CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

CVE-2025-49462

Description: Cross-site scripting in certain Zoom Clients before version 6.4.5 may allow an authenticated user to conduct a disclosure of information via network access.

CVSS: LOW (3.5)

Source: CVE
July 10th, 2025 (about 6 hours ago)

CVE-2025-27889

Description: Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.

CVSS: LOW (3.4)

Source: CVE
July 10th, 2025 (about 6 hours ago)

CVE-2025-27613

Description: Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

CVSS: LOW (3.6)

Source: CVE
July 10th, 2025 (about 8 hours ago)

CVE-2025-6168

Description: An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests.

CVSS: LOW (2.7)

Source: CVE
July 10th, 2025 (about 14 hours ago)

CVE-2025-4972

Description: An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality.

CVSS: LOW (2.7)

Source: CVE
July 10th, 2025 (about 14 hours ago)

CVE-2025-7215

Description: A vulnerability, which was classified as problematic, has been found in FNKvision FNK-GU2 up to 40.1.7. Affected by this issue is some unknown functionality of the file /rom/wpa_supplicant.conf. The manipulation leads to cleartext storage of sensitive information. The attack requires physical access to the device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

CVSS: LOW (1.0)

EPSS Score: 0.01%

Source: CVE
July 9th, 2025 (2 days ago)

CVE-2025-7214

Description: A vulnerability classified as problematic was found in FNKvision FNK-GU2 up to 40.1.7. Affected by this vulnerability is an unknown functionality of the file /etc/shadow of the component MD5. The manipulation leads to use of a risky cryptographic algorithm. The attack requires physical access to the device. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

CVSS: LOW (1.0)

EPSS Score: 0.01%

Source: CVE
July 9th, 2025 (2 days ago)

CVE-2025-49546

Description: ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability to disrupt the availability of the application. Exploitation of this issue does not require user interaction and scope is unchanged. The vulnerable component is restricted to internal IP addresses.

CVSS: LOW (2.4)

EPSS Score: 0.03%

Source: CVE
July 8th, 2025 (2 days ago)

CVE-2025-49760

Description: External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network.

CVSS: LOW (3.5)

EPSS Score: 0.05%

Source: CVE
July 8th, 2025 (2 days ago)

CVE-2025-49756

Description: Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.

CVSS: LOW (3.3)

EPSS Score: 0.02%

Source: CVE
July 8th, 2025 (2 days ago)