4.8

CVSS4.0

CVE-2025-2308 - HDF5 Scale-Offset Filter H5Z__scaleoffset_decompress_one_byte heap-based overflow

A vulnerability, which was classified as critical, was found in HDF5 1.14.6. This affects the function H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclo…

📅 Published: March 14, 2025, 8:31 p.m. 🔄 Last Modified: March 14, 2025, 9:15 p.m.

6.4

CVSS4.0

CVE-2025-29782 - WeGIA Cross-Site Scripting (XSS) Stored in endpoint `adicionar_tipo_docs_atendido.php` parameter `t…

WeGIA is a Web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_tipo_docs_atendido.php` endpoint in versions of the WeGIA application prior to 3.2.17. This vulnerability allows attackers to inject malicious scripts into the `tipo` …

📅 Published: March 14, 2025, 7:05 p.m. 🔄 Last Modified: March 14, 2025, 7:15 p.m.

5.3

CVSS4.0

CVE-2025-29771 - HtmlSanitizer vulnerable to XSS when used with contentEditable

HtmlSanitizer is a client-side HTML Sanitizer. Versions prior to 2.0.3 have a cross-site scripting vulnerability when the sanitizer is used with a `contentEditable` element to set the element's `innerHTML` to a sanitized string produced by the package. If the code is particularly crafted to abuse th…

📅 Published: March 14, 2025, 6:56 p.m. 🔄 Last Modified: March 14, 2025, 7:15 p.m.

8.7

CVSS4.0

CVE-2024-12245 - Blind SQL Injection in Logout

Logout functionality contains a blind SQL injection that can be exploited by unauthenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain datab…

📅 Published: March 14, 2025, 6:11 p.m. 🔄 Last Modified: March 14, 2025, 6:15 p.m.

6.4

CVSS4.0

CVE-2024-12020 - Reflected Cross-Site Scripting (XSS)

There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. An unauthenticated attacker could deceive a user into clicking a crafted link to trigger the vulnerability. Stealing the session cookie is not possible due to cookie security flags, however the …

📅 Published: March 14, 2025, 6:09 p.m. 🔄 Last Modified: March 14, 2025, 6:15 p.m.

7.1

CVSS4.0

CVE-2024-12019 - Arbitrary File Read via Document API

The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with ‘read’ and ‘download’ privileges on at least one existing document in the application is required to exp…

📅 Published: March 14, 2025, 6:07 p.m. 🔄 Last Modified: March 14, 2025, 6:15 p.m.

8.7

CVSS4.0

CVE-2024-54449 - Remote Code Execution (RCE) via Arbitrary File Write In Document API

The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system. This can be used to facilitate RCE. An account with ‘read’ and ‘write’…

📅 Published: March 14, 2025, 6:04 p.m. 🔄 Last Modified: March 14, 2025, 6:15 p.m.

8.6

CVSS4.0

CVE-2024-54448 - Remote Code Execution (RCE) via Automation Scripting

The Automation Scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying operating system. An account with administrator privileges or that has been explicitly granted access to use Automation Scripting is needed to carry out the attack. Exploitation o…

📅 Published: March 14, 2025, 6:01 p.m. 🔄 Last Modified: March 14, 2025, 6:15 p.m.

7.1

CVSS4.0

CVE-2024-54447 - Blind SQLi in Saved Search

Saved search functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain d…

📅 Published: March 14, 2025, 5:57 p.m. 🔄 Last Modified: March 14, 2025, 6:15 p.m.

7.1

CVSS4.0

CVE-2024-54446 - Blind SQLi in Document History

Document history functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certa…

📅 Published: March 14, 2025, 5:53 p.m. 🔄 Last Modified: March 14, 2025, 6:15 p.m.