Description: Impact
The EXIF data format allows for defining excessively large data structures in relatively small payloads. Before v0.10.0, if you didn't trust the input images, this could be abused to construct denial-of-service attacks.
Patches
v0.10.0 added LimitNumTags (default 5000) and LimitTagSize (default 10000) options.
References
https://github.com/bep/imagemeta/security/advisories/GHSA-q7rw-w4cq-2j6w
https://nvd.nist.gov/vuln/detail/CVE-2025-32024
https://github.com/bep/imagemeta/commit/4fd89616d8bf7f9bb892360d3fb19080ec2b4602
https://github.com/advisories/GHSA-q7rw-w4cq-2j6w
CVSS: MEDIUM (6.9) EPSS Score: 0.02%
April 9th, 2025 (13 days ago)
|
Description: Impact
The buffer created for parsing metadata for PNG and WebP images was only bounded by their input data type, which could lead to potentially large memory allocations, unreasonably high for image metadata. Before v0.11.0, if you didn't trust the input images, this could be abused to construct denial-of-service attacks.
Patches
v0.11.0 added a 10 MB upper limit.
References
https://github.com/bep/imagemeta/security/advisories/GHSA-fmhh-rw3h-785m
https://nvd.nist.gov/vuln/detail/CVE-2025-32025
https://github.com/bep/imagemeta/commit/ee0de9b029f4e82106729f69559f27c9a404229d
https://github.com/advisories/GHSA-fmhh-rw3h-785m
CVSS: MEDIUM (6.9) EPSS Score: 0.02%
April 9th, 2025 (13 days ago)
|
Description: Impact
Authenticated users of the Umbraco backoffice are able to craft management API requests that exploit a path traversal vulnerability to upload files into an incorrect location.
Patches
The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1.
Workarounds
Umbraco supports the configuration of allowed and disallowed file extensions. Using these options to allow only necessary file extensions significantly reduces the scope of the vulnerability.
References
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-q62r-8ppj-xvf4
https://nvd.nist.gov/vuln/detail/CVE-2025-32017
https://github.com/umbraco/Umbraco-CMS/commit/06a2a500b358ce15b1e228391eb60bd517c6e833
https://github.com/umbraco/Umbraco-CMS/commit/d3c1443b14b1076faf13d1bcecc42860fdf5fad8
https://github.com/advisories/GHSA-q62r-8ppj-xvf4
CVSS: MEDIUM (4.3) EPSS Score: 0.06%
April 9th, 2025 (13 days ago)
|
Description: A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash.
A successful attack requires a malicious user to have read_pipeline Elasticsearch cluster privilege assigned to them.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-52980
https://discuss.elastic.co/t/elasticsearch-8-15-1-security-update-esa-2024-34/376919
https://github.com/advisories/GHSA-ghfh-p92w-j4mg
CVSS: MEDIUM (6.5) EPSS Score: 0.04%
April 9th, 2025 (13 days ago)
|
Description: An issue was discovered in Elasticsearch, where a large recursion using a Well-Known Text formatted string with nested GeometryCollection objects could cause a stack overflow.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-52981
https://discuss.elastic.co/t/elasticsearch-7-17-24-and-8-15-1-security-update-esa-2024-37/376924
https://github.com/advisories/GHSA-5xm9-x7x4-4j5x
CVSS: MEDIUM (4.9) EPSS Score: 0.05%
April 9th, 2025 (13 days ago)
|
CVE-2025-30677 |
Description: Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.
This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.
This issue affects Apache Pulsar IO's Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.
3.0.x version users should upgrade to at least 3.0.11.
3.3.x version users should upgrade to at least 3.3.6.
4.0.x version users should upgrade to at least 4.0.4.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
CVSS: MEDIUM (6.3) EPSS Score: 0.04%
April 9th, 2025 (13 days ago)
|
CVE-2025-2442 |
Description: CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could potentially lead to unauthorized access which could result in the loss of confidentiality, integrity and availability when a malicious user, having physical access, sets the radio to the factory default mode.
CVSS: MEDIUM (5.4) EPSS Score: 0.03%
April 9th, 2025 (13 days ago)
|
CVE-2025-2441 |
Description: CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could lead to loss of confidentiality when a malicious user, having physical access, sets the radio in factory default mode where the product does not correctly initialize all data.
CVSS: MEDIUM (4.1) EPSS Score: 0.02%
April 9th, 2025 (13 days ago)
|
CVE-2025-2440 |
Description: CWE-922: Insecure Storage of Sensitive Information vulnerability exists that could potentially lead to unauthorized access of confidential data when a malicious user, having physical access and advanced information on the file system, sets the radio in factory default mode.
CVSS: MEDIUM (4.1) EPSS Score: 0.02%
April 9th, 2025 (13 days ago)
|
CVE-2025-27722 |
Description: A cleartext transmission of sensitive information issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, a man-in-the-middle attack may allow a remote unauthenticated attacker to eavesdrop on the communication and obtain the authentication information.
CVSS: MEDIUM (5.9) EPSS Score: 0.02%
April 9th, 2025 (13 days ago)
|