Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-24909 |
Description: Overview
The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.
Impact
Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.
CVSS: MEDIUM (4.4) EPSS Score: 0.03%
April 16th, 2025 (5 days ago)
|
|
CVE-2025-24908 |
Description: Overview
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35)
Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the UploadFile service.
Impact
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
CVSS: MEDIUM (6.8) EPSS Score: 0.04%
April 16th, 2025 (5 days ago)
|
|
CVE-2025-24907 |
Description: Overview
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35)
Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the CGG Draw API.
Impact
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
CVSS: MEDIUM (6.8) EPSS Score: 0.03%
April 16th, 2025 (5 days ago)
|
|
CVE-2025-0758 |
Description: Overview
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (CWE-732)
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, is installed with Karaf JMX beans enabled and accessible by default.
Impact
When the vulnerability is leveraged, a user with local execution privileges can access functionality exposed by Karaf beans contained in the product.
CVSS: MEDIUM (6.1) EPSS Score: 0.01%
April 16th, 2025 (5 days ago)
|
|
CVE-2025-0757 |
Description: Overview
The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.
Impact
Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.
CVSS: MEDIUM (4.4) EPSS Score: 0.03%
April 16th, 2025 (5 days ago)
|
|
CVE-2025-0756 |
Description: Overview
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)
Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources.
Impact
An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.
CVSS: CRITICAL (9.1) EPSS Score: 0.23%
April 16th, 2025 (5 days ago)
|
|
CVE-2025-43703 |
Description: An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists because of an incomplete fix for CVE-2024-32484.
CVSS: MEDIUM (6.1) EPSS Score: 0.03%
April 16th, 2025 (5 days ago)
|
|
CVE-2025-3730 |
Description: A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is 46fc5d8e360127361211cb237d5f9eef0223e567. It is recommended to apply a patch to fix this issue. Es wurde eine Schwachstelle in PyTorch 2.6.0 gefunden. Sie wurde als problematisch eingestuft. Hiervon betroffen ist die Funktion torch.nn.functional.ctc_loss der Datei aten/src/ATen/native/LossCTC.cpp. Mit der Manipulation mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Der Angriff hat dabei lokal zu erfolgen. Der Exploit steht zur öffentlichen Verfügung. Der Patch wird als 46fc5d8e360127361211cb237d5f9eef0223e567 bezeichnet. Als bestmögliche Massnahme wird Patching empfohlen.
CVSS: MEDIUM (4.8) EPSS Score: 0.01%
April 16th, 2025 (5 days ago)
|
|
CVE-2025-3729 |
Description: A vulnerability, which was classified as critical, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. This issue affects some unknown processing of the file backup.php of the component Database Backup Handler. The manipulation of the argument txtdbname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Eine Schwachstelle wurde in SourceCodester Web-based Pharmacy Product Management System 1.0 entdeckt. Sie wurde als kritisch eingestuft. Davon betroffen ist unbekannter Code der Datei backup.php der Komponente Database Backup Handler. Dank Manipulation des Arguments txtdbname mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
CVSS: MEDIUM (6.9) EPSS Score: 1.31%
April 16th, 2025 (5 days ago)
|
|
CVE-2025-32791 |
Description: The Backstage Scaffolder plugin houses types and utilities for building scaffolder-related modules. A vulnerability in the Backstage permission plugin backend allows callers to extract some information about the conditional decisions returned by the permission policy installed in the permission backend. If the permission system is not in use or if the installed permission policy does not use conditional decisions, there is no impact. This issue has been patched in version 0.6.0 of the permissions backend. A workaround includes having administrators of the permission policies ensure that they are crafted in such a way that conditional decisions do not contain any sensitive information.
CVSS: MEDIUM (4.3) EPSS Score: 0.02%
April 16th, 2025 (5 days ago)
|