CVE-2025-22445
Description: Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.
CVSS: LOW (3.5) EPSS Score: 0.04%
January 10th, 2025

CVE-2025-22151
Description: Strawberry GraphQL is a library for creating GraphQL APIs. Starting in 0.182.0 and prior to version 0.257.0, a type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay node interface. When querying for a specific type using the global node field (e.g., FruitType:some-id), the resolver may incorrectly return an instance of a different type mapped to the same model (e.g., SpecialFruitType). This can lead to information disclosure if the alternate type exposes sensitive fields and potential privilege escalation if the alternate type contains data intended for restricted access. This vulnerability is fixed in 0.257.0.
CVSS: LOW (3.7) EPSS Score: 0.04%
January 10th, 2025

CVE-2025-22149
Description: JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).
CVSS: LOW (2.1) EPSS Score: 0.05%
January 10th, 2025

CVE-2024-5469
Description: DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests.
CVSS: LOW (3.1) EPSS Score: 0.04%
January 10th, 2025

CVE-2024-53564
Description: A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.
CVSS: LOW (2.2) EPSS Score: 0.04%
January 10th, 2025

CVE-2024-52286
Description: Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In affected versions the Merge functionality takes untrusted user input (file name) and uses it directly in the creation of HTML pages, allowing any unauthenticated user to execute JavaScript code in the context of the user. The issue stems from the code starting at `Line 24` in `src/main/resources/static/js/merge.js`. The file name is directly written into innerHTML with no sanitization, allowing a malicious user to upload files with names containing HTML tags. As HTML tags can include JavaScript code, this can be used to execute JavaScript code in the context of the user. This is a self-injection style attack: it relies on a user uploading the malicious file themselves and it impacts only them, not other users. A user might be socially engineered into running this to launch a phishing attack. Nevertheless, this breaks the expected security restrictions in place by the application. This issue has been addressed in version 0.32.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: LOW (2.0) EPSS Score: 0.04%
January 10th, 2025

CVE-2024-4011
Description: An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a non-project member to promote key results to objectives.
CVSS: LOW (3.1) EPSS Score: 0.05%
January 10th, 2025

CVE-2024-37372
Description: The Permission Model assumes that any path starting with two backslashes `\\` has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.
CVSS: LOW (3.6) EPSS Score: 0.04%
January 10th, 2025

CVE-2024-10106
Description: A buffer overflow vulnerability in the packet handoff plugin allows an attacker to overwrite memory outside the plugin's buffer.
CVSS: LOW (3.7) EPSS Score: 0.04%
January 10th, 2025

CVE-2025-22449
Description: Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-22449
https://mattermost.com/security-updates
https://github.com/advisories/GHSA-q8fg-cp3q-5jwm
CVSS: LOW (3.8) EPSS Score: 0.04%
January 9th, 2025