Threat and Vulnerability Intelligence Database

Description: Microsoft has released an out-of-band Office update to fix a known issue that caused Word, Excel, and Outlook to crash after installing the KB5002700 security update for Office 2016. [...]
Source: BleepingComputer
April 10th, 2025 (7 days ago)
Description: Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries and execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack. The newly discovered package, named pdf-to-office, masquerades as a utility for converting PDF files to Microsoft Word documents. But, in
Source: TheHackerNews
April 10th, 2025 (7 days ago)

CVE-2025-0539

Description: In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.

CVSS: MEDIUM (5.9)

EPSS Score: 0.05%

Source: CVE
April 10th, 2025 (8 days ago)
Description: Microsoft's April 2025 Patch Tuesday updates are strangely creating an empty "inetpub" folder in the root of the C:\ drive, even on systems that do not have Internet Information Services (IIS) installed. [...]
Source: BleepingComputer
April 9th, 2025 (8 days ago)
Description: This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely.

Impact: The vulnerability impacts service logs that meet the following criteria:

- Logging Level: Logs are generated at the information level.
- Credential Descriptions: containing:
  - Local file paths with passwords.
  - Base64 encoded values.
  - Client secret.

Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status.

If your service logs are handled securely, you are not impacted. Otherwise, the following table shows when you can be impacted:

|   | Log Level Information for Microsoft.Identity.Web | Invalid Certificate |
| -- | -- | -- |
| One of the ClientCredentials credential description has a CredentialSource = Base64Encoded or (CredentialSource = Path) | Impacted | Impacted |
| One of the ClientCredentials credential description is a Client secret (CredentialSource = ClientSecret) | Impacted | Not impacted |
| Other credential descriptions | Not Impacted | Not Impacted |

Patches Has the...

CVSS: MEDIUM (4.7)

EPSS Score: 0.01%

Source: GitHub Advisory Database (Nuget)
April 9th, 2025 (8 days ago)

CVE-2025-32374

Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Possible denial of service with specially crafted information in the public registration form. This vulnerability is fixed in 9.13.8.

CVSS: MEDIUM (5.9)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
April 9th, 2025 (8 days ago)

CVE-2025-32373

Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In limited configurations, registered users may be able to craft a request to enumerate/access some portal files they should not have access to. This vulnerability is fixed in 9.13.8.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
April 9th, 2025 (8 days ago)

CVE-2025-32372

Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance and bypassing firewalls. This vulnerability is fixed in 9.13.8.

CVSS: MEDIUM (6.5)

EPSS Score: 0.08%

SSVC Exploitation: none

Source: CVE
April 9th, 2025 (8 days ago)

CVE-2025-32371

Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A URL could be crafted to the DNN ImageHandler to render text from a querystring parameter. This text would display in the resulting image, and a user who trusts the domain might think that the information is legitimate. This vulnerability is fixed in 9.13.4.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
April 9th, 2025 (8 days ago)