Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-30647 |
Description: A Missing Release of Memory after Effective Lifetime vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated adjacent attacker to cause a Denial-of-Service (DoS).
In a subscriber management scenario, login/logout activity triggers a memory leak, and the leaked memory gradually increments and eventually results in a crash.
user@host> show chassis fpc
Temp CPU Utilization (%) CPU Utilization (%) Memory Utilization (%)
Slot State (C) Total Interrupt 1min 5min 15min DRAM (MB) Heap Buffer
2 Online 36 10 0 9 8 9 32768 26 0
This issue affects Junos OS on MX Series:
* All versions before 21.2R3-S9
* from 21.4 before 21.4R3-S10
* from 22.2 before 22.2R3-S6
* from 22.4 before 22.4R3-S5
* from 23.2 before 23.2R2-S3
* from 23.4 before 23.4R2-S3
* from 24.2 before 24.2R2.
CVSS: MEDIUM (6.5) EPSS Score: 0.02%
April 9th, 2025 (12 days ago)
|
|
CVE-2025-30646 |
Description: A Signed to Unsigned Conversion Error vulnerability in the Layer 2 Control Protocol daemon (l2cpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated adjacent attacker sending a specifically malformed LLDP TLV to cause the l2cpd process to crash and restart, causing a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.
When an LLDP telemetry subscription is active, receipt of a specifically malformed LLDP TLV causes the l2cpd process to crash and restart.
This issue affects:
Junos OS:
* All versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S10,
* from 22.2 before 22.2R3-S6,
* from 22.4 before 22.4R3-S6,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2-S4,
* from 24.2 before 24.2R2;
Junos OS Evolved:
* All versions before 21.4R3-S10-EVO,
* from 22.2-EVO before 22.2R3-S6-EVO,
* from 22.4-EVO before 22.4R3-S6-EVO,
* from 23.2-EVO before 23.2R2-S3-EVO,
* from 23.4-EVO before 23.4R2-S4-EVO,
* from 24.2-EVO before 24.2R2-EVO.
CVSS: MEDIUM (6.5) EPSS Score: 0.02%
April 9th, 2025 (12 days ago)
|
|
CVE-2025-26902 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in Brizy Brizy Pro allows Cross Site Request Forgery.This issue affects Brizy Pro: from n/a through 2.6.1.
CVSS: MEDIUM (4.3) EPSS Score: 0.02% SSVC Exploitation: none
April 9th, 2025 (12 days ago)
|
|
CVE-2025-26901 |
Description: Missing Authorization vulnerability in Brizy Brizy Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Brizy Pro: from n/a through 2.6.1.
CVSS: MEDIUM (4.3) EPSS Score: 0.04% SSVC Exploitation: none
April 9th, 2025 (12 days ago)
|
|
CVE-2025-26888 |
Description: Missing Authorization vulnerability in OnTheGoSystems WooCommerce Multilingual & Multicurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Multilingual & Multicurrency: from n/a through 5.3.8.
CVSS: MEDIUM (5.3) EPSS Score: 0.04% SSVC Exploitation: none
April 9th, 2025 (12 days ago)
|
|
CVE-2025-21597 |
Description: An Improper Check for Unusual or Exceptional Conditions vulnerability in routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer to cause Denial of Service (DoS).
On all Junos OS and Junos OS Evolved platforms, when BGP rib-sharding and update-threading are configured, and a BGP peer flap is done with specific timing, rpd crashes and restarts. Continuous peer flapping at specific time intervals will result in a sustained Denial of Service (DoS) condition.
This issue affects eBGP and iBGP, in both IPv4 and IPv6 implementations. This issue requires a remote attacker to have at least one established BGP session. The issue can occur with or without logical-systems enabled.
This issue affects:
Junos OS:
* All versions before 20.4R3-S8,
* 21.2 versions before 21.2R3-S6,
* 21.3 versions before 21.3R3-S5,
* 21.4 versions before 21.4R3-S4,
* 22.1 versions before 22.1R3-S3,
* 22.2 versions before 22.2R3-S1,
* 22.3 versions before 22.3R3,
* 22.4 versions before 22.4R3.
Junos OS Evolved:
* All versions before 21.2R3-S6-EVO,
* 21.3-EVO versions before 21.3R3-S5-EVO,
* 21.4-EVO versions before 21.4R3-S4-EVO,
* 22.1-EVO versions before 22.1R3-S3-EVO,
* 22.2-EVO versions before :22.2R3-S1-EVO,
* 22.3-EVO versions before 22.3R3-EVO,
* 22.4-EVO versions before 22.4R3-EVO.
CVSS: MEDIUM (5.3) EPSS Score: 0.06%
April 9th, 2025 (12 days ago)
|
|
CVE-2025-21595 |
Description: A Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause an FPC to crash, leading to Denial of Service (DoS).
On all Junos OS and Junos OS Evolved platforms, in an EVPN-VXLAN scenario, when specific ARP packets are received on an IPv4 network, or specific NDP packets are received on an IPv6 network, kernel heap memory leaks, which eventually leads to an FPC crash and restart.
This issue does not affect MX Series platforms.
Heap size growth on FPC can be seen using below command.
user@host> show chassis fpc
Temp CPU Utilization (%) CPU Utilization (%) Memory Utilization (%)
Slot State (C) Total Interrupt 1min 5min 15min DRAM (MB) Heap Buffer
0 Online 45 3 0 2 2 2 32768 19 0 <<<<<<< Heap increase in all fPCs
This issue affects Junos OS:
* All versions before 21.2R3-S7,
* 21.4 versions before 21.4R3-S4,
* 22.2 versions before 22.2R3-S1,
* 22.3 versions before 22.3R3-S1,
* 22.4 versions before 22.4R2-S2, 22.4R3.
and Junos OS Evolved:
* All versions before 21.2R3-S7-EVO,
* 21.4-EVO versions before 21.4R3-S4-EVO,
* 22.2-EVO versions before 22.2R3-S1-EVO,
* 22.3-EVO versions before 22.3R3-S1-EVO,
* 22.4-EVO versions before 22.4R3-EVO.
CVSS: MEDIUM (6.5) EPSS Score: 0.02%
April 9th, 2025 (12 days ago)
|
|
Description: Impact
What kind of vulnerability is it? Who is impacted?
Description: This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely.
Impact: The vulnerability impacts service logs that meet the following criteria:
Logging Level: Logs are generated at the information level.
Credential Descriptions: containing:
Local file paths with passwords.
Base64 encoded values.
Client secret.
Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status.
If your service logs are handled securely, you are not impacted.
Otherwise, the following table shows when you can be impacted
| Log Level Information for Microsoft.Identity.Web | Invalid Certificate
-- | -- | --
One of the ClientCredentials credential description has a CredentialSource = Base64Encoded or (CredentialSource = Path) | Impacted | Impacted
One of the ClientCredentials credential description is a Client secret (CredentialSource = ClientSecret) | Impacted | Not impacted
Other credential descriptions | Not Impacted | Not Impacted
Patches
Has the...
CVSS: MEDIUM (4.7) EPSS Score: 0.01%
April 9th, 2025 (13 days ago)
|
|
|
Description: Impact
What kind of vulnerability is it? Who is impacted?
Description: This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely.
Impact: The vulnerability impacts service logs that meet the following criteria:
Logging Level: Logs are generated at the information level.
Credential Descriptions: containing:
Local file paths with passwords.
Base64 encoded values.
Client secret.
Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status.
If your service logs are handled securely, you are not impacted.
Otherwise, the following table shows when you can be impacted
| Log Level Information for Microsoft.Identity.Web | Invalid Certificate
-- | -- | --
One of the ClientCredentials credential description has a CredentialSource = Base64Encoded or (CredentialSource = Path) | Impacted | Impacted
One of the ClientCredentials credential description is a Client secret (CredentialSource = ClientSecret) | Impacted | Not impacted
Other credential descriptions | Not Impacted | Not Impacted
Patches
Has the...
CVSS: MEDIUM (4.7) EPSS Score: 0.01%
April 9th, 2025 (13 days ago)
|
|
CVE-2025-32694 |
Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Rustaurius Ultimate WP Mail allows Phishing. This issue affects Ultimate WP Mail: from n/a through 1.3.2.
CVSS: MEDIUM (4.7) EPSS Score: 0.03%
April 9th, 2025 (13 days ago)
|