CVE-2025-2306
CVE-2025-2306 concerns an Improper Access Control in LIVE CONTRACT’s file download feature. The vulnerability allows an unauthenticated attacker who knows a document UUIDv4 to download sensitive documents, with the attack vector described as network and requiring no privileges or user interaction...
CVE-2025-2305
CVE-2025-2305 is a local file inclusion/path-traversal vulnerability affecting LIVE CONTRACT. The files download function allows unauthenticated users to download arbitrary files from the Linux server. Documented details indicate no exploitation status and no confirmed fix across the sources; PT ...
CVE-2025-0020
Violation of Secure Design Principles, Hidden Functionality, Incorrect Provision of Specified Functionality vulnerability in ArcGIS Authentication allows Privilege Abuse, Manipulating Hidden Fields, Configuration/Environment Manipulation. The ArcGIS client_credentials OAuth 2.0 API implementation...
PT-2025-21281 · Unknown · Phpgurukul Vehicle Record Management System
Name of the Vulnerable Software and Affected Versions: Phpgurukul Vehicle Record Management System version 1.0 Description: The issue allows attackers to execute arbitrary code via Cross Site Scripting XSS in the vehiclename, modelnumber, regnumber, vehiclesubtype, chasisnum, and enginenumber...
PT-2025-21327 · Ibm · Ibm Security Guardium
Name of the Vulnerable Software and Affected Versions: IBM Security Guardium version 11.5 Description: The issue allows a privileged user to embed arbitrary JavaScript code in the Web UI, potentially altering the intended functionality and leading to credentials disclosure within a trusted sessio...
PT-2025-21380 · WordPress · Wp-Reply Notify
Name of the Vulnerable Software and Affected Versions: WP-Reply Notify WordPress plugin versions 1.1 and earlier Description: The issue is related to the lack of a CSRF check when updating settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
PT-2025-21570 · Dumb Drop · Dumb Drop
Name of the Vulnerable Software and Affected Versions: DumbDrop versions prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b Description: The issue is related to a DOM cross-site scripting vulnerability in the upload functionality. A user could be tricked into uploading a file with a malicio...
CVE-2025-0020
Rejected reason: “This CVE ID is Rejected and will not be used. As the CNA of record ESRI has rejected this CVE as it is not a vulnerability”...
CVE-2025-0020
CVE-2025-0020 is marked as rejected in the initial entry, but connected documents describe a vulnerability in ArcGIS’s client_credentials OAuth 2.0 API implementation: it allows undocumented, custom token expiration, enabling privilege abuse and manipulation of hidden fields/configuration. Affect...
PT-2025-21233 · Samsung · Samsung Modem +1
Name of the Vulnerable Software and Affected Versions: Samsung Mobile Processor and Wearable Processor Exynos versions 980 through 9825 Samsung Mobile Processor and Wearable Processor Exynos versions 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110 Samsung Mobile Processor and...
Improper Access Control
com.baidu.mapp:brcc-core is vulnerable to Improper Access Control. The vulnerability is due to insufficient authorization checks: the /admin/ API accepts crafted requests that grant unauthorized access to admin functionality...
TeleMessage TM SGNL Hidden Functionality Vulnerability
TeleMessage TM SGNL contains a hidden functionality vulnerability in which the archiving backend holds cleartext copies of messages from TM SGNL application users...
CVE-2025-4547
A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Add User Page. The manipulation leads to cross site scripting. The attack may be launched remotely...
CVE-2024-25652
In Delinea PAM Secret Server 11.4, it is possible for a user assigned the "Administer Reports" permission, or with access to the Report functionality via UNLIMITED ADMIN MODE, to gain unauthorized access to remote sessions created by legitimate users through...
CVE-2025-4488
A vulnerability was found in itsourcecode Gym Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=deletepackage. The manipulation of the argument ID leads to sql injection. The attack can be launched...
CVE-2025-4470 SourceCodester Online Student Clearance System add-student.php cross site scripting
A vulnerability classified as problematic was found in SourceCodester Online Student Clearance System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add-student.php. The manipulation of the argument Fullname leads to cross site scripting. The attack can be...
CVE-2025-4470
CVE-2025-4470 affects SourceCodester Online Student Clearance System 1.0, where the vulnerability is in the file /admin/add-student.php. The manipulation of the Fullname parameter enables cross-site scripting (XSS). Exploitation can be performed remotely, and public exploitation has been disclose...
CVE-2025-4464
A vulnerability has been found in itsourcecode Gym Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=saveplan. The manipulation of the argument plan leads to sql injection. The attack can be launched remotely...
Exploit for Missing Authorization in Oliverpos Oliver_Pos
Oliver POS – A WooCommerce Point of Sale POS = 2.4.2.3 - Se...