CVE-2025-21618
Description: NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.
CVSS: HIGH (7.5) EPSS Score: 0.04%
January 7th, 2025

CVE-2025-21617
Description: Guzzle OAuth Subscriber signs Guzzle requests using OAuth 1.0. Prior to 0.8.1, nonce generation uses neither sufficient entropy nor a cryptographically secure pseudorandom source. This can leave servers vulnerable to replay attacks when TLS is not used. This vulnerability is fixed in 0.8.1.
CVSS: MEDIUM (6.3) EPSS Score: 0.05%
January 7th, 2025

CVE-2025-21616
Description: Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.
CVSS: MEDIUM (5.4) EPSS Score: 0.04%
January 7th, 2025

CVE-2025-21615
Description: AAT (Another Activity Tracker) is a GPS-tracking application for tracking sporting activities, with an emphasis on cycling. Versions of AAT prior to v1.26 are vulnerable to data exfiltration by malicious apps installed on the same device.
CVSS: MEDIUM (5.5) EPSS Score: 0.04%
January 7th, 2025

CVE-2025-21614
Description: go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server that trigger resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
CVSS: HIGH (7.5) EPSS Score: 0.04%
January 7th, 2025

CVE-2025-21613
Description: go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values for git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
CVSS: CRITICAL (9.2) EPSS Score: 0.04%
January 7th, 2025

CVE-2025-21612
Description: TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php does not escape the user-supplied page name when outputting it, so an XSS payload supplied as the page name is rendered unescaped. This vulnerability is fixed in 2.7.2.
CVSS: HIGH (8.6) EPSS Score: 0.05%
January 7th, 2025

CVE-2025-21611
Description: tgstation-server is a production-scale tool for BYOND server management. Prior to 6.12.3, the roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine whether a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected, so users cannot use this bug to permanently elevate their account permissions. The fix is released in tgstation-server-v6.12.3.
CVSS: HIGH (8.8) EPSS Score: 0.05%
January 7th, 2025

CVE-2025-21604
Description: LangChain4j-AIDeepin is a retrieval-augmented generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash uploaded files, which may cause file upload conflicts. This issue is fixed in 3.5.0.
CVSS: MEDIUM (6.9) EPSS Score: 0.04%
January 7th, 2025

CVE-2024-8474
Description: OpenVPN Connect before version 3.5.0 can write the configuration profile's clear-text private key to the application log, which an unauthorized actor can use to decrypt the VPN traffic.
EPSS Score: 0.04%
January 7th, 2025