CVE Feeds
CVE News Feed
Updates on the latest vulnerabilities detected.
CVE-2025-13187 - Intelbras ICIP acessodeusuario.xml credentials storage
CVE ID :CVE-2025-13187
Published : Nov. 14, 2025, 10:15 p.m. | 55 minutes ago
Description :A security vulnerability has been detected in Intelbras ICIP 2.0.20. Affected is an unknown function of the file /xml/sistema/acessodeusuario.xml. Such manipulation of the argument NomeUsuario/SenhaAcess leads to unprotected storage of credentials. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13186 - Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution manage_customer cross site scripting
CVE ID :CVE-2025-13186
Published : Nov. 14, 2025, 10:15 p.m. | 55 minutes ago
Description :A weakness has been identified in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution up to 4.0. This impacts an unknown function of the file /dashboard/Ccustomer/manage_customer. This manipulation of the argument Search causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-64084 - Cloudlog SQL Injection
CVE ID :CVE-2025-64084
Published : Nov. 14, 2025, 9:15 p.m. | 1 hour, 55 minutes ago
Description :An authenticated SQL injection vulnerability exists in Cloudlog 2.7.5 and earlier. The vucc_details_ajax function in application/controllers/Awards.php does not properly sanitize the user-supplied Gridsquare POST parameter. This allows a remote, authenticated attacker to execute arbitrary SQL commands by injecting a malicious payload, which is then concatenated directly into a raw SQL query in the vucc_qso_details function.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
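The pattern the Cloudlog entry describes (a POST parameter concatenated into raw SQL) is easiest to see with the vulnerable and the parameterized form side by side. This is an added example written for this feed, not Cloudlog's code: the table, column and station names are assumptions, and only the Gridsquare parameter name comes from the advisory. It runs against an in-memory SQLite database with constructed rows.

```python
"""Added example (not Cloudlog code): string-built SQL vs. bound parameters.
Table/column names are assumptions; only 'Gridsquare' is from the advisory."""
import sqlite3


def make_db():
    # Constructed sample data standing in for a QSO log and a user table (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE qsos (id INTEGER PRIMARY KEY, callsign TEXT, "
                "gridsquare TEXT, station_id INTEGER)")
    con.executemany(
        "INSERT INTO qsos (callsign, gridsquare, station_id) VALUES (?, ?, ?)",
        [("W1AW", "FN31", 1), ("G4ABC", "IO91", 1), ("VK2XYZ", "QF56", 2)],
    )
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('admin', '$2y$10$constructedhash')")
    return con


def vucc_details_vulnerable(con, gridsquare, station_id=1):
    # Mirrors the flawed pattern: the request parameter is spliced into the query text,
    # so quote characters in it change the statement instead of the compared value.
    sql = ("SELECT callsign, gridsquare FROM qsos "
           "WHERE station_id = %d AND gridsquare = '%s'" % (station_id, gridsquare))
    return con.execute(sql).fetchall()


def vucc_details_fixed(con, gridsquare, station_id=1):
    # Bound parameters: the payload is compared as a literal string and never parsed as SQL.
    sql = "SELECT callsign, gridsquare FROM qsos WHERE station_id = ? AND gridsquare = ?"
    return con.execute(sql, (station_id, gridsquare)).fetchall()


# Constructed payloads: a tautology that drops the station filter, and a UNION that
# pulls rows out of an unrelated table through the same two result columns.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT username, password FROM users -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", vucc_details_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union:    ", vucc_details_vulnerable(db, UNION_PAYLOAD))
    print("fixed, tautology:     ", vucc_details_fixed(db, TAUTOLOGY_PAYLOAD))
```

The fixed variant is not a sanitizer; it changes where the boundary between code and data is drawn, which is why it holds regardless of the payload. In CodeIgniter, the same effect comes from `$this->db->query($sql, [$gridsquare])` with a `?` placeholder, or from the query builder, rather than from escaping by hand.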
CVE-2025-63891 - SourceCodester Simple Online Book Store System Database Disclosure
CVE ID :CVE-2025-63891
Published : Nov. 14, 2025, 9:15 p.m. | 1 hour, 55 minutes ago
Description :Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET request to /obs/database/obs_db.sql.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
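A practitioner's first question on an entry like the one above is whether the dump is actually reachable, as opposed to a soft 404 that returns 200 with an HTML page. The following check is an added example, not SourceCodester code: only the /obs/database/obs_db.sql path comes from the advisory; the host, the extra candidate paths and the dump markers are assumptions.

```python
"""Added example: confirm that a web-exposed SQL dump is really served.
Only /obs/database/obs_db.sql is from the advisory; everything else is assumed."""
import urllib.error
import urllib.request

# Markers a real dump carries near its start; a soft-404 HTML page will not.
DUMP_MARKERS = (b"-- phpMyAdmin SQL Dump", b"-- MySQL dump", b"CREATE TABLE", b"INSERT INTO")

CANDIDATE_PATHS = [
    "/obs/database/obs_db.sql",   # path named in the advisory
    "/database/obs_db.sql",       # assumed: app deployed at the web root
    "/obs_db.sql",                # assumed: dump copied next to index
    "/backup.sql",                # assumed: generic backup name
]


def http_get(url, limit=4096):
    """Fetch at most `limit` bytes. Returns (status, body); (None, b'') on transport error."""
    req = urllib.request.Request(url, headers={"User-Agent": "backup-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read(limit)
    except urllib.error.HTTPError as e:
        return e.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def looks_like_sql_dump(body):
    """True when the first bytes contain SQL dump markers rather than HTML."""
    return any(marker in body[:4096] for marker in DUMP_MARKERS)


def check_backup_exposure(base_url, paths, fetch=http_get):
    """Return the candidate paths that answer 200 with a body that is really a dump."""
    exposed = []
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        if status == 200 and looks_like_sql_dump(body):
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    # Assumed target; only run this against a host you are authorised to test.
    print(check_backup_exposure("http://target.example", CANDIDATE_PATHS))
```

The same function doubles as a regression test after the fix: the dump should move outside the document root (or the directory should deny serving `.sql`), and the check should come back empty. Reading only the first few kilobytes keeps the probe cheap and avoids pulling a full credential-bearing dump onto the tester's machine.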
CVE-2025-63745 - Radare2 NULL Pointer Dereference Vulnerability
CVE ID :CVE-2025-63745
Published : Nov. 14, 2025, 9:15 p.m. | 1 hour, 55 minutes ago
Description :A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. A crafted binary input can trigger a segmentation fault, leading to a denial of service when the tool processes malformed data.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-63744 - Radare2 NULL Pointer Dereference Vulnerability
CVE ID :CVE-2025-63744
Published : Nov. 14, 2025, 9:15 p.m. | 1 hour, 55 minutes ago
Description :A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the load() function of bin_dyldcache.c. Processing a crafted file can cause a segmentation fault and crash the program.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13185 - Bdtask/CodeCanyon News365 profile unrestricted upload
CVE ID :CVE-2025-13185
Published : Nov. 14, 2025, 9:15 p.m. | 1 hour, 55 minutes ago
Description :A security flaw has been discovered in Bdtask/CodeCanyon News365 up to 7.0.3. This affects an unknown function of the file /admin/dashboard/profile. The manipulation of the argument profile_image/banner_image results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13182 - pojoin h3blog addtitle cross site scripting
CVE ID :CVE-2025-13182
Published : Nov. 14, 2025, 9:15 p.m. | 1 hour, 55 minutes ago
Description :A vulnerability was identified in pojoin h3blog 1.0. The impacted element is an unknown function of the file /admin/cms/category/addtitle. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-63701 - Advantech TP-3250 Printer Driver Heap Corruption Vulnerability
CVE ID :CVE-2025-63701
Published : Nov. 14, 2025, 8:15 p.m. | 2 hours, 55 minutes ago
Description :A heap corruption vulnerability exists in the Advantech TP-3250 printer driver's DrvUI_x64_ADVANTECH.dll (v0.3.9200.20789) when DocumentPropertiesW() is called with a valid dmDriverExtra value but an undersized output buffer. The driver incorrectly assumes the output buffer size matches the input buffer size, leading to invalid memory operations and heap corruption. This vulnerability can cause denial of service through application crashes and potentially lead to code execution in user space. Local access is required to exploit this vulnerability.
Severity: 6.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13181 - pojoin h3blog add cross site scripting
CVE ID :CVE-2025-13181
Published : Nov. 14, 2025, 8:15 p.m. | 2 hours, 55 minutes ago
Description :A vulnerability was determined in pojoin h3blog 1.0. The affected element is an unknown function of the file /admin/cms/material/add. Executing manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13180 - Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System edit_profile cross site scripting
CVE ID :CVE-2025-13180
Published : Nov. 14, 2025, 8:15 p.m. | 2 hours, 55 minutes ago
Description :A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. Impacted is an unknown function of the file /edit_profile. Performing manipulation of the argument first_name/last_name results in basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13179 - Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System cross-site request forgery
CVE ID :CVE-2025-13179
Published : Nov. 14, 2025, 8:15 p.m. | 2 hours, 55 minutes ago
Description :A vulnerability has been found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. This issue affects some unknown processing. Such manipulation leads to cross-site request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13033 - Nodemailer: nodemailer: email to an unintended domain can occur due to interpretation conflict
CVE ID :CVE-2025-13033
Published : Nov. 14, 2025, 8:15 p.m. | 2 hours, 55 minutes ago
Description :A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
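The interpretation conflict in the Nodemailer entry is that a quoted local part can contain an `@`, so a filter that reads the first `@` sees one domain while the mail transport delivers to the domain after the last unquoted `@`. The code below is an added example, not Nodemailer's parser; the address shape it uses is an assumption about the class of input the advisory describes.

```python
"""Added example (not Nodemailer code): a naive domain check vs. the domain
an RFC 5322-aware parser uses. The crafted address shape is an assumption."""
import re


def naive_domain(addr):
    """What a simplistic filter does: take the text after the first '@'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else None


def delivery_domain(addr):
    """Domain after the last '@' that sits outside a quoted-string, or None if
    the quotes are unbalanced or no unquoted '@' exists."""
    in_quotes = False
    last_at = -1
    i = 0
    while i < len(addr):
        c = addr[i]
        if c == "\\" and in_quotes:
            i += 2          # skip an escaped character inside the quoted-string
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "@" and not in_quotes:
            last_at = i
        i += 1
    if in_quotes or last_at < 0:
        return None
    return addr[last_at + 1:].lower()


def recipient_allowed(addr, allowed_domains):
    """Accept only when the real delivery domain is allowed AND the naive reading
    agrees with it, so an address that reads two ways is rejected outright."""
    real = delivery_domain(addr)
    return real is not None and real in allowed_domains and naive_domain(addr) == real


ALLOWED = {"internal.example"}
# Constructed addresses: one benign, one that embeds the internal address in quotes.
BENIGN = "alice@internal.example"
CRAFTED = '"alice@internal.example"@attacker.example'

if __name__ == "__main__":
    for a in (BENIGN, CRAFTED):
        print(a, "| naive:", naive_domain(a), "| real:", delivery_domain(a),
              "| allowed:", recipient_allowed(a, ALLOWED))
```

Rejecting any address whose two readings disagree is the safe default for an allowlist: it does not depend on guessing which parser the downstream MTA uses. The same rule should be applied to every header that carries addresses (To, Cc, Bcc, Reply-To), not only the one the caller fills in.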
CVE-2025-63680 - Nero BackItUp ShellExecuteW Path Traversal Vulnerability
CVE ID :CVE-2025-63680
Published : Nov. 14, 2025, 7:16 p.m. | 3 hours, 55 minutes ago
Description :Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw (CWE-22) that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted entry. By creating a trailing-dot folder and placing a same-basename script, Nero BackItUp renders the file as a folder icon and then invokes ShellExecuteW, which executes the script via PATHEXT fallback (.COM/.EXE/.BAT/.CMD). The issue affects recent Nero BackItUp product lines (2019-2025 and earlier) and has been acknowledged by the vendor.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-63291 - Alteryx MongoDB Object ID Authorization Bypass
CVE ID :CVE-2025-63291
Published : Nov. 14, 2025, 7:16 p.m. | 3 hours, 55 minutes ago
Description :When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying particular MongoDB object IDs, callers could obtain records for other users without proper authorization. Records retrievable using this attack included administrative API keys and private studio API keys.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13178 - Bdtask/CodeCanyon SalesERP User Profile edit_profile cross site scripting
CVE ID :CVE-2025-13178
Published : Nov. 14, 2025, 7:15 p.m. | 3 hours, 55 minutes ago
Description :A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13177 - Bdtask/CodeCanyon SalesERP cross-site request forgery
CVE ID :CVE-2025-13177
Published : Nov. 14, 2025, 7:15 p.m. | 3 hours, 55 minutes ago
Description :A vulnerability was detected in Bdtask/CodeCanyon SalesERP up to 20250728. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13174 - rachelos WeRSS we-mp-rss Webhook mps.py do_job server-side request forgery
CVE ID :CVE-2025-13174
Published : Nov. 14, 2025, 7:15 p.m. | 3 hours, 55 minutes ago
Description :A weakness has been identified in rachelos WeRSS we-mp-rss up to 1.4.7. Affected by this vulnerability is the function do_job of the file /rachelos/we-mp-rss/blob/main/jobs/mps.py of the component Webhook Module. Executing manipulation of the argument web_hook_url can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made available to the public and could be exploited.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
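For the webhook SSRF above, the control a practitioner wants is validation of the user-supplied URL before the server fetches it: restrict the scheme, resolve the host, and refuse anything that lands on loopback, private, link-local (cloud metadata) or otherwise internal address space. This is an added example, not we-mp-rss code; only the web_hook_url parameter name is from the advisory, and the policy is an assumption.

```python
"""Added example (not we-mp-rss code): validate a webhook URL before fetching it.
The policy (schemes, blocked ranges, no embedded credentials) is an assumption."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """All addresses for `host` as ipaddress objects. Literals skip DNS entirely."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_forbidden_address(ip):
    """Loopback, RFC 1918/ULA, link-local (169.254.169.254 metadata), unspecified,
    multicast and reserved space. IPv4-mapped IPv6 is judged as its IPv4 form."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def validate_webhook_url(url, resolve=resolve_all):
    """Return (ok, reason). Every address the host resolves to must be acceptable."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or credentials embedded in URL"
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, ValueError, KeyError):
        return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if is_forbidden_address(ip):
            return False, "resolves to internal address %s" % ip
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; literal addresses need no network to evaluate.
    for u in ("http://127.0.0.1:8000/admin", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "file:///etc/passwd", "http://user:pw@203.0.113.9/"):
        print(u, "->", validate_webhook_url(u))
```

Two caveats belong with this check. Validating at save time is not enough against DNS rebinding: the fetch must connect to the address that was validated (pin it, or validate again in the connection hook) and must re-run the check on every redirect. And a job runner that fires webhooks should also cap timeouts and response size, since SSRF is often used to turn the server into a slow, internal port scanner.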
CVE-2025-12187 - Apache HTTP Server Remote Code Execution Vulnerability
CVE ID :CVE-2025-12187
Published : Nov. 14, 2025, 7:15 p.m. | 3 hours, 55 minutes ago
Description :Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-63830 - CKFinder SVG XSS
CVE ID :CVE-2025-63830
Published : Nov. 14, 2025, 6:15 p.m. | 4 hours, 55 minutes ago
Description :CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
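SVG is XML, so an upload handler can inspect it rather than trusting the extension. The scanner below is an added example and not CKFinder code; the list of what it rejects (script and foreign-content elements, event-handler attributes, javascript:/data:text URLs, href animation, external `<use>` targets) is an assumption about a reasonable policy, and the sample files are constructed.

```python
"""Added example (not CKFinder code): flag active content in an uploaded SVG.
The rejection list is an assumed policy, not a complete XSS filter."""
import xml.etree.ElementTree as ET

MAX_BYTES = 2 * 1024 * 1024
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}


def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data):
    """Return a list of findings for the SVG bytes; an empty list means nothing was flagged."""
    findings = []
    if len(data) > MAX_BYTES:
        return ["file exceeds %d bytes" % MAX_BYTES]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return ["not well-formed XML: %s" % e]
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append("element <%s>" % tag)
        # <set>/<animate> can rewrite href to a javascript: URL after load.
        if tag in ("set", "animate") and \
                el.attrib.get("attributeName", "").lower() in ("href", "xlink:href"):
            findings.append("<%s> animating href" % tag)
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append("event handler %s on <%s>" % (name, tag))
            elif name == "href":                     # covers both href and xlink:href
                v = value.strip().lower()
                scheme = v.split(":", 1)[0] if ":" in v else ""
                if scheme in ("javascript", "vbscript") or v.startswith("data:text"):
                    findings.append("%s URL on <%s>" % (scheme or "data", tag))
                elif tag == "use" and not v.startswith("#"):
                    findings.append("external <use> reference")
    return findings


# Constructed samples: one carrying several active-content vectors, one plain drawing.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(2)"><text y="20">click</text></a>
  <set attributeName="href" to="javascript:alert(3)"/>
</svg>"""
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')

if __name__ == "__main__":
    print("malicious:", svg_active_content(MALICIOUS_SVG))
    print("clean:    ", svg_active_content(CLEAN_SVG))
```

Content inspection is one layer; the other is how the file is served. Uploads should come back with `Content-Disposition: attachment` or from a separate origin that carries no session, and a `Content-Security-Policy: sandbox` header on the upload origin keeps an SVG that slips through from running script in the application's origin.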
Information
Vortech Consulting is a network security and design consulting firm originally founded in 1997. Over our nearly 30-year history we have provided security services and products for a wide variety of companies around the globe.