Threat and Vulnerability Intelligence Database

CVE-2025-1795

Description: Nessus Plugin ID 233211 with Low Severity. Synopsis: The remote SUSE host is missing a security update. Description: The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:0982-1 advisory. - CVE-2025-1795: Fixed mishandling of comma during folding and unicode-encoding of email headers (bsc#1238450). Tenable has extracted the preceding description block directly from the SUSE security advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Solution: Update the affected packages. Read more at https://www.tenable.com/plugins/nessus/233211

CVSS: LOW (2.3)

EPSS Score: 0.07%

Source: Tenable Plugins
March 22nd, 2025 (28 days ago)

CVE-2025-1972

Description: The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.

CVSS: LOW (2.7)

EPSS Score: 0.05%

Source: CVE
March 22nd, 2025 (28 days ago)

CVE-2025-27715

Description: Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which allows team admins to join private channels via crafted permalink links without explicit consent from them.

CVSS: LOW (3.3)

EPSS Score: 0.03%

Source: CVE
March 21st, 2025 (29 days ago)

CVE-2025-2584

Description: A vulnerability was found in WebAssembly wabt 1.0.36. It has been declared as critical. This vulnerability affects the function BinaryReaderInterp::GetReturnCallDropKeepCount of the file wabt/src/interp/binary-reader-interp.cc. The manipulation leads to heap-based buffer overflow. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

CVSS: LOW (2.3)

EPSS Score: 0.04%

Source: CVE
March 21st, 2025 (29 days ago)

CVE-2025-30345

Description: An issue was discovered in OpenSlides before 4.2.5. When creating new chats via the chat_group.create action, the user is able to specify the name of the chat. Some HTML elements such as SCRIPT are filtered, whereas others are not. In most cases, HTML entities are encoded properly, but not when deleting chats or deleting messages in these chats. This potentially allows attackers to interfere with the layout of the rendered website, but it is unlikely that victims would click on deleted chats or deleted messages.

CVSS: LOW (3.5)

EPSS Score: 0.03%

Source: CVE
March 21st, 2025 (29 days ago)

CVE-2025-30343

Description: A directory traversal issue was discovered in OpenSlides before 4.2.5. Files can be uploaded to OpenSlides meetings and organized in folders. The interface allows users to download a ZIP archive that contains all files in a folder and its subfolders. If an attacker specifies the title of a file or folder as a relative or absolute path (e.g., ../../../etc/passwd), the ZIP archive generated for download converts that title into a path. Depending on the extraction tool used by the user, this might overwrite files locally outside of the chosen directory.

CVSS: LOW (3.0)

EPSS Score: 0.18%

Source: CVE
March 21st, 2025 (29 days ago)

CVE-2025-2574

Description: Out-of-bounds array write in Xpdf 4.05 and earlier, due to incorrect integer overflow checking in the PostScript function interpreter code.

CVSS: LOW (2.1)

EPSS Score: 0.02%

Source: CVE
March 20th, 2025 (30 days ago)

CVE-2025-29923

Description: go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool, once a connection is returned after use with ConnPool#Put, the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response occurs before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.

CVSS: LOW (3.7)

EPSS Score: 0.06%

Source: CVE
March 20th, 2025 (30 days ago)

CVE-2025-2555

Description: A vulnerability classified as problematic has been found in Audi Universal Traffic Recorder App 2.0. Affected is an unknown function of the component FTP Credentials. The manipulation leads to use of hard-coded password. Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 2.89 and 2.90 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about these issues and acted very professionally. Version 2.89 is fixing this issue for new customers and 2.90 is going to fix it for existing customers.

CVSS: LOW (2.1)

EPSS Score: 0.02%

Source: CVE
March 20th, 2025 (30 days ago)

Description: Impact: The issue only occurs when the CLIENT SETINFO command times out during connection establishment. The following circumstances can cause such a timeout: the client is configured to transmit its identity (this can be disabled via the DisableIndentity flag); there are network connectivity issues; the client was configured with aggressive timeouts. The impact differs by use case. Sticky connections: Rather than using a connection from the pool on-demand, the caller can stick with a connection. Then you receive persistent out-of-order responses for the lifetime of the connection. Pipelines: All commands in the pipeline receive incorrect responses. Default connection pool usage without pipelining: When used with the default ConnPool, once a connection is returned after use with ConnPool#Put, the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response occurs before the connection is discarded. Patches: We prepared a fix in https://github.com/redis/go-redis/pull/3295 and plan to release patch versions soon. Workarounds: You can prevent the vulnerability by setting the flag DisableIndentity (BTW: We also need to fix the spelling.) to true when constructing the client instance. Credit: Akhass Wasti Ramin Ghorashi Anton Amlinger Syed Rahman Mahesh Venkateswaran Sergey Zavoloka Aditya Adarwal Abdulla Anam Abd-Alhameed Alex Vanlint Gaurav Choudhary Vedanta Jha Yll Kelani Ryan Picard References: https://gi...

CVSS: LOW (3.7)

EPSS Score: 0.06%

Source: Github Advisory Database (Go)
March 20th, 2025 (30 days ago)