Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE-2025-5522

Description: A vulnerability was found in jack0240 魏 bskms 蓝天幼儿园管理系统 up to dffe6640b5b54d8e29da6f060e0493fea74b3fad. It has been rated as critical. Affected by this issue is some unknown functionality of the file /sa/addUser of the component User Creation Handler. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. Eine kritische Schwachstelle wurde in jack0240 魏 bskms 蓝天幼儿园管理系统 bis dffe6640b5b54d8e29da6f060e0493fea74b3fad ausgemacht. Betroffen davon ist ein unbekannter Prozess der Datei /sa/addUser der Komponente User Creation Handler. Durch Beeinflussen mit unbekannten Daten kann eine improper authorization-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung. Dieses Produkt verzichtet auf eine Versionierung und verwendet stattdessen Rolling Releases. Deshalb sind keine Details zu betroffenen oder zu aktualisierende Versionen vorhanden.

CVSS: HIGH (7.3)

EPSS Score: 0.04%

SSVC Exploitation: poc

Source: CVE
June 3rd, 2025 (4 days ago)

CVE-2025-35036

Description: Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.

CVSS: HIGH (7.3)

EPSS Score: 0.06%

Source: CVE
June 3rd, 2025 (4 days ago)

CVE-2025-23100

Description: An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400. The absence of a NULL check leads to a Denial of Service.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
June 3rd, 2025 (4 days ago)

CVE-2025-23098

Description: An issue was discovered in Samsung Mobile Processor Exynos 980, 990, 1080, 2100, 1280, 2200, 1380. A Use-After-Free in the mobile processor leads to privilege escalation.

CVSS: HIGH (7.8)

EPSS Score: 0.01%

Source: CVE
June 3rd, 2025 (4 days ago)

CVE-2025-48998

Description: DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

CVSS: HIGH (7.3)

EPSS Score: 0.04%

Source: CVE
June 3rd, 2025 (4 days ago)

CVE-2025-48997

Description: Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.

CVSS: HIGH (8.7)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
June 3rd, 2025 (4 days ago)

CVE-2025-23102

Description: An issue was discovered in Samsung Mobile Processor Exynos 9820, 9825, 980, 990, 1080, 2100, 1280, 2200, and 1380. A Double Free in the mobile processor leads to privilege escalation.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
June 3rd, 2025 (4 days ago)

CVE-2024-23656

Description: Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

CVSS: HIGH (7.5)

EPSS Score: 0.13%

SSVC Exploitation: poc

Source: CVE
June 3rd, 2025 (4 days ago)

CVE-2024-22022

Description: Vulnerability CVE-2024-22022 allows a Veeam Recovery Orchestrator user that has been assigned a low-privileged role to access the NTLM hash of the service account used by the Veeam Orchestrator Server Service.

CVSS: HIGH (8.8)

EPSS Score: 0.47%

SSVC Exploitation: none

Source: CVE
June 3rd, 2025 (4 days ago)

CVE-2024-21888

Description: A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

CVSS: HIGH (8.8)

EPSS Score: 64.8%

SSVC Exploitation: none

Source: CVE
June 3rd, 2025 (4 days ago)