Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-32379 |
Description: Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5.
CVSS: MEDIUM (5.0) EPSS Score: 0.04%
April 9th, 2025 (13 days ago)
|
|
CVE-2025-32378 |
Description: Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt-in for registered customers set to disabled, and Log-in & sign-up: Double opt-in on sign-up set to disabled. With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17.
CVSS: MEDIUM (6.9) EPSS Score: 0.06%
April 9th, 2025 (13 days ago)
|
|
CVE-2025-32374 |
Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Possible denial of service with specially crafted information in the public registration form. This vulnerability is fixed in 9.13.8.
CVSS: MEDIUM (5.9) EPSS Score: 0.05% SSVC Exploitation: none
April 9th, 2025 (13 days ago)
|
|
CVE-2025-32373 |
Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In limited configurations, registered users may be able to craft a request to enumerate/access some portal files they should not have access to. This vulnerability is fixed in 9.13.8.
CVSS: MEDIUM (6.5) EPSS Score: 0.03% SSVC Exploitation: none
April 9th, 2025 (13 days ago)
|
|
CVE-2025-32372 |
Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance, bypassing firewalls. This vulnerability is fixed in 9.13.8.
CVSS: MEDIUM (6.5) EPSS Score: 0.08% SSVC Exploitation: none
April 9th, 2025 (13 days ago)
|
|
CVE-2025-32371 |
Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A url could be crafted to the DNN ImageHandler to render text from a querystring parameter. This text would display in the resulting image and a user that trusts the domain might think that the information is legitimate. This vulnerability is fixed in 9.13.4.
CVSS: MEDIUM (4.3) EPSS Score: 0.03% SSVC Exploitation: none
April 9th, 2025 (13 days ago)
|
|
CVE-2025-32016 |
Description: Microsoft Identity Web is a library which contains a set of reusable classes used in conjunction with ASP.NET Core for integrating with the Microsoft identity platform (formerly Azure AD v2.0 endpoint) and AAD B2C. This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely. Service logs generated at the information level or credential descriptions containing local file paths with passwords, Base64 encoded values, or Client secret. Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status. To mitigate this vulnerability, update to Microsoft.Identity.Web 3.8.2 or Microsoft.Identity.Abstractions 9.0.0.
CVSS: MEDIUM (4.7) EPSS Score: 0.01%
April 9th, 2025 (13 days ago)
|
|
CVE-2025-27391 |
Description: Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled.
This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users.
Users are recommended to upgrade to version 2.40.0, which fixes the issue.
CVSS: MEDIUM (6.8) EPSS Score: 0.02%
April 9th, 2025 (13 days ago)
|
|
CVE-2025-25023 |
Description: IBM Security Guardium 11.4 and 12.1 could allow a privileged user to read any file on the system due to incorrect privilege assignment.
CVSS: MEDIUM (4.9) EPSS Score: 0.03% SSVC Exploitation: none
April 9th, 2025 (13 days ago)
|
|
CVE-2024-44160 |
Description: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted texture may lead to unexpected app termination.
CVSS: MEDIUM (5.5) EPSS Score: 0.02% SSVC Exploitation: none
April 9th, 2025 (13 days ago)
|