Search Results (15954 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-34192 4 Apple, Linux, Printerlogic and 1 more 6 Macos, Linux Kernel, Vasion Print and 3 more 2025-11-17 9.8 Critical
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.893 and Application versions prior to 20.0.2140 (macOS/Linux client deployments) are built against OpenSSL 1.0.2h-fips (released May 2016), which has been end-of-life since 2019 and is no longer supported by the OpenSSL project. Continued use of this outdated cryptographic library exposes deployments to known vulnerabilities that are no longer patched, weakening the overall security posture. Affected daemons may emit deprecation warnings and rely on cryptographic components with unresolved security flaws, potentially enabling attackers to exploit weaknesses in TLS/SSL processing or cryptographic operations. This vulnerability has been identified by the vendor as: V-2023-021 — Out-of-Date OpenSSL Library.
CVE-2024-38475 4 Apache, Netapp, Redhat and 1 more 19 Http Server, Ontap 9, Enterprise Linux and 16 more 2025-11-17 9.1 Critical
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
CVE-2021-47694 1 Nagios 2 Nagios Xi, Xi 2025-11-17 6.1 Medium
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.4 / Nagios XI 5.8.6 contains a reflected cross-site scripting (XSS) vulnerability via the Test Command functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
CVE-2024-10441 1 Synology 2 Beestation Os, Diskstation Manager 2025-11-17 9.8 Critical
Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2024-50629 1 Synology 2 Beestation Os, Diskstation Manager 2025-11-17 5.3 Medium
Improper encoding or escaping of output vulnerability in the webapi component in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allow remote attackers to read limited files via unspecified vectors.
CVE-2025-46370 1 Dell 1 Alienware Command Center 2025-11-17 3.3 Low
Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain a Process Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Disclosure.
CVE-2021-33624 2 Debian, Linux 2 Debian Linux, Linux Kernel 2025-11-11 4.7 Medium
In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.
CVE-2025-12114 2 Azure-access, Azure Access Technology 6 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 3 more 2025-11-10 5.5 Medium
Enabled serial console could potentially leak information that might help attacker to find vulnerabilities.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CVE-2020-29557 1 Dlink 6 Dir-825, Dir-825\/a, Dir-825\/ac and 3 more 2025-11-07 9.8 Critical
An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution.
CVE-2025-12104 2 Azure-access, Azure Access Technology 6 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 3 more 2025-11-07 9.8 Critical
Outdated and Vulnerable UI Dependencies might potentially lead to exploitation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CVE-2019-16928 4 Canonical, Debian, Exim and 1 more 4 Ubuntu Linux, Debian Linux, Exim and 1 more 2025-11-07 9.8 Critical
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
CVE-2018-7445 1 Mikrotik 1 Routeros 2025-11-07 9.8 Critical
A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27 are vulnerable.
CVE-2025-2915 1 Hdfgroup 1 Hdf5 2025-11-07 3.3 Low
A vulnerability classified as problematic was found in HDF5 up to 1.14.6. This vulnerability affects the function H5F__accum_free of the file src/H5Faccum.c. The manipulation of the argument overlap_size leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
CVE-2023-40661 2 Opensc Project, Redhat 2 Opensc, Enterprise Linux 2025-11-06 5.4 Medium
Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.
CVE-2024-0690 2 Fedoraproject, Redhat 8 Fedora, Ansible, Ansible Automation Platform and 5 more 2025-11-06 5 Medium
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
CVE-2025-59476 1 Jenkins 1 Jenkins 2025-11-04 5.3 Medium
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.
CVE-2025-54813 1 Apache 1 Log4cxx 2025-11-04 7.5 High
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them. This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.
CVE-2025-54812 1 Apache 1 Log4cxx 2025-11-04 5.4 Medium
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur: * Log4cxx is configured to use HTMLLayout. * Logger name comes from an untrusted string * Logger with compromised name logs a message * User opens the generated HTML log file in their browser, leading to potential XSS Because logger names are generally constant strings, we assess the impact to users as LOW This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.
CVE-2025-54656 1 Apache 2 Struts, Struts Extras 2025-11-04 6.5 Medium
** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).  As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-54389 2 Advanced Intrusion Detection Environment Project, Aide Project 2 Advanced Intrusion Detection Environment, Aide 2025-11-04 6.2 Medium
AIDE is an advanced intrusion detection environment. Prior to version 0.19.2, there is an improper output neutralization vulnerability in AIDE. An attacker can craft a malicious filename by including terminal escape sequences to hide the addition or removal of the file from the report and/or tamper with the log output. A local user might exploit this to bypass the AIDE detection of malicious files. Additionally the output of extended attribute key names and symbolic links targets are also not properly neutralized. This issue has been patched in version 0.19.2. A workaround involves configuring AIDE to write the report output to a regular file, redirecting stdout to a regular file, or redirecting the log output written to stderr to a regular file.