Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
[github.com/mattermost/mattermost/server/v8] Mattermost Missing Authentication for Critical Function
Description: Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-27538
https://mattermost.com/security-updates
https://github.com/advisories/GHSA-j5jw-m2ph-3jjf
CVSS: LOW (2.2) EPSS Score: 0.02%
April 16th, 2025 (1 day ago)
|
CVE-2024-58248 |
Description: nopCommerce before 4.80.0 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards.
CVSS: LOW (3.5) SSVC Exploitation: none
April 16th, 2025 (1 day ago)
|
|
CVE-2025-31363 |
Description: Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in the AI plugin's Jira tool.
CVSS: LOW (3.0) EPSS Score: 0.03%
April 16th, 2025 (1 day ago)
|
|
CVE-2025-27538 |
Description: Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
CVSS: LOW (2.2) EPSS Score: 0.02%
April 16th, 2025 (1 day ago)
|
|
CVE-2025-24839 |
Description: Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled.
CVSS: LOW (3.1) EPSS Score: 0.03%
April 16th, 2025 (1 day ago)
|
|
CVE-2025-32435 |
Description: Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, that are owned by the hydra-queue-runner and hydra-www users respectively.
CVSS: LOW (2.6) EPSS Score: 0.03%
April 15th, 2025 (2 days ago)
|
|
CVE-2025-32021 |
Description: Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext. If using Weblate official Docker image, nginx logs the URL and the token in plaintext. This issue is patched in version 5.11.
CVSS: LOW (2.2) EPSS Score: 0.03%
April 15th, 2025 (2 days ago)
|
|
CVE-2025-30731 |
Description: Vulnerability in the Oracle Applications Technology Stack product of Oracle E-Business Suite (component: Configuration). Supported versions that are affected are 12.2.3-12.2.14. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Applications Technology Stack executes to compromise Oracle Applications Technology Stack. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Technology Stack accessible data as well as unauthorized read access to a subset of Oracle Applications Technology Stack accessible data. CVSS 3.1 Base Score 3.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).
CVSS: LOW (3.6) EPSS Score: 0.01%
April 15th, 2025 (2 days ago)
|
|
CVE-2025-30703 |
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).
CVSS: LOW (2.7) EPSS Score: 0.03%
April 15th, 2025 (2 days ago)
|
|
CVE-2025-30700 |
Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 3.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N).
CVSS: LOW (3.5) EPSS Score: 0.03%
April 15th, 2025 (2 days ago)
|