CVE-2025-63334 - PocketVJ CP Shell Command Injection
Published: Wed, 05 Nov 2025 20:15:36 +0000
CVE ID : CVE-2025-63334
Published : Nov. 5, 2025, 8:15 p.m.
Description : PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges on the underlying system.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10853 - Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding
Published: Wed, 05 Nov 2025 20:15:32 +0000
CVE ID : CVE-2025-10853
Published : Nov. 5, 2025, 8:15 p.m.
Description : A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.
Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.
Severity: 5.2 | MEDIUM
CVE-2025-63418 - A DOM-based Cross-Site Scripting (XSS) vulnerabili
Published: Wed, 05 Nov 2025 19:16:04 +0000
CVE ID : CVE-2025-63418
Published : Nov. 5, 2025, 7:16 p.m.
Description : A DOM-based Cross-Site Scripting (XSS) vulnerability in the SelfBest platform 2023.3 allows attackers to execute arbitrary JavaScript in the context of a logged-in user's session by injecting payloads via the browser's developer console. The vulnerability arises from the application's client-side code being susceptible to direct DOM manipulation without adequate sanitization or a Content Security Policy (CSP), potentially leading to account takeover and data theft.
Severity: 0.0 | NA
CVE-2025-63417 - SelfBest Stored Cross-Site Scripting (XSS)
Published: Wed, 05 Nov 2025 19:16:04 +0000
CVE ID : CVE-2025-63417
Published : Nov. 5, 2025, 7:16 p.m.
Description : A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated attackers to inject arbitrary web scripts or HTML via the chat message input field. This malicious content is stored and then executed in the context of other users' browsers when they view the malicious message, potentially leading to session hijacking, account takeover, or other client-side attacks.
Severity: 0.0 | NA
CVE-2025-63416 - SelfBest Stored Cross-Site Scripting (XSS)
Published: Wed, 05 Nov 2025 19:16:02 +0000
CVE ID : CVE-2025-63416
Published : Nov. 5, 2025, 7:16 p.m.
Description : ** exclusively-hosted-service ** A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute arbitrary JavaScript in the context of other users' sessions. This can be exploited to access administrative data and functions, leading to privilege escalation and full compromise of sensitive user data, as demonstrated by the ability to fetch and exfiltrate the contents of the /admin/users endpoint.
Severity: 9.1 | CRITICAL
CVE-2025-5770 - Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2 Products
Published: Wed, 05 Nov 2025 19:16:01 +0000
CVE ID : CVE-2025-5770
Published : Nov. 5, 2025, 7:16 p.m.
Description : A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks.
Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector.
Severity: 6.1 | MEDIUM
CVE-2025-56232 - GOG Galaxy Missing SSL Certificate Validation
Published: Wed, 05 Nov 2025 19:16:01 +0000
CVE ID : CVE-2025-56232
Published : Nov. 5, 2025, 7:16 p.m.
Description : GOG Galaxy 2.0.0.2 suffers from Missing SSL Certificate Validation. An attacker who controls the local network, DNS, or a proxy can perform a man-in-the-middle (MitM) attack to intercept update requests and replace installer or update packages with malicious files.
Severity: 0.0 | NA
CVE-2025-55343 - Quipux SQL Injection Vulnerability
Published: Wed, 05 Nov 2025 19:16:01 +0000
CVE ID : CVE-2025-55343
Published : Nov. 5, 2025, 7:16 p.m.
Description : Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks via busqueda/busqueda.php txt_depe_codi, busqueda/busqueda.php txt_usua_codi, anexos_lista.php radi_temp, Administracion/listas/formArea_ajax.php codDepe, Administracion/listas/formDepeHijo_ajax.php codDepe, Administracion/listas/formDepePadre_ajax.php codInst, asociar_documentos/asociar_borrar_referencia.php radi_nume, asociar_documentos/asociar_documento_buscar_query.php radi_nume, asociar_documentos/asociar_documento_grabar.php txt_radi_nume, asociar_documentos/asociar_documento radi_nume, radicacion/buscar_usuario.php buscar_tipo, radicacion/formArea_ajax.php codDepe, radicacion/formDepeHijo_ajax.php codDepe, radicacion/formDepePadre_ajax.php codInst, radicacion/ver_datos_usuario.php destinatorio, reportes/reporte_TraspasoDocFisico.php verrad, tx/datos_imprimir_sobre.php txt_usua_codi, tx/datos_imprimir_sobre.php nume_radi_temp, tx/revertir_firma_digital_grabar.php txt_radi_nume, tx/tx_borrar_opcion_imp.php codigo_opc, tx/tx_realizar_tx.php txt_radicados, tx/tx_seguridad_documentos.php txt_radicados, or uploadFiles/cargar_doc_digitalizado_paginador.php txt_depe_codi.
Severity: 9.9 | CRITICAL
CVE-2025-55342 - Quipux 4.0.1 through e1774ac allows enumeration of
Published: Wed, 05 Nov 2025 19:16:01 +0000
CVE ID : CVE-2025-55342
Published : Nov. 5, 2025, 7:16 p.m.
Description : Quipux 4.0.1 through e1774ac allows enumeration of usernames and access to the Ecuadorian identification number of all registered users via the Administracion/usuarios/cambiar_password_olvido_validar.php txt_login parameter.
Severity: 0.0 | NA
CVE-2025-55341 - Quipux Cross Site Scripting (XSS)
Published: Wed, 05 Nov 2025 19:16:01 +0000
CVE ID : CVE-2025-55341
Published : Nov. 5, 2025, 7:16 p.m.
Description : Cross Site Scripting vulnerability in Quipux 4.0.1 through e1774ac allows anexos/anexos_nuevo.php asocImgRad.
Severity: 0.0 | NA
CVE-2025-43418 - Apple iOS Locked Device Information Disclosure Vulnerability
Published: Wed, 05 Nov 2025 19:15:53 +0000
CVE ID : CVE-2025-43418
Published : Nov. 5, 2025, 7:15 p.m.
Description : This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An attacker with physical access to a locked device may be able to view sensitive user information.
Severity: 4.6 | MEDIUM
CVE-2025-31954 - HCL iAutomate is susceptible to a sensitive information disclosure
Published: Wed, 05 Nov 2025 19:15:51 +0000
CVE ID : CVE-2025-31954
Published : Nov. 5, 2025, 7:15 p.m.
Description : HCL iAutomate v6.5.1 and v6.5.2 are susceptible to a sensitive information disclosure. An HTTP GET method is used to process a request and includes sensitive information in the query string of that request. An attacker could potentially access information or resources they were not intended to see.
Severity: 5.4 | MEDIUM
CVE-2025-12745 - QuickJS quickjs.c js_array_buffer_slice buffer over-read
Published: Wed, 05 Nov 2025 19:15:50 +0000
CVE ID : CVE-2025-12745
Published : Nov. 5, 2025, 7:15 p.m.
Description : A weakness has been identified in QuickJS up to eb2c89087def1829ed99630cb14b549d7a98408c. This affects the function js_array_buffer_slice of the file quickjs.c. This manipulation causes a buffer over-read. The attack is restricted to local execution. The exploit has been made available to the public and could be exploited. This product adopts a rolling release strategy to maintain continuous delivery. Patch name: c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea. To fix this issue, it is recommended to deploy a patch.
Severity: 5.3 | MEDIUM
CVE-2025-11093 - Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS)
Published: Wed, 05 Nov 2025 19:15:49 +0000
CVE ID : CVE-2025-11093
Published : Nov. 5, 2025, 7:15 p.m.
Description : An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.
By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.
Severity: 8.4 | HIGH
CVE-2023-43000 - Safari Use-After-Free Vulnerability
Published: Wed, 05 Nov 2025 19:15:47 +0000
CVE ID : CVE-2023-43000
Published : Nov. 5, 2025, 7:15 p.m.
Description : A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6. Processing maliciously crafted web content may lead to memory corruption.
Severity: 8.8 | HIGH
CVE-2025-56231 - Tonec Internet Download Manager SSL Certificate Validation Bypass
Published: Wed, 05 Nov 2025 18:15:33 +0000
CVE ID : CVE-2025-56231
Published : Nov. 5, 2025, 6:15 p.m.
Description : Tonec Internet Download Manager 6.42.41.1 and earlier suffers from Missing SSL Certificate Validation, which allows attackers to bypass update protections.
Severity: 0.0 | NA
CVE-2025-10907 - Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution
Published: Wed, 05 Nov 2025 18:15:33 +0000
CVE ID : CVE-2025-10907
Published : Nov. 5, 2025, 6:15 p.m.
Description : An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.
Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.
Severity: 8.4 | HIGH
CVE-2025-10713 - XML External Entity (XXE) Vulnerability in Multiple WSO2 Products Due to Improper XML Parser Configuration
Published: Wed, 05 Nov 2025 18:15:32 +0000
CVE ID : CVE-2025-10713
Published : Nov. 5, 2025, 6:15 p.m.
Description : An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.
A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
Severity: 6.5 | MEDIUM
CVE-2025-63248 - DWSurvey IDOR (Insufficient Access Control)
Published: Wed, 05 Nov 2025 17:15:45 +0000
CVE ID : CVE-2025-63248
Published : Nov. 5, 2025, 5:15 p.m.
Description : DWSurvey 6.14.0 is vulnerable to Incorrect Access Control. When deleting a questionnaire, replacing the questionnaire ID with the ID of another questionnaire can enable the deletion of other questionnaires.
Severity: 7.5 | HIGH
CVE-2025-59716 - ownCloud Guests Unauthenticated User Enumeration
Published: Wed, 05 Nov 2025 17:15:44 +0000
CVE ID : CVE-2025-59716
Published : Nov. 5, 2025, 5:15 p.m.
Description : ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user.
Severity: 0.0 | NA
CVE-2025-57244 - OpenKM Community Edition Stored Cross-Site Scripting (XSS)
Published: Wed, 05 Nov 2025 17:15:44 +0000
CVE ID : CVE-2025-57244
Published : Nov. 5, 2025, 5:15 p.m.
Description : OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scripting (XSS) in the user account creation interface. The Name field accepts script tags, and the Email field is vulnerable when the POST request is modified to include encoded script tags, bypassing frontend validation.
Severity: 5.4 | MEDIUM
CVE-2025-46424 - Dell CloudLink Cryptographic Primitive with Risky Implementation Vulnerability
Published: Wed, 05 Nov 2025 17:15:42 +0000
CVE ID : CVE-2025-46424
Published : Nov. 5, 2025, 5:15 p.m.
Description : Dell CloudLink, versions prior to 8.2, contains a Use of a Cryptographic Primitive with a Risky Implementation vulnerability. A high-privileged attacker could potentially exploit this vulnerability, leading to denial of service.
Severity: 6.7 | MEDIUM
CVE-2025-46366 - Dell CloudLink Privilege Escalation and Database Access Vulnerability
Published: Wed, 05 Nov 2025 17:15:42 +0000
CVE ID : CVE-2025-46366
Published : Nov. 5, 2025, 5:15 p.m.
Description : Dell CloudLink, versions prior to 8.1.1, contains a vulnerability where a privileged user may exploit it to gain parallel privilege escalation or access to the database to obtain confidential information.
Severity: 6.7 | MEDIUM
CVE-2025-46365 - Dell CloudLink Command Injection Vulnerability
Published: Wed, 05 Nov 2025 17:15:42 +0000
CVE ID : CVE-2025-46365
Published : Nov. 5, 2025, 5:15 p.m. | 3 hours, 19 minutes ago
Description : Dell CloudLink, versions prior to 8.1.1, contains a Command Injection vulnerability which can be exploited by an authenticated attacker to perform command injection on an affected Dell CloudLink system.
Severity: 5.3 | MEDIUM
CVE-2025-46364 - Dell CloudLink, versions prior to 8.1.1, contain a
Published: Wed, 05 Nov 2025 17:15:41 +0000
CVE ID : CVE-2025-46364
Published : Nov. 5, 2025, 5:15 p.m.
Description : Dell CloudLink, versions prior to 8.1.1, contains a vulnerability where a privileged user with a known password can exploit a CLI escape vulnerability to gain control of the system.
Severity: 9.1 | CRITICAL
