Vulnerability ID: CVE-2025-29814
Published: 2025-03-21T01:15:17.253
Last Modified: 2025-03-21T01:15:17.253
Description: Improper authorization in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
Base Score: 9.3
Severity: CRITICAL
21.03.2025 11:00 —
Vulnerability ID: CVE-2025-2538
Published: 2025-03-20T21:15:23.730
Last Modified: 2025-03-20T21:15:23.730
Description: A specific type of ArcGIS Enterprise deployment, is vulnerable to a Password Recovery Exploitation vulnerability in Portal, that could allow an attacker to reset the password on the built in admin account.
Base Score: 9.8
Severity: CRITICAL
21.03.2025 11:00 —
Vulnerability ID: CVE-2025-29980
Published: 2025-03-20T19:15:38.080
Last Modified: 2025-03-20T20:15:33.233
Description: A SQL injection issue has been discovered in eTRAKiT.net release 3.2.1.77. Due to improper input validation, a remote unauthenticated attacker can run arbitrary commands as the current MS SQL server account. It is recommended that the CRM feature is turned off while on eTRAKiT.net release 3.2.1.77. eTRAKiT.Net is no longer supported, and users are recommended to migrate to the latest version of CentralSquare Community Development.
Base Score: 9.8
Severity: CRITICAL
21.03.2025 11:00 —
Vulnerability ID: CVE-2025-29922
Published: 2025-03-20T18:15:19.063
Last Modified: 2025-03-20T18:15:19.063
Description: kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0.
Base Score: 9.6
Severity: CRITICAL
21.03.2025 11:00 —
Vulnerability ID: CVE-2025-2311
Published: 2025-03-20T12:15:14.750
Last Modified: 2025-03-21T07:15:36.820
Description: Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring. This issue affects SecHard: before 3.3.0.20220411.
Base Score: 9.0
Severity: CRITICAL
21.03.2025 11:00 —
Vulnerability ID: CVE-2025-2505
Published: 2025-03-20T08:15:11.873
Last Modified: 2025-03-20T08:15:11.873
Description: The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Base Score: 9.8
Severity: CRITICAL
21.03.2025 11:00 —
Vulnerability ID: CVE-2024-12016
Published: 2025-03-20T08:15:11.547
Last Modified: 2025-03-20T08:15:11.547
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CM Informatics CM News allows SQL Injection. This issue affects CM News: through 6.0.
NOTE: The vendor was contacted and it was learned that the product is not supported.
Base Score: 9.8
Severity: CRITICAL
21.03.2025 11:00 —
Vulnerability ID: CVE-2025-2311
Published: 2025-03-20T12:15:14.750
Last Modified: 2025-03-20T12:15:14.750
Description: Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Nebula Informatics SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring. This issue affects SecHard: before 3.3.0.20220411.
Base Score: 9.0
Severity: CRITICAL
20.03.2025 23:00 —
Vulnerability ID: CVE-2025-2505
Published: 2025-03-20T08:15:11.873
Last Modified: 2025-03-20T08:15:11.873
Description: The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Base Score: 9.8
Severity: CRITICAL
20.03.2025 23:00 —
Vulnerability ID: CVE-2024-12016
Published: 2025-03-20T08:15:11.547
Last Modified: 2025-03-20T08:15:11.547
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CM Informatics CM News allows SQL Injection. This issue affects CM News: through 6.0.
NOTE: The vendor was contacted and it was learned that the product is not supported.
Base Score: 9.8
Severity: CRITICAL
20.03.2025 23:00 —
Vulnerability ID: CVE-2025-29783
Published: 2025-03-19T16:15:32.477
Last Modified: 2025-03-19T16:15:32.477
Description: vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. This vulnerability is fixed in 0.8.0.
Base Score: 10.0
Severity: CRITICAL
20.03.2025 11:00 —
Vulnerability ID: CVE-2025-29137
Published: 2025-03-19T16:15:31.677
Last Modified: 2025-03-19T21:15:41.063
Description: Tenda AC7 V1.0 V15.03.06.44 found a buffer overflow caused by the timeZone parameter in the form_fast_setting_wifi_set function, which can cause RCE.
Base Score: 9.8
Severity: CRITICAL
20.03.2025 11:00 —
Vulnerability ID: CVE-2025-2512
Published: 2025-03-19T12:15:14.463
Last Modified: 2025-03-19T12:15:14.463
Description: The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Base Score: 9.8
Severity: CRITICAL
20.03.2025 11:00 —
sword, including administrators, and leverage that to gain access to their account.
Base Score: 9.8
Severity: CRITICAL
20.03.2025 11:00 —