CVE-2025-32943 |
Description: The vulnerability allows any authenticated user to leak the contents of arbitrary “.m3u8” files from the PeerTube server due to a path traversal in the HLS endpoint.
CVSS: LOW (3.7)
April 15th, 2025 (21 minutes ago)
|
CVE-2024-45712 |
Description: SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low.
CVSS: LOW (2.6)
April 15th, 2025 (about 2 hours ago)
|
CVE-2025-31494 |
Description: AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The AutoGPT Platform's WebSocket API transmitted node execution updates to subscribers based on the graph_id+graph_version. Additionally, there was no check prohibiting users from subscribing with another user's graph_id+graph_version. As a result, node execution updates from one user's graph execution could be received by another user within the same instance. This vulnerability does not occur between different instances or between users and non-users of the platform. Single-user instances are not affected. In private instances with a user white-list, the impact is limited by the fact that all potential unintended recipients of these node execution updates must have been admitted by the administrator. This vulnerability is fixed in 0.6.1.
CVSS: LOW (3.5)
April 15th, 2025 (about 11 hours ago)
|
CVE-2025-2424 |
Description: Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark, which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.
CVSS: LOW (3.1)
April 14th, 2025 (about 20 hours ago)
|
CVE-2024-49709 |
Description: Internet Starter, one of the SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. An attacker with access to a user's browser might set such a cookie, wait until the user logs in and then use the same cookie to take over the account.
Moreover, the system does not destroy the old sessions when creating new ones, which expands the time frame in which an attack might be performed.
This vulnerability has been patched in version 79.0.
CVSS: LOW (2.3) SSVC Exploitation: none
April 14th, 2025 (about 22 hours ago)
|
CVE-2025-30516 |
Description: Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications.
CVSS: LOW (2.0) EPSS Score: 0.01%
April 14th, 2025 (1 day ago)
|
CVE-2024-46901 |
Description:
Nessus Plugin ID 234250 with Low Severity
Synopsis
The remote Azure Linux host is missing one or more security updates.
Description
The version of subversion installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-46901 advisory. - Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository. All versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. Users are recommended to upgrade to version 1.14.5, which fixes this issue. Repositories served via other access methods are not affected. (CVE-2024-46901) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.
Read more at https://www.tenable.com/plugins/nessus/234250
CVSS: LOW (3.1)
April 14th, 2025 (1 day ago)
|
CVE-2025-1795 |
Description:
Nessus Plugin ID 234295 with Low Severity
Synopsis
The remote CBL Mariner host is missing one or more security updates.
Description
The version of python3 installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-1795 advisory. - During an address list folding, when a separating comma ends up on a folded line and that line is to be unicode-encoded, then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plain comma. This can result in the address header being misinterpreted by some mail servers. (CVE-2025-1795) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.
Read more at https://www.tenable.com/plugins/nessus/234295
CVSS: LOW (2.3)
April 14th, 2025 (1 day ago)
|
CVE-2024-2313 |
Description:
Nessus Plugin ID 234296 with Low Severity
Synopsis
The remote Azure Linux host is missing one or more security updates.
Description
The version of bpftrace installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-2313 advisory. - If kernel headers need to be extracted, bpftrace will attempt to load them from a temporary directory. An unprivileged attacker could use this to force bcc to load compromised linux headers. Linux distributions which provide kernel headers by default are not affected by default. (CVE-2024-2313) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.
Read more at https://www.tenable.com/plugins/nessus/234296
CVSS: LOW (2.8)
April 14th, 2025 (1 day ago)
|
CVE-2025-24912 |
Description:
Nessus Plugin ID 234297 with Low Severity
Synopsis
The remote CBL Mariner host is missing one or more security updates.
Description
The version of wpa_supplicant installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-24912 advisory. - hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates Wi-Fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail. (CVE-2025-24912) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.
Read more at https://www.tenable.com/plugins/nessus/234297
CVSS: LOW (3.7)
April 14th, 2025 (1 day ago)
|