CVE-2025-3611 |
Description: Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.
CVSS: LOW (3.1) SSVC Exploitation: none
May 30th, 2025 (about 2 hours ago)
|
CVE-2025-1792 |
Description: Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.
CVSS: LOW (3.1) SSVC Exploitation: none
May 30th, 2025 (about 2 hours ago)
|
CVE-2024-0773 |
Description: A vulnerability classified as problematic was found in CodeAstro Internet Banking System 1.0. Affected by this vulnerability is an unknown functionality of the file pages_client_signup.php. The manipulation of the argument Client Full Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-251677 was assigned to this vulnerability. In CodeAstro Internet Banking System 1.0 wurde eine problematische Schwachstelle entdeckt. Betroffen ist eine unbekannte Verarbeitung der Datei pages_client_signup.php. Durch Manipulieren des Arguments Client Full Name mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.
CVSS: LOW (3.5) SSVC Exploitation: poc
May 30th, 2025 (about 2 hours ago)
|
CVE-2025-48491 |
Description: Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version.
CVSS: LOW (2.7)
May 30th, 2025 (about 13 hours ago)
|
CVE-2025-48068 |
Description: Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in version 15.2.2.
CVSS: LOW (2.3)
May 30th, 2025 (about 13 hours ago)
|
CVE-2025-47952 |
Description: Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1.
CVSS: LOW (2.9)
May 30th, 2025 (about 13 hours ago)
|
CVE-2025-47288 |
Description: Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the group members could be shown to non-group members. This issue has been patched in version 0.1.1. A workaround involves moving any policy topics with private groups to restricted categories.
CVSS: LOW (3.5)
May 29th, 2025 (about 21 hours ago)
|
CVE-2025-46570 |
Description: vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0.
CVSS: LOW (2.6)
May 29th, 2025 (1 day ago)
|
CVE-2024-23825 |
Description: TablePress is a table plugin for Wordpress. For importing tables, TablePress makes external HTTP requests based on a URL that is provided by the user. That user input is filtered insufficiently, which makes it is possible to send requests to unintended network locations and receive responses. On sites in a cloud environment like AWS, an attacker can potentially make GET requests to the instance's metadata REST API. If the instance's configuration is insecure, this can lead to the exposure of internal data, including credentials. This vulnerability is fixed in 2.2.5.
CVSS: LOW (3.0) EPSS Score: 0.29% SSVC Exploitation: poc
May 29th, 2025 (1 day ago)
|
CVE-2024-22200 |
Description: vantage6-UI is the User Interface for vantage6. The docker image used to run the UI leaks the nginx version. To mitigate the vulnerability, users can run the UI as an angular application. This vulnerability was patched in 4.2.0.
CVSS: LOW (3.3) EPSS Score: 0.13% SSVC Exploitation: none
May 29th, 2025 (1 day ago)
|