| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| goframe v2.7.2 is configured to skip TLS certificate verification, possibly allowing attackers to execute a man-in-the-middle attack via the gclient component. |
| Westermo EDW-100 devices through 2024-05-03 allow an unauthenticated user to download a configuration file containing a cleartext password. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network. |
| Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability. |
| Deserialization of Untrusted Data vulnerability in PickPlugins Testimonial Slider testimonial allows Object Injection.This issue affects Testimonial Slider: from n/a through <= 2.0.13. |
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Logo Software Industry and Trade Inc. Logo j-Platform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Logo j-Platform: from 3.29.6.4 before 3.34.8.9. |
| Maharashtra State Electricity Distribution Company Limited Mahavitran IOS Application 16.1 application till version 16.1 communicates using the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser's history, referrers, web logs, and other sources. |
| Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16). |
| Deserialization of Untrusted Data vulnerability in designthemes OneLife onelife allows Object Injection.This issue affects OneLife: from n/a through <= 3.9. |
| Deserialization of Untrusted Data vulnerability in Chouby Polylang polylang allows Object Injection.This issue affects Polylang: from n/a through <= 3.7.3. |
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Spencer Haws Link Whisper Free link-whisper.This issue affects Link Whisper Free: from n/a through <= 0.7.7. |
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Javier Carazo Import and export users and customers import-users-from-csv-with-meta allows Retrieve Embedded Sensitive Data.This issue affects Import and export users and customers: from n/a through <= 1.27.12. |
| Due to information disclosure vulnerability in anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on the integrity and availability. |
| Lack of file validation in do_update_vps in Avast Business Antivirus for Linux 4.5 on Linux allows local user to spoof or tamper with the update file via an unverified file write. |
| A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. |
| Deserialization of Untrusted Data vulnerability in themeton PIMP - Creative MultiPurpose allows Object Injection. This issue affects PIMP - Creative MultiPurpose: from n/a through 1.7. |
| Deserialization of Untrusted Data vulnerability in impleCode eCommerce Product Catalog ecommerce-product-catalog allows Object Injection.This issue affects eCommerce Product Catalog: from n/a through <= 3.4.3. |
| Deserialization of Untrusted Data vulnerability in Topal Solutions AG Topal Finanzbuchhaltung on Windows allows Remote Code Execution.This issue affects at least Topal Finanzbuchhaltung: 10.1.5.20 and is fixed in version 11.2.12.00 |
| Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection.This issue affects WPBot Pro Wordpress Chatbot: from n/a through 12.7.0. |
| Brightpick Mission Control
discloses device telemetry, configuration, and credential information
via WebSocket traffic to unauthenticated users when they connect to a
specific URL. The unauthenticated URL can be discovered through basic
network scanning techniques. |
| Deserialization of Untrusted Data vulnerability in pebas CouponXxL couponxxl allows Object Injection.This issue affects CouponXxL: from n/a through <= 3.0.0. |
