. Add a NULL check for the returned hwq pointer. If hwq is NULL, log an error and return FAILED, preventing a potential NULL-pointer dereference. As suggested by Bart, the ufshcd_cmd_inflight() check is removed. This is similar to the fix in commit 74736103fb41 ("scsi: ufs: core: Fix ufshcd_abort_one racing issue"). This is found by our static analysis tool KNighter.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37828
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37827 - In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: return EIO on RAID1 block group write pointer mismatch There was a bug report about a NULL pointer dereference in __btrfs_add_free_space_zoned() that ultimately happens because a conversion from the default metadata profile DUP to a RAID1 profile on two disks. The stack trace has the following signature: BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile BUG: kernel NULL pointer dereference, address: 0000000000000058 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0 RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001 RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410 RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000 R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000 R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000 FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0 Call Trace: ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15c/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0 btrfs_add_free_space_async_trimmed+0x34/0x40 btrfs_add_new_free_space+0x107/0x120 btrfs_make_block_group+0x104/0x2b0 btrfs_create_chunk+0x977/0xf20 btrfs_chunk_alloc+0x174/0x510 ? srso_return_thunk+0x5/0x5f btrfs_inc_block_group_ro+0x1b1/0x230 btrfs_relocate_block_group+0x9e/0x410 btrfs_relocate_chunk+0x3f/0x130 btrfs_balance+0x8ac/0x12b0 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? __kmalloc_cache_noprof+0x14c/0x3e0 btrfs_ioctl+0x2686/0x2a80 ? srso_return_thunk+0x5/0x5f ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120 __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x82/0x160 ? srso_return_thunk+0x5/0x5f ? __memcg_slab_free_hook+0x11a/0x170 ? srso_return_thunk+0x5/0x5f ? kmem_cache_free+0x3f0/0x450 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? syscall_exit_to_user_mode+0x10/0x210 ? srso_return_thunk+0x5/0x5f ? do_syscall_64+0x8e/0x160 ? sysfs_emit+0xaf/0xc0 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? seq_read_iter+0x207/0x460 ? srso_return_thunk+0x5/0x5f ? vfs_read+0x29c/0x370 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? syscall_exit_to_user_mode+0x10/0x210 ? srso_return_thunk+0x5/0x5f ? do_syscall_64+0x8e/0x160 ? srso_return_thunk+0x5/0x5f ? exc_page_fault+0x7e/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdab1e0ca6d RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003 RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001 CR2: 0000000000000058 ---[ end trace 0000000000000000 ]--- The 1st line is the most interesting here: BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile When a RAID1 block-group is created and a write pointer mismatch between the disks in the RAID set is detected, btrfs sets the alloc_offset to the length of the block group marking it as full. Afterwards the code expects that a balance operation will evacuate the data in this block-group and repair the problems. But before this is possible, the new space of this block-group will be accounted in the free space cache. But in __btrfs_ ---truncated---
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37827
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37826 - In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Add NULL check in ufshcd_mcq_compl_pending_transfer() Add a NULL check for the returned hwq pointer by ufshcd_mcq_req_to_hwq(). This is similar to the fix in commit 74736103fb41 ("scsi: ufs: core: Fix ufshcd_abort_one racing issue").
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37826
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37825 - In the Linux kernel, the following vulnerability has been resolved: nvmet: fix out-of-bounds access in nvmet_enable_port When trying to enable a port that has no transport configured yet, nvmet_enable_port() uses NVMF_TRTYPE_MAX (255) to query the transports array, causing an out-of-bounds access: [ 106.058694] BUG: KASAN: global-out-of-bounds in nvmet_enable_port+0x42/0x1da [ 106.058719] Read of size 8 at addr ffffffff89dafa58 by task ln/632 [...] [ 106.076026] nvmet: transport type 255 not supported Since commit 200adac75888, NVMF_TRTYPE_MAX is the default state as configured by nvmet_ports_make(). Avoid this by checking for NVMF_TRTYPE_MAX before proceeding.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37825
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37824 - In the Linux kernel, the following vulnerability has been resolved: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() syzbot reported: tipc: Node number set to 1055423674 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events tipc_net_finalize_work RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719 ... RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007 R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010 FS: 0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 ... RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719 ... RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007 R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010 FS: 0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 There is a racing condition between workqueue created when enabling bearer and another thread created when disabling bearer right after that as follow: enabling_bearer | disabling_bearer --------------- | ---------------- tipc_disc_timeout() | { | bearer_disable() ... | { schedule_work(&tn->work); | tipc_mon_delete() ... | { } | ... | write_lock_bh(&mon->lock); | mon->self = NULL; | write_unlock_bh(&mon->lock); | ... | } tipc_net_finalize_work() | } { | ... | tipc_net_finalize() | { | ... | tipc_mon_reinit_self() | { | ... | write_lock_bh(&mon->lock); | mon->self->addr = tipc_own_addr(net); | write_unlock_bh(&mon->lock); | ... ---truncated---
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37824
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37823 - In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Similarly to the previous patch, we need to safe guard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37823
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37822 - In the Linux kernel, the following vulnerability has been resolved: riscv: uprobes: Add missing fence.i after building the XOL buffer The XOL (execute out-of-line) buffer is used to single-step the replaced instruction(s) for uprobes. The RISC-V port was missing a proper fence.i (i$ flushing) after constructing the XOL buffer, which can result in incorrect execution of stale/broken instructions. This was found running the BPF selftests "test_progs: uprobe_autoattach, attach_probe" on the Spacemit K1/X60, where the uprobes tests randomly blew up.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37822
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37821 - In the Linux kernel, the following vulnerability has been resolved: sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash There is a code path in dequeue_entities() that can set the slice of a sched_entity to U64_MAX, which sometimes results in a crash. The offending case is when dequeue_entities() is called to dequeue a delayed group entity, and then the entity's parent's dequeue is delayed. In that case: 1. In the if (entity_is_task(se)) else block at the beginning of dequeue_entities(), slice is set to cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX. 2. The first for_each_sched_entity() loop dequeues the entity. 3. If the entity was its parent's only child, then the next iteration tries to dequeue the parent. 4. If the parent's dequeue needs to be delayed, then it breaks from the first for_each_sched_entity() loop _without updating slice_. 5. The second for_each_sched_entity() loop sets the parent's ->slice to the saved slice, which is still U64_MAX. This throws off subsequent calculations with potentially catastrophic results. A manifestation we saw in production was: 6. In update_entity_lag(), se->slice is used to calculate limit, which ends up as a huge negative number. 7. limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit is negative, vlag > limit, so se->vlag is set to the same huge negative number. 8. In place_entity(), se->vlag is scaled, which overflows and results in another huge (positive or negative) number. 9. The adjusted lag is subtracted from se->vruntime, which increases or decreases se->vruntime by a huge number. 10. pick_eevdf() calls entity_eligible()/vruntime_eligible(), which incorrectly returns false because the vruntime is so far from the other vruntimes on the queue, causing the (vruntime - cfs_rq->min_vruntime) * load calulation to overflow. 11. Nothing appears to be eligible, so pick_eevdf() returns NULL. 12. pick_next_entity() tries to dereference the return value of pick_eevdf() and crashes. Dumping the cfs_rq states from the core dumps with drgn showed tell-tale huge vruntime ranges and bogus vlag values, and I also traced se->slice being set to U64_MAX on live systems (which was usually "benign" since the rest of the runqueue needed to be in a particular state to crash). Fix it in dequeue_entities() by always setting slice from the first non-empty cfs_rq.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37821
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37820 - In the Linux kernel, the following vulnerability has been resolved: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() The function xdp_convert_buff_to_frame() may return NULL if it fails to correctly convert the XDP buffer into an XDP frame due to memory constraints, internal errors, or invalid data. Failing to check for NULL may lead to a NULL pointer dereference if the result is used later in processing, potentially causing crashes, data corruption, or undefined behavior. On XDP redirect failure, the associated page must be released explicitly if it was previously retained via get_page(). Failing to do so may result in a memory leak, as the pages reference count is not decremented.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37820
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37819 - In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be freed, while being registered with the PCI subsystem and could trigger: Unable to handle kernel paging request at virtual address ffff8000816c0400 gicv2m_get_fwnode+0x0/0x58 (P) pci_set_bus_msi_domain+0x74/0x88 pci_register_host_bridge+0x194/0x548 This is easily reproducible on a Juno board with ACPI boot. Retain the function for later use.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37819
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37818 - In the Linux kernel, the following vulnerability has been resolved: LoongArch: Return NULL from huge_pte_offset() for invalid PMD LoongArch's huge_pte_offset() currently returns a pointer to a PMD slot even if the underlying entry points to invalid_pte_table (indicating no mapping). Callers like smaps_hugetlb_range() fetch this invalid entry value (the address of invalid_pte_table) via this pointer. The generic is_swap_pte() check then incorrectly identifies this address as a swap entry on LoongArch, because it satisfies the "!pte_present() && !pte_none()" conditions. This misinterpretation, combined with a coincidental match by is_migration_entry() on the address bits, leads to kernel crashes in pfn_swap_entry_to_page(). Fix this at the architecture level by modifying huge_pte_offset() to check the PMD entry's content using pmd_none() before returning. If the entry is invalid (i.e., it points to invalid_pte_table), return NULL instead of the pointer to the slot.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37818
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37817 - In the Linux kernel, the following vulnerability has been resolved: mcb: fix a double free bug in chameleon_parse_gdd() In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev' would be released in mcb_device_register() via put_device(). Thus, goto 'err' label and free 'mdev' again causes a double free. Just return if mcb_device_register() fails.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37817
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37816 - In the Linux kernel, the following vulnerability has been resolved: mei: vsc: Fix fortify-panic caused by invalid counted_by() use gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[] and the vsc-tp.c code is using this in a wrong way. len does not contain the available size in the buffer, it contains the actual packet length *without* the crc. So as soon as vsc_tp_xfer() tries to add the crc to buf[] the fortify-panic handler gets triggered: [ 80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0 [ 80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50 ... [ 80.843175] __fortify_panic+0x9/0xb [ 80.843186] vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw] [ 80.843210] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [ 80.843229] ? lockdep_hardirqs_on+0x7c/0x110 [ 80.843250] mei_vsc_hw_start+0x98/0x120 [mei_vsc] [ 80.843270] mei_reset+0x11d/0x420 [mei] The easiest fix would be to just drop the counted-by but with the exception of the ack buffer in vsc_tp_xfer_helper() which only contains enough room for the packet-header, all other uses of vsc_tp_packet always use a buffer of VSC_TP_MAX_XFER_SIZE bytes for the packet. Instead of just dropping the counted-by, split the vsc_tp_packet struct definition into a header and a full-packet definition and use a fixed size buf[] in the packet definition, this way fortify-source buffer overrun checking still works when enabled.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37816
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37815 - In the Linux kernel, the following vulnerability has been resolved: misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration Resolve kernel panic while accessing IRQ handler associated with the generated IRQ. This is done by acquiring the spinlock and storing the current interrupt state before handling the interrupt request using generic_handle_irq. A previous fix patch was submitted where 'generic_handle_irq' was replaced with 'handle_nested_irq'. However, this change also causes the kernel panic where after determining which GPIO triggered the interrupt and attempting to call handle_nested_irq with the mapped IRQ number, leads to a failure in locating the registered handler.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37815
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37814 - In the Linux kernel, the following vulnerability has been resolved: tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT This requirement was overeagerly loosened in commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), but as it turns out, (1) the logic I implemented there was inconsistent (apologies!), (2) TIOCL_SELMOUSEREPORT might actually be a small security risk after all, and (3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse daemon (GPM or Consolation), which runs as CAP_SYS_ADMIN already. In more detail: 1. The previous patch has inconsistent logic: In commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), we checked for sel_mode == TIOCL_SELMOUSEREPORT, but overlooked that the lower four bits of this "mode" parameter were actually used as an additional way to pass an argument. So the patch did actually still require CAP_SYS_ADMIN, if any of the mouse button bits are set, but did not require it if none of the mouse buttons bits are set. This logic is inconsistent and was not intentional. We should have the same policies for using TIOCL_SELMOUSEREPORT independent of the value of the "hidden" mouse button argument. I sent a separate documentation patch to the man page list with more details on TIOCL_SELMOUSEREPORT: https://lore.kernel.org/all/20250223091342.35523-2-gnoack3000@gmail.com/ 2. TIOCL_SELMOUSEREPORT is indeed a potential security risk which can let an attacker simulate "keyboard" input to command line applications on the same terminal, like TIOCSTI and some other TIOCLINUX "selection mode" IOCTLs. By enabling mouse reporting on a terminal and then injecting mouse reports through TIOCL_SELMOUSEREPORT, an attacker can simulate mouse movements on the same terminal, similar to the TIOCSTI keystroke injection attacks that were previously possible with TIOCSTI and other TIOCL_SETSEL selection modes. Many programs (including libreadline/bash) are then prone to misinterpret these mouse reports as normal keyboard input because they do not expect input in the X11 mouse protocol form. The attacker does not have complete control over the escape sequence, but they can at least control the values of two consecutive bytes in the binary mouse reporting escape sequence. I went into more detail on that in the discussion at https://lore.kernel.org/all/20250221.0a947528d8f3@gnoack.org/ It is not equally trivial to simulate arbitrary keystrokes as it was with TIOCSTI (commit 83efeeeb3d04 ("tty: Allow TIOCSTI to be disabled")), but the general mechanism is there, and together with the small number of existing legit use cases (see below), it would be better to revert back to requiring CAP_SYS_ADMIN for TIOCL_SELMOUSEREPORT, as it was already the case before commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"). 3. TIOCL_SELMOUSEREPORT is only used by the mouse daemons (GPM or Consolation), and they are the only legit use case: To quote console_codes(4): The mouse tracking facility is intended to return xterm(1)-compatible mouse status reports. Because the console driver has no way to know the device or type of the mouse, these reports are returned in the console input stream only when the virtual terminal driver receives a mouse update ioctl. These ioctls must be generated by a mouse-aware user-mode application such as the gpm(8) daemon. Jared Finder has also confirmed in https://lore.kernel.org/all/491f3df9de6593df8e70dbe77614b026@finder.org/ that Emacs does not call TIOCL_SELMOUSEREPORT directly, and it would be difficult to find good reasons for doing that, given that it would interfere with the reports that GPM is sending. More information on the interaction between GPM, terminals and th ---truncated---
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37814
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37813 - In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix invalid pointer dereference in Etron workaround This check is performed before prepare_transfer() and prepare_ring(), so enqueue can already point at the final link TRB of a segment. And indeed it will, some 0.4% of times this code is called. Then enqueue + 1 is an invalid pointer. It will crash the kernel right away or load some junk which may look like a link TRB and cause the real link TRB to be replaced with a NOOP. This wouldn't end well. Use a functionally equivalent test which doesn't dereference the pointer and always gives correct result. Something has crashed my machine twice in recent days while playing with an Etron HC, and a control transfer stress test ran for confirmation has just crashed it again. The same test passes with this patch applied.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37813
Partager : LinkedIn / Twitter / Facebook

CVE-2025-37812 - In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: Fix deadlock when using NCM gadget The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit 58f2fcb3a845 ("usb: cdnsp: Fix deadlock issue during using NCM gadget"). Under PREEMPT_RT the deadlock can be readily triggered by heavy network traffic, for example using "iperf --bidir" over NCM ethernet link. The deadlock occurs because the threaded interrupt handler gets preempted by a softirq, but both are protected by the same spinlock. Prevent deadlock by disabling softirq during threaded irq handler.
08/05/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-37812
Partager : LinkedIn / Twitter / Facebook

Soutenez No Hack Me sur Tipeee

Les annonces ayant été modifiées dernièrement

CVE-2025-0936 - On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc).
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-0936
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4043 - An admin user can gain unauthorized write access to the /etc/rc.local file on the device, which is executed on a system boot.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4043
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45388 - Wagtail CMS 6.4.1 is vulnerable to a Stored Cross-Site Scripting (XSS) in the document upload functionality. Attackers can inject malicious code inside a PDF file. When a user clicks the document in the CMS interface, the payload executes.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-45388
Partager : LinkedIn / Twitter / Facebook

CVE-2025-29746 - Cross Site Scripting vulnerability in Koillection v.1.6.10 allows a remote attacker to escalate privileges via the collection, Wishlist and album components
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-29746
Partager : LinkedIn / Twitter / Facebook

CVE-2025-29448 - Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-29448
Partager : LinkedIn / Twitter / Facebook

CVE-2025-29602 - flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Administration area via Manage categories.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-29602
Partager : LinkedIn / Twitter / Facebook

CVE-2025-29154 - HTML injection vulnerability in lemeconsultoria HCM galera.app v.4.58.0 allows an attacker to execute arbitrary code via the .galera.app/ted/solicitacao_treinamento/, .galera.app/rh/metas/perspectiva_estrategica/edicao/, .galera.app/rh/cadastros/perspectivas/listagem/adc/, .galera.app/escolaridade/listagem/, .galera.app/estados_civis/cadastro/, .galera.app/nivel_hierarquico/listagem/, .galera.app/nivel_decisorio/cadastro/, .galera.app/escolaridade/cadastro/, .galera.app/nivel_decisorio/listagem/, .galera.app/rh/cadastros/perspectivas/listagem/, .galera.app/empresas_grupo/cadastro/, .galera.app/empresas/edicao/, .galera.app/liais/listagem/, .galera.app/noticias/listagem/, .galera.app/gerenciamento-de-ciclo/abertura/cadastrar, .galera.app/colaborador/cadastro/cursos/adc/edicao/, .galera.app/colaborador/cadastro/adc/, .galera.app/cads_aux/escalact/, .galera.app/ncf/tec/cadastro/ct/ .galera.app/rh/metas/painel/, .galera.app/rh/metas/equipe/edicao/, .galera.app/rh/pdi/tipo_recursos/edicao/, .galera.app/rh/pdi/familia_recursos/cadastro/, .galera.app/rh/pdi/fornecedores/edicao/, and .galera.app/rh/pdi/recursos/cadastro/ components.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-29154
Partager : LinkedIn / Twitter / Facebook

CVE-2023-33770 - Real Estate Management System v1.0 was discovered to contain a SQL injection vulnerability via the message parameter at /contact.php.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2023-33770
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4303 - A vulnerability, which was classified as critical, has been found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. Affected by this issue is some unknown functionality of the file /add-phlebotomist.php. The manipulation of the argument empid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4303
Partager : LinkedIn / Twitter / Facebook

CVE-2025-28168 - The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-28168
Partager : LinkedIn / Twitter / Facebook

CVE-2025-20666 - In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00650610; Issue ID: MSV-2933.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-20666
Partager : LinkedIn / Twitter / Facebook

CVE-2023-53130 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2023-53130
Partager : LinkedIn / Twitter / Facebook

CVE-2023-53129 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2023-53129
Partager : LinkedIn / Twitter / Facebook

CVE-2023-53122 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2023-53122
Partager : LinkedIn / Twitter / Facebook

CVE-2023-53104 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2023-53104
Partager : LinkedIn / Twitter / Facebook

CVE-2022-49897 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2022-49897
Partager : LinkedIn / Twitter / Facebook

CVE-2022-49856 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2022-49856
Partager : LinkedIn / Twitter / Facebook

CVE-2022-49843 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2022-49843
Partager : LinkedIn / Twitter / Facebook

CVE-2025-23139 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
08/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-23139
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4372 - Use after free in WebAudio in Google Chrome prior to 136.0.7103.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4372
Partager : LinkedIn / Twitter / Facebook

CVE-2025-46573 - passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected specifically when the service provider is using `passport-wsfed-saml2` and a valid SAML Response signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-46573
Partager : LinkedIn / Twitter / Facebook

CVE-2025-46572 - passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP. Users are affected specifically when the service provider is using passport-wsfed-saml2 and a valid SAML document signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-46572
Partager : LinkedIn / Twitter / Facebook

CVE-2025-44899 - There is a stack overflow vulnerability in Tenda RX3 V1.0br_V16.03.13.11 In the fromSetWifiGusetBasic function of the web url /goform/ WifiGuestSet, the manipulation of the parameter shareSpeed leads to stack overflow.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-44899
Partager : LinkedIn / Twitter / Facebook

CVE-2025-44073 - SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_comment_news.php.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-44073
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45491 - Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-45491
Partager : LinkedIn / Twitter / Facebook

CVE-2025-40625 - Unrestricted file upload in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to upload any file within the server, even a malicious file to obtain a Remote Code Execution (RCE).
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-40625
Partager : LinkedIn / Twitter / Facebook

CVE-2025-2011 - The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the ‘s' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-2011
Partager : LinkedIn / Twitter / Facebook

CVE-2024-57235 - NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the iface parameter in the vif_enable function.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2024-57235
Partager : LinkedIn / Twitter / Facebook

CVE-2024-57234 - NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_cancel_wps function.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2024-57234
Partager : LinkedIn / Twitter / Facebook

CVE-2024-57233 - NETGEAR RAX5 (AX1600 WiFi Router) v1.0.2.26 was discovered to contain a command injection vulnerability via the iface parameter in the vif_disable function.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2024-57233
Partager : LinkedIn / Twitter / Facebook

CVE-2024-57232 - NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_wps_gen_pincode function.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2024-57232
Partager : LinkedIn / Twitter / Facebook

CVE-2024-57231 - NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pbc_wps function.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2024-57231
Partager : LinkedIn / Twitter / Facebook

CVE-2024-57230 - NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pin_wps function.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2024-57230
Partager : LinkedIn / Twitter / Facebook

CVE-2024-57229 - NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the devname parameter in the reset_wifi function.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2024-57229
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45322 - kashipara Online Service Management Portal V1.0 is vulnerable to SQL Injection in osms/Requester/CheckStatus.php via the checkid parameter.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-45322
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45321 - kashipara Online Service Management Portal V1.0 is vulnerable to SQL Injection in /osms/Requester/Requesterchangepass.php via the parameter: rPassword.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-45321
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45320 - A Directory Listing Vulnerability was found in the /osms/Requester/ directory of the Kashipara Online Service Management Portal V1.0.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-45320
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45042 - Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-45042
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4316 - Improper access control in PAM feature in Devolutions Server 2025.1.6.0 and earlier allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4316
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45751 - SourceCodester Web Based Pharmacy Product Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in add-admin.php via the Fullname text field.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-45751
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4271 - A vulnerability was found in TOTOLINK A720R 4.1.5cu.374. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument topicurl with the input showSyslog leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4271
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4270 - A vulnerability was found in TOTOLINK A720R 4.1.5cu.374. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi of the component Config Handler. The manipulation of the argument topicurl with the input getInitCfg/getSysStatusCfg leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4270
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4269 - A vulnerability was found in TOTOLINK A720R 4.1.5cu.374 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi of the component Log Handler. The manipulation of the argument topicurl with the input clearDiagnosisLog/clearSyslog/clearTracerouteLog leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4269
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4268 - A vulnerability has been found in TOTOLINK A720R 4.1.5cu.374 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument topicurl with the input RebootSystem leads to missing authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4268
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4267 - A vulnerability, which was classified as critical, was found in SourceCodester/oretnom23 Stock Management System 1.0. This affects an unknown part of the file /admin/?page=purchase_order/view_po of the component Purchase Order Details Page. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4267
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4266 - A vulnerability, which was classified as critical, has been found in PHPGurukul Notice Board System 1.0. Affected by this issue is some unknown functionality of the file /bwdates-reports-details.php?vid=2. The manipulation of the argument fromdate/tomdate leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4266
Partager : LinkedIn / Twitter / Facebook

CVE-2025-3583 - The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-3583
Partager : LinkedIn / Twitter / Facebook

CVE-2025-39363 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AlphaEfficiencyTeam Custom Login and Registration allows Stored XSS.This issue affects Custom Login and Registration: from n/a through 1.0.0.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-39363
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4265 - A vulnerability classified as critical was found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/contact-us.php. The manipulation of the argument mobnum leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4265
Partager : LinkedIn / Twitter / Facebook

CVE-2025-4264 - A vulnerability classified as critical has been found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Affected is an unknown function of the file /admin/edit-ambulance.php. The manipulation of the argument dconnum leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
07/05/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-4264
Partager : LinkedIn / Twitter / Facebook