Lucene search

4617 matches found

RedhatCVE
added 2025/11/06 7:54 a.m. | 10 views

CVE-2025-12677

The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...

CVSS 5.3 | AI score 6.1 | EPSS 0.00223
Exploits: 0 | References: 1

Tenable Nessus
added 2025/11/06 12:0 a.m. | 5 views

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990580)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-990580 advisory. In the Linux kernel, the following vulnerability has been resolved: crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak Using completion_done to determine whether the calle...

CVSS 5.5 | AI score 6 | EPSS 0.00237
Exploits: 0 | References: 4

Tenable Nessus
added 2025/11/06 12:0 a.m. | 1 view

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990555)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-990555 advisory. In the Linux kernel, the following vulnerability has been resolved: drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop There is a deadlock in...

CVSS 5.5 | AI score 5.7 | EPSS 0.00187
Exploits: 0 | References: 4

Tenable Nessus
added 2025/11/06 12:0 a.m. | 1 view

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990399)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-990399 advisory. In the Linux kernel, the following vulnerability has been resolved: drivers: usb: host: Fix deadlock in oxu_bus_suspend There is a deadlock in oxu_bus_suspend, which is...

CVSS 5.5 | AI score 5.9 | EPSS 0.00192
Exploits: 0 | References: 4

NVD
added 2025/11/05 8:15 a.m. | 4 views

CVE-2025-12675

The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update...

CVSS 4.3 | EPSS 0.00164
Exploits: 0 | References: 2

NVD
added 2025/11/05 8:15 a.m. | 4 views

CVE-2025-12677

The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...

CVSS 5.3 | EPSS 0.00223
Exploits: 0 | References: 2

NVD
added 2025/11/05 8:15 a.m. | 9 views

CVE-2025-12674

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...

CVSS 9.8 | EPSS 0.00684
Exploits: 2 | References: 2

NVD
added 2025/11/05 8:15 a.m. | 3 views

CVE-2025-12676

The KiotViet Sync plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attacke...

CVSS 5.3 | EPSS 0.00266
Exploits: 0 | References: 2

CVE
added 2025/11/05 7:27 a.m. | 13 views

CVE-2025-12675

CVE-2025-12675 concerns the KiotViet Sync WordPress plugin (versions up to and including 1.8.5). The vulnerability arises from a missing capability check in saveConfig(), allowing authenticated attackers with Subscriber-level access or higher to modify the plugin configuration. Multiple sources c...

CVSS 4.3 | AI score 4.7 | EPSS 0.00164
Exploits: 0 | References: 2

Vulnrichment
added 2025/11/05 7:27 a.m. | 2 views

CVE-2025-12674 KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...

CVSS 9.8 | AI score 7.2 | EPSS 0.00684
Exploits: 2 | References: 2

Vulnrichment
added 2025/11/05 7:27 a.m. | 5 views

CVE-2025-12676 KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass

The KiotViet Sync plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attacke...

CVSS 5.3 | AI score 6 | EPSS 0.00266
Exploits: 0 | References: 2

Vulnrichment
added 2025/11/05 7:27 a.m. | 2 views

CVE-2025-12675 KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update...

CVSS 4.3 | AI score 4.7 | EPSS 0.00164
Exploits: 0 | References: 2

Cvelist
added 2025/11/05 7:27 a.m. | 6 views

CVE-2025-12674 KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...

CVSS 9.8 | EPSS 0.00684
Exploits: 2 | References: 2

Cvelist
added 2025/11/05 7:27 a.m. | 7 views

CVE-2025-12675 KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update...

CVSS 4.3 | EPSS 0.00164
Exploits: 0 | References: 2

CVE
added 2025/11/05 7:27 a.m. | 15 views

CVE-2025-12676

CVE-2025-12676 concerns KiotViet Sync for WordPress (versions up to 1.8.5). According to multiple sources, the root cause is a hard-coded password used for authentication inside QueryControllerAdmin::authenticated, enabling unauthenticated attackers to create and sync products. Public details con...

CVSS 5.3 | AI score 6 | EPSS 0.00266
Exploits: 0 | References: 2

CVE
added 2025/11/05 7:27 a.m. | 33 views

CVE-2025-12674

KiotViet Sync plugin for WordPress (versions <= 1.8.5) is vulnerable to unauthenticated arbitrary file uploads due to missing file type validation in create_media(). This can allow uploading arbitrary files to the server and may enable remote code execution. A GitHub exploit exists (CVE-2025-1...

CVSS 9.8 | AI score 7.2 | EPSS 0.00684
Exploits: 2 | References: 2

Cvelist
added 2025/11/05 7:27 a.m. | 7 views

CVE-2025-12676 KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass

The KiotViet Sync plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attacke...

CVSS 5.3 | EPSS 0.00266
Exploits: 0 | References: 2

Vulnrichment
added 2025/11/05 7:27 a.m. | 3 views

CVE-2025-12677 KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure

The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...

CVSS 5.3 | AI score 5.7 | EPSS 0.00223
Exploits: 0 | References: 2

Cvelist
added 2025/11/05 7:27 a.m. | 8 views

CVE-2025-12677 KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure

The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...

CVSS 5.3 | EPSS 0.00223
Exploits: 0 | References: 2

CVE
added 2025/11/05 7:27 a.m. | 17 views

CVE-2025-12677

The KiotViet Sync WordPress plugin (versions up to and including 1.8.5) is vulnerable to Sensitive Information Exposure through register_api_route() in kiotvietsync/includes/public_actions/WebHookAction.php. Unauthenticated attackers can extract the webhook token value when configured. Public rep...

CVSS 5.3 | AI score 5.7 | EPSS 0.00223
Exploits: 0 | References: 2