Threat and Vulnerability Intelligence Database

Description:

Overview

Session cookies of applications using the laravel-auth0 SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected?

You are affected by this vulnerability if you meet the following pre-conditions:
- Applications using laravel-auth0 SDK with version <=7.16.0
- laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0
- Session storage configured with CookieStore

Fix

Upgrade Auth0/laravel-auth0 to v7.17.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement

Okta would like to thank Félix Charette for discovering this vulnerability.

References
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3
https://nvd.nist.gov/vuln/detail/CVE-2025-47275
https://github.com/auth0/laravel-auth0/commit/be2c59adb476c49945dcc55741a54c7a68c1741d
https://github.com/auth0/laravel-auth0/releases/tag/7.17.0
https://github.com/advisories/GHSA-9fwj-9mjf-rhj3

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

Source: Github Advisory Database (Composer)
May 17th, 2025 (21 days ago)

CVE-2025-48187

Description: RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting.

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

Source: CVE
May 17th, 2025 (21 days ago)

CVE-2025-4391

Description: The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: CRITICAL (9.8)

EPSS Score: 0.2%

Source: CVE
May 17th, 2025 (21 days ago)

CVE-2025-4389

Description: The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: CRITICAL (9.8)

EPSS Score: 0.2%

Source: CVE
May 17th, 2025 (21 days ago)

Description:

Overview

Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected?

You are affected by this vulnerability if you meet the following pre-conditions:
- Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK:
  a. Auth0/symfony
  b. Auth0/laravel-auth0
  c. Auth0/wordpress
- Session storage configured with CookieStore

Fix

Upgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement

Okta would like to thank Félix Charette for discovering this vulnerability.

References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3
https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch
https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q
https://nvd.nist.gov/vuln/detail/CVE-2025-47275
https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389
https://github.com/auth0/auth0-PHP/releases/tag/8.14.0
https://github.com/advisories/GHSA-g98g-r7gf-2r25

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

Source: Github Advisory Database (Composer)
May 16th, 2025 (22 days ago)

CVE-2025-40906

Description: BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution reached its end of life on August 13, 2020 and is no longer supported.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
May 16th, 2025 (22 days ago)

CVE-2025-39481

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer allows Blind SQL Injection. This issue affects Eventer: from n/a through 3.9.6.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
May 16th, 2025 (22 days ago)

CVE-2025-32643

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from n/a through 65.0.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
May 16th, 2025 (22 days ago)

CVE-2024-0321

Description: Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.

CVSS: CRITICAL (9.8)

EPSS Score: 0.07%

SSVC Exploitation: poc

Source: CVE
May 16th, 2025 (22 days ago)

CVE-2025-47916

Description: Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.

CVSS: CRITICAL (10.0)

EPSS Score: 75.59%

Source: CVE
May 16th, 2025 (22 days ago)