Threat and Vulnerability Intelligence Database

Description: Microsoft announced in Berlin today a new European Security Program that promises to bolster cybersecurity for European governments. [...]
Source: BleepingComputer
June 4th, 2025 (5 days ago)

CVE-2025-5607

Description: A vulnerability was found in Tenda AC18 15.03.05.05. It has been rated as critical. This issue affects the function formSetPPTPUserList of the file /goform/setPptpUserList. The manipulation of the argument `list` leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS: HIGH (8.7)

EPSS Score: 0.05%

Source: CVE
June 4th, 2025 (5 days ago)

CVE-2025-5606

Description: A vulnerability was found in Tenda AC18 15.03.05.05. It has been declared as critical. This vulnerability affects the function formSetIptv of the file /goform/SetIPTVCfg. The manipulation of the argument `list` leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS: MEDIUM (6.3)

EPSS Score: 2.94%

SSVC Exploitation: poc

Source: CVE
June 4th, 2025 (5 days ago)

CVE-2025-48935

Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to version 2.2.5, it is possible to bypass Deno's read/write database permission check by using an `ATTACH DATABASE` statement. Version 2.2.5 contains a patch for the issue.

CVSS: MEDIUM (5.5)

EPSS Score: 0.04%

Source: CVE
June 4th, 2025 (5 days ago)

CVE-2025-48934

Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. The documentation of the `--deny-env` option might give the false impression that variables listed in the option are impossible to read. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the `Deno.env.toObject()` method. Versions 2.1.13 and 2.2.13 contain a patch.

CVSS: MEDIUM (5.5)

EPSS Score: 0.05%

SSVC Exploitation: poc

Source: CVE
June 4th, 2025 (5 days ago)

CVE-2025-48888

Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in read access being allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch.

CVSS: MEDIUM (5.5)

EPSS Score: 0.04%

SSVC Exploitation: poc

Source: CVE
June 4th, 2025 (5 days ago)

CVE-2025-46204

Description: An issue in Unifiedtransform v2.0 allows a remote attacker to escalate privileges via the /course/edit/{id} endpoint.

EPSS Score: 0.01%

Source: CVE
June 4th, 2025 (5 days ago)

CVE-2025-46203

Description: An issue in Unifiedtransform v2.0 allows a remote attacker to escalate privileges via the /students/edit/{id} endpoint.

CVSS: MEDIUM (6.5)

EPSS Score: 0.01%

Source: CVE
June 4th, 2025 (5 days ago)

CVE-2025-46011

Description: Listmonk v2.4.0 through v4.1.0 is vulnerable to SQL Injection in the QuerySubscribers function which allows attackers to escalate privileges.

EPSS Score: 0.03%

Source: CVE
June 4th, 2025 (5 days ago)

CVE-2025-31482

Description: FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively causing that user to suffer denial of service. Version 1.26.2 contains a patch for the issue.

CVSS: MEDIUM (4.3)

EPSS Score: 0.02%

Source: CVE
June 4th, 2025 (5 days ago)