NVD Dashboard

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2025-35053 - Newforma Info Exchange (NIX) accepts requests to '/UserWeb/Common/MarkupServices.ashx' specifying the 'DownloadExportedPDF' command that allow an authenticated user to read and delete arbitrary files with 'NT AUTHORITY\NetworkService' privileges. ... read CVE-2025-35053
    Published: October 09, 2025; 5:15:36 PM -0400

    V3.1: 6.4 MEDIUM

  • CVE-2025-35054 - Newforma Info Exchange (NIX) stores credentials used to configure NPCS in 'HKLM\Software\WOW6432Node\Newforma\<version>\Credentials'. The credentials are encrypted but the encryption key is stored in the same registry location. Authenticated user... read CVE-2025-35054
    Published: October 09, 2025; 5:15:36 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2025-35055 - Newforma Info Exchange (NIX) '/UserWeb/Common/UploadBlueimp.ashx' allows an authenticated attacker to upload an arbitrary file to any location writable by the NIX application. An attacker can upload and run a web shell or other content executable ... read CVE-2025-35055
    Published: October 09, 2025; 5:15:36 PM -0400

  • CVE-2025-35056 - Newforma Info Exchange (NIX) '/UserWeb/Common/MarkupServices.ashx' 'StreamStampImage' accepts an encrypted file path and returns an image of the specified file. An authenticated attacker can read arbitrary files subject to the privileges of NIX, t... read CVE-2025-35056
    Published: October 09, 2025; 5:15:36 PM -0400

    V3.1: 5.0 MEDIUM

  • CVE-2025-48925 - The TeleMessage service through 2025-05-05 relies on the client side (e.g., the TM SGNL app) to do MD5 hashing, and then accepts the hash as the authentication credential.
    Published: May 28, 2025; 1:15:24 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-35057 - Newforma Info Exchange (NIX) '/RemoteWeb/IntegrationServices.ashx' allows a remote, unauthenticated attacker to cause NIX to make an SMB connection to an attacker-controlled system. The attacker can capture the NTLMv2 hash of the NIX service account.
    Published: October 09, 2025; 5:15:36 PM -0400

  • CVE-2024-32499 - Newforma Project Center Server through 202330.32259 allows remote code execution because .NET Remoting is exposed.
    Published: April 28, 2025; 1:15:47 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-48926 - The admin panel in the TeleMessage service through 2025-05-05 allows attackers to discover usernames, e-mail addresses, passwords, and telephone numbers.
    Published: May 28, 2025; 1:15:24 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-48929 - The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary.
    Published: May 28, 2025; 1:15:25 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-47730 - The TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) from the TM SGNL (aka Archive Signal) app with the credentials of logfile for the user and enRR8UVVywXYbFkqU#QDPRkO for the password.
    Published: May 08, 2025; 10:15:27 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-61999 - OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful ex... read CVE-2025-61999
    Published: October 07, 2025; 8:15:34 PM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2025-61997 - OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an ... read CVE-2025-61997
    Published: October 07, 2025; 8:15:34 PM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2025-61996 - OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an Annual Report. Successful ex... read CVE-2025-61996
    Published: October 07, 2025; 8:15:33 PM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2025-61998 - OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the maliciou... read CVE-2025-61998
    Published: October 07, 2025; 8:15:34 PM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2025-48930 - The TeleMessage service through 2025-05-05 stores certain cleartext information in memory, even though memory content may be accessible to an adversary through various avenues.
    Published: May 28, 2025; 1:15:25 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2025-62598 - WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to version 3.5.1, a reflected cross-site scripting (XSS) vulnerability was identified in the editar_info_pessoal.php endpoint of the WeGIA applic... read CVE-2025-62598
    Published: October 21, 2025; 1:15:41 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2025-58277 - Permission verification bypass vulnerability in the Camera app. Successful exploitation of this vulnerability may affect service confidentiality.
    Published: October 11, 2025; 12:16:06 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2025-4646 - Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation. This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
    Published: May 13, 2025; 6:15:29 AM -0400

  • CVE-2025-4647 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon web allows Reflected XSS. A user with elevated privileges can bypass sanitization measures by replacing the content of an existi... read CVE-2025-4647
    Published: May 13, 2025; 6:15:29 AM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2025-4648 - The content of a SVG file, received as input in Centreon web, was not properly checked. Allows Reflected XSS. A user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request. This issue affe... read CVE-2025-4648
    Published: May 13, 2025; 6:15:29 AM -0400

    V3.1: 5.9 MEDIUM
