Search Results (8904 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-27819 1 Apache 1 Kafka 2025-07-11 7.5 High
In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in in Apache Kafka 3.9.1/4.0.0
CVE-2024-38291 1 Extremenetworks 1 Xiq-se 2025-07-11 8.8 High
In XIQ-SE before 24.2.11, a low-privileged user may be able to access admin passwords, which could lead to privilege escalation.
CVE-2025-26795 1 Apache 1 Iotdb 2025-07-11 7.5 High
Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.
CVE-2025-22246 1 Cloudfoundry 2 Cf-deployment, Uaa Release 2025-07-11 3 Low
Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs.
CVE-2025-48389 1 Freescout 1 Freescout 2025-07-11 7.2 High
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to deserialization of untrusted data due to insufficient validation. Through the set function, a string with a serialized object can be passed, and when getting an option through the get method, deserialization will occur, which will allow arbitrary code execution This issue has been patched in version 1.8.178.
CVE-2020-9250 1 Huawei 2 Mate 20 Pro, Mate 20 Pro Firmware 2025-07-11 3.3 Low
There is an insufficient authentication vulnerability in some Huawei smart phone. An unauthenticated, local attacker can crafts software package to exploit this vulnerability. Due to insufficient verification, successful exploitation may impact the service. (Vulnerability ID: HWPSIRT-2019-12302) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9250.
CVE-2025-48908 1 Huawei 1 Harmonyos 2025-07-11 6.7 Medium
Ability Auto Startup service vulnerability in the foundation process Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2024-41178 1 Apache 1 Arrow 2025-07-10 7.5 High
Exposure of temporary credentials in logs in Apache Arrow Rust Object Store (`object_store` crate), version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens.  On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html . This allows someone with access to the logs to impersonate that identity, including performing their own calls to AssumeRoleWithWebIdentity, until the OIDC token expires. Typically OIDC tokens are valid for up to an hour, although this will vary depending on the issuer. Users are recommended to use a different AWS authentication mechanism, disable logging or upgrade to version 0.10.2, which fixes this issue. Details: When using AWS WebIdentityTokens with the object_store crate, in the event of a failure and automatic retry, the underlying reqwest error, including the full URL with the credentials, potentially in the parameters, is written to the logs.  Thanks to Paul Hatcherian for reporting this vulnerability
CVE-2012-4688 1 I-gen 1 Oplynx 2025-07-10 N/A
The Central application in i-GEN opLYNX before 2.01.9 allows remote attackers to bypass authentication via vectors involving the disabling of browser JavaScript support.
CVE-2023-24904 1 Microsoft 1 Windows Server 2008 2025-07-10 7.1 High
Windows Installer Elevation of Privilege Vulnerability
CVE-2023-29343 1 Microsoft 1 Windows Sysmon 2025-07-10 7.8 High
SysInternals Sysmon for Windows Elevation of Privilege Vulnerability
CVE-2023-24946 1 Microsoft 11 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 8 more 2025-07-10 7.8 High
Windows Backup Service Elevation of Privilege Vulnerability
CVE-2023-24899 1 Microsoft 3 Windows 11 21h2, Windows 11 22h2, Windows Server 2022 2025-07-10 7 High
Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-28283 1 Microsoft 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more 2025-07-10 8.1 High
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
CVE-2024-38137 1 Microsoft 8 Windows 10 21h2, Windows 10 22h2, Windows 11 21h2 and 5 more 2025-07-10 7 High
Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
CVE-2024-38131 1 Microsoft 16 Remote Desktop Client, Windows 10 1507, Windows 10 1607 and 13 more 2025-07-10 8.8 High
Clipboard Virtual Channel Extension Remote Code Execution Vulnerability
CVE-2024-38098 1 Microsoft 1 Azure Connected Machine Agent 2025-07-10 7.8 High
Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2024-38084 1 Microsoft 1 Officeplus 2025-07-10 7.8 High
Microsoft OfficePlus Elevation of Privilege Vulnerability
CVE-2024-36755 2 D-link, Dlink 3 Dir-1950 Firmware, Dir-1950, Dir-1950 Firmware 2025-07-09 6.8 Medium
D-Link DIR-1950 up to v1.11B03 does not validate SSL certificates when requesting the latest firmware version and downloading URL. This can allow attackers to downgrade the firmware version or change the downloading URL via a man-in-the-middle attack.
CVE-2025-6624 1 Snyk 1 Snyk Cli 2025-07-09 7.2 High
Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments can be exposed when executing Snyk CLI in DEBUG or DEBUG/TRACE mode. The issue affects the following Snyk commands: 1. When snyk container test or snyk container monitor commands are run against a container registry, with debug mode enabled, the container registry credentials may be written into the local Snyk CLI debug log. This only happens with credentials specified in environment variables (SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD), or in the CLI (--password/-p and --username/-u). 2. When snyk auth command is executed with debug mode enabled AND the log level is set to TRACE, the Snyk access / refresh credential tokens used to connect the CLI to Snyk may be written into the local CLI debug logs. 3. When snyk iac test is executed with a Remote IAC Custom rules bundle, debug mode enabled, AND the log level is set to TRACE, the docker registry token may be written into the local CLI debug logs.