{
"Source": "CVE FEED",
"Title": "CVE-2025-59146 - New API has Authenticated Server-Side Request Forgery (SSRF) issue",
"Content": "CVE ID : CVE-2025-59146
Published : Oct. 9, 2025, 7:15 p.m. | 1 hour, 12 minutes ago
Description : New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. An authenticated Server-Side Request Forgery (SSRF) vulnerability exists in versions prior to 0.9.0.5. A feature within the application allows authenticated users to submit a URL for the server to process its content. The application fails to properly validate this user-supplied URL before making a server-side request. This vulnerability is not limited to image URLs and can be triggered with any link provided to the vulnerable endpoint. Since user registration is often enabled by default, any registered user can exploit this. By crafting a malicious URL, an attacker can coerce the server to send requests to arbitrary internal or external services. The vulnerability has been patched in version 0.9.0.5. The patch introduces a comprehensive, user-configurable SSRF protection module, which is enabled by default to protect server security. This new feature provides administrators with granular control over outbound requests made by the server. For users who cannot upgrade immediately, some temporary mitigation options are available. Enable new-api image processing worker (new-api-worker) and/or configure egress firewall rules.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "09 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-59146 - New API has Authenticated Server-Side Request Forgery (SSRF) issue",
"Content": "CVE ID : CVE-2025-59146
Published : Oct. 9, 2025, 7:15 p.m. | 1 hour, 12 minutes ago
Description : New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. An authenticated Server-Side Request Forgery (SSRF) vulnerability exists in versions prior to 0.9.0.5. A feature within the application allows authenticated users to submit a URL for the server to process its content. The application fails to properly validate this user-supplied URL before making a server-side request. This vulnerability is not limited to image URLs and can be triggered with any link provided to the vulnerable endpoint. Since user registration is often enabled by default, any registered user can exploit this. By crafting a malicious URL, an attacker can coerce the server to send requests to arbitrary internal or external services. The vulnerability has been patched in version 0.9.0.5. The patch introduces a comprehensive, user-configurable SSRF protection module, which is enabled by default to protect server security. This new feature provides administrators with granular control over outbound requests made by the server. For users who cannot upgrade immediately, some temporary mitigation options are available. Enable new-api image processing worker (new-api-worker) and/or configure egress firewall rules.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "09 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11552 - code-projects Online Complaint Site category.php sql injection",
"Content": "CVE ID : CVE-2025-11552
Published : Oct. 9, 2025, 7:15 p.m. | 1 hour, 12 minutes ago
Description : A vulnerability was identified in code-projects Online Complaint Site 1.0. This impacts an unknown function of the file /admin/category.php. Such manipulation of the argument Category leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "09 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11552 - code-projects Online Complaint Site category.php sql injection",
"Content": "CVE ID : CVE-2025-11552
Published : Oct. 9, 2025, 7:15 p.m. | 1 hour, 12 minutes ago
Description : A vulnerability was identified in code-projects Online Complaint Site 1.0. This impacts an unknown function of the file /admin/category.php. Such manipulation of the argument Category leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "09 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-60267 - Apache xckk SQL Injection Vulnerability",
"Content": "CVE ID : CVE-2025-60267
Published : Oct. 9, 2025, 6:15 p.m. | 2 hours, 11 minutes ago
Description : In xckk v9.6, there is a SQL injection vulnerability in which the cond parameter in notice/list is not securely filtered, resulting in a SQL injection vulnerability.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "09 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-60267 - Apache xckk SQL Injection Vulnerability",
"Content": "CVE ID : CVE-2025-60267
Published : Oct. 9, 2025, 6:15 p.m. | 2 hours, 11 minutes ago
Description : In xckk v9.6, there is a SQL injection vulnerability in which the cond parameter in notice/list is not securely filtered, resulting in a SQL injection vulnerability.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "09 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-61928 - Better Auth: Unauthenticated API key creation through api-key plugin",
"Content": "CVE ID : CVE-2025-61928
Published : Oct. 9, 2025, 9:24 p.m. | 1 hour, 5 minutes ago
Description : Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges. Version 1.3.26 contains a patch for the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-61928 - Better Auth: Unauthenticated API key creation through api-key plugin",
"Content": "CVE ID : CVE-2025-61928
Published : Oct. 9, 2025, 9:24 p.m. | 1 hour, 5 minutes ago
Description : Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges. Version 1.3.26 contains a patch for the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-61926 - Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret",
"Content": "CVE ID : CVE-2025-61926
Published : Oct. 9, 2025, 9:20 p.m. | 1 hour, 9 minutes ago
Description : Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstarโs Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. All Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. Those who have not enabled or exposed the Reviewbot endpoint are not exposed to this issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-61926 - Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret",
"Content": "CVE ID : CVE-2025-61926
Published : Oct. 9, 2025, 9:20 p.m. | 1 hour, 9 minutes ago
Description : Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstarโs Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. All Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. Those who have not enabled or exposed the Reviewbot endpoint are not exposed to this issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-61783 - Python Social Auth - Django has unsafe account association",
"Content": "CVE ID : CVE-2025-61783
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-61783 - Python Social Auth - Django has unsafe account association",
"Content": "CVE ID : CVE-2025-61783
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-62240 - Liferay Portal Liferay DXP Calendar XSS Vulnerability",
"Content": "CVE ID : CVE-2025-62240
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a userโs (1) First Name, (2) Middle Name or (3) Last Name text field.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-62240 - Liferay Portal Liferay DXP Calendar XSS Vulnerability",
"Content": "CVE ID : CVE-2025-62240
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a userโs (1) First Name, (2) Middle Name or (3) Last Name text field.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-59286 - Copilot Spoofing Vulnerability",
"Content": "CVE ID : CVE-2025-59286
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Copilot Spoofing Vulnerability
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-59286 - Copilot Spoofing Vulnerability",
"Content": "CVE ID : CVE-2025-59286
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Copilot Spoofing Vulnerability
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-60375 - Perfex CRM Authentication Bypass Vulnerability",
"Content": "CVE ID : CVE-2025-60375
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in the login request, an attacker can gain unauthorized access to user accounts, including administrative accounts, without providing valid credentials.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-60375 - Perfex CRM Authentication Bypass Vulnerability",
"Content": "CVE ID : CVE-2025-60375
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in the login request, an attacker can gain unauthorized access to user accounts, including administrative accounts, without providing valid credentials.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-61601 - BigBlueButton vulnerable to DoS via PollSubmitVote GraphQL mutation",
"Content": "CVE ID : CVE-2025-61601
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting โ and potentially all meetings on the server โ to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-61601 - BigBlueButton vulnerable to DoS via PollSubmitVote GraphQL mutation",
"Content": "CVE ID : CVE-2025-61601
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting โ and potentially all meetings on the server โ to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-61602 - BigBlueButton vulnerable to Chat DoS via invalid reactionEmojiId",
"Content": "CVE ID : CVE-2025-61602
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation `chatSendMessageReaction`. Version 3.0.13 contains a patch. No known workarounds are available.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-61602 - BigBlueButton vulnerable to Chat DoS via invalid reactionEmojiId",
"Content": "CVE ID : CVE-2025-61602
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation `chatSendMessageReaction`. Version 3.0.13 contains a patch. No known workarounds are available.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-61773 - pyLoad CNL and captcha handlers allow code Injection via unsanitized parameters",
"Content": "CVE ID : CVE-2025-61773
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted. user-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow. CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests. Version 0.5.0b3.dev91 contains a patch for the issue.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-61773 - pyLoad CNL and captcha handlers allow code Injection via unsanitized parameters",
"Content": "CVE ID : CVE-2025-61773
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted. user-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow. CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests. Version 0.5.0b3.dev91 contains a patch for the issue.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-61779 - Trustee's attestation-policy endpoint is not protected by admin autentication",
"Content": "CVE ID : CVE-2025-61779
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Confidential Containers's Trustee project contains tools and components for attesting confidential guests and providing secrets to them. In versions prior to 0.15.0, the attestation-policy endpoint didn't check if the kbs-client submitting the request was actually authenticated (had the right key). This allowed any kbs-client to actually change the attestation policy. Version 0.15.0 fixes the issue.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-61779 - Trustee's attestation-policy endpoint is not protected by admin autentication",
"Content": "CVE ID : CVE-2025-61779
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Confidential Containers's Trustee project contains tools and components for attesting confidential guests and providing secrets to them. In versions prior to 0.15.0, the attestation-policy endpoint didn't check if the kbs-client submitting the request was actually authenticated (had the right key). This allowed any kbs-client to actually change the attestation policy. Version 0.15.0 fixes the issue.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-59246 - Azure Entra ID Elevation of Privilege Vulnerability",
"Content": "CVE ID : CVE-2025-59246
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Azure Entra ID Elevation of Privilege Vulnerability
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-59246 - Azure Entra ID Elevation of Privilege Vulnerability",
"Content": "CVE ID : CVE-2025-59246
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Azure Entra ID Elevation of Privilege Vulnerability
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-59247 - Azure PlayFab Elevation of Privilege Vulnerability",
"Content": "CVE ID : CVE-2025-59247
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Azure PlayFab Elevation of Privilege Vulnerability
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-59247 - Azure PlayFab Elevation of Privilege Vulnerability",
"Content": "CVE ID : CVE-2025-59247
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Azure PlayFab Elevation of Privilege Vulnerability
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-59271 - Redis Enterprise Elevation of Privilege Vulnerability",
"Content": "CVE ID : CVE-2025-59271
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Redis Enterprise Elevation of Privilege Vulnerability
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-59271 - Redis Enterprise Elevation of Privilege Vulnerability",
"Content": "CVE ID : CVE-2025-59271
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Redis Enterprise Elevation of Privilege Vulnerability
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-59272 - Copilot Spoofing Vulnerability",
"Content": "CVE ID : CVE-2025-59272
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Copilot Spoofing Vulnerability
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-59272 - Copilot Spoofing Vulnerability",
"Content": "CVE ID : CVE-2025-59272
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Copilot Spoofing Vulnerability
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-59218 - Azure Entra ID Elevation of Privilege Vulnerability",
"Content": "CVE ID : CVE-2025-59218
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Azure Entra ID Elevation of Privilege Vulnerability
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-59218 - Azure Entra ID Elevation of Privilege Vulnerability",
"Content": "CVE ID : CVE-2025-59218
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Azure Entra ID Elevation of Privilege Vulnerability
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-59252 - M365 Copilot Spoofing Vulnerability",
"Content": "CVE ID : CVE-2025-59252
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : M365 Copilot Spoofing Vulnerability
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-59252 - M365 Copilot Spoofing Vulnerability",
"Content": "CVE ID : CVE-2025-59252
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : M365 Copilot Spoofing Vulnerability
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-35059 - Newforma Info Exchange (NIX) open URL redirect via /DownloadWeb/hyperlinkredirect.aspx",
"Content": "CVE ID : CVE-2025-35059
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Newforma Info Exchange (NIX) '/DownloadWeb/hyperlinkredirect.aspx' provides an unauthenticated URL redirect via the 'nhl' parameter.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-35059 - Newforma Info Exchange (NIX) open URL redirect via /DownloadWeb/hyperlinkredirect.aspx",
"Content": "CVE ID : CVE-2025-35059
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Newforma Info Exchange (NIX) '/DownloadWeb/hyperlinkredirect.aspx' provides an unauthenticated URL redirect via the 'nhl' parameter.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-35060 - Newforma Info Exchange (NIX) stored XSS via SVG file upload",
"Content": "CVE ID : CVE-2025-35060
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Newforma Info Exchange (NIX) provides a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files that contain JavaScript or other content that may be executed or rendered by a web browser using a mobile user agent.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-35060 - Newforma Info Exchange (NIX) stored XSS via SVG file upload",
"Content": "CVE ID : CVE-2025-35060
Published : Oct. 9, 2025, 9:15 p.m. | 1 hour, 14 minutes ago
Description : Newforma Info Exchange (NIX) provides a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files that contain JavaScript or other content that may be executed or rendered by a web browser using a mobile user agent.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "10 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น