6
CVE-2025-24961 - Insecure path traversal in filesystem and filesystem-nio2 storage backends in org.gaul S3Proxy
org.gaul S3Proxy implements the S3 API and proxies requests. Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to users. This issue has been addressed in version 2.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerab…
7.6
CVE-2024-12511 - SMB/FTP Address Book Scan Pass-back attack
With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access.
8.8
CVE-2024-12859 - BoomBox Theme Extensions <= 1.8.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode
The BoomBox Theme Extensions plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.8.0 via the 'boombox_listing' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and …
4.3
CVE-2024-11134 - Eventer <= 3.9.9 - Missing Authorization to Authenticated (Subscriber+) Bookings Export
The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventer_export_bookings_csv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level permissions or above, t…
6.4
CVE-2024-11132 - Eventer <= 3.9.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Eventer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level an…
5.3
CVE-2024-11133 - Eventer <= 3.9.9.5 - Missing Authorization to Unauthenticated Event Ticket Download
The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_pdf_download_request' function in all versions up to, and including, 3.9.9.5. This makes it possible for unauthenticated attackers to download event tickets.
6.7
CVE-2024-12510 - LDAP Authentication Server Pass-back attack
If LDAP settings are accessed, authentication could be redirected to another server, potentially exposing credentials. This requires admin access and an active LDAP setup.
6.3
CVE-2025-24898 - rust openssl ssl::select_next_proto use after free
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `server` buffer's lifetime is shorter…
7.2
CVE-2024-56161 - kernel: hw:amd: Vulnerability in guest VM protected by SEV when loading malicious firmware
Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.
7.8
CVE-2024-49843 - Improper Validation of Array Index in Graphics_Linux
Memory corruption while processing IOCTL from user space to handle GPU AHB bus error.