CVE-2025-20366 - Improper Access Control in Background Job Submission in Splunk Enterprise
CVE ID : CVE-2025-20366
Published : Oct. 1, 2025, 4:07 p.m. | 1 hour, 5 minutes ago
Description : In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low privileged user guesses the search job’s unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results. For more information see https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/about-jobs-and-job-management and https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/manage-search-jobs.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20366
Published : Oct. 1, 2025, 4:07 p.m. | 1 hour, 5 minutes ago
Description : In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low privileged user guesses the search job’s unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results. For more information see https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/about-jobs-and-job-management and https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/manage-search-jobs.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-20370 - Denial of Service (DoS) through Multiple LDAP Bind Requests in Splunk Enterprise
CVE ID : CVE-2025-20370
Published : Oct. 1, 2025, 4:07 p.m. | 1 hour, 5 minutes ago
Description : In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20370
Published : Oct. 1, 2025, 4:07 p.m. | 1 hour, 5 minutes ago
Description : In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-20367 - Reflected Cross-site Scripting (XSS) in '/app/search/table' endpoint through the 'dataset.command' parameter on Splunk Enterprise
CVE ID : CVE-2025-20367
Published : Oct. 1, 2025, 4:08 p.m. | 1 hour, 5 minutes ago
Description : In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user.
Severity: 5.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20367
Published : Oct. 1, 2025, 4:08 p.m. | 1 hour, 5 minutes ago
Description : In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user.
Severity: 5.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-20371 - Unauthenticated Blind Server Side Request Forgery (SSRF) in Splunk Enterprise
CVE ID : CVE-2025-20371
Published : Oct. 1, 2025, 4:08 p.m. | 1 hour, 5 minutes ago
Description : In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20371
Published : Oct. 1, 2025, 4:08 p.m. | 1 hour, 5 minutes ago
Description : In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-20368 - Stored Cross-Site Scripting (XSS) through missing field warning messages in Saved Search and Job Inspector on Splunk Enterprise
CVE ID : CVE-2025-20368
Published : Oct. 1, 2025, 4:08 p.m. | 1 hour, 5 minutes ago
Description : In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user.
Severity: 5.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20368
Published : Oct. 1, 2025, 4:08 p.m. | 1 hour, 5 minutes ago
Description : In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user.
Severity: 5.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-20361 - Cisco Unified Communications Manager Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-20361
Published : Oct. 1, 2025, 4:12 p.m. | 1 hour ago
Description : A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20361
Published : Oct. 1, 2025, 4:12 p.m. | 1 hour ago
Description : A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-20356 - Cisco CyberVision Center Sensor Explorer Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-20356
Published : Oct. 1, 2025, 4:12 p.m. | 1 hour ago
Description : A vulnerability in the web-based management interface of Cisco Cyber Vision Center could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials that allow access to the Sensor Explorer page. By default, Admin and Product user roles have this access, as do any custom users that are configued to allow access to the Sensors page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20356
Published : Oct. 1, 2025, 4:12 p.m. | 1 hour ago
Description : A vulnerability in the web-based management interface of Cisco Cyber Vision Center could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials that allow access to the Sensor Explorer page. By default, Admin and Product user roles have this access, as do any custom users that are configued to allow access to the Sensors page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-20357 - Cisco CyberVision Center Reports Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-20357
Published : Oct. 1, 2025, 4:12 p.m. | 1 hour ago
Description : A vulnerability in the web-based management interface of Cisco Cyber Vision Center could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials that allow access to the Reports page. By default, all pre-defined users have this access, as do any custom users that are configured to allow access to the Reports page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20357
Published : Oct. 1, 2025, 4:12 p.m. | 1 hour ago
Description : A vulnerability in the web-based management interface of Cisco Cyber Vision Center could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials that allow access to the Reports page. By default, all pre-defined users have this access, as do any custom users that are configured to allow access to the Reports page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2023-50301 - IBM Transformation Extender Advanced information disclosure
CVE ID : CVE-2023-50301
Published : Oct. 1, 2025, 4:15 p.m. | 57 minutes ago
Description : IBM Transformation Extender Advanced 10.0.1 stores potentially sensitive information in log files that could be read by a local user.
Severity: 1.9 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2023-50301
Published : Oct. 1, 2025, 4:15 p.m. | 57 minutes ago
Description : IBM Transformation Extender Advanced 10.0.1 stores potentially sensitive information in log files that could be read by a local user.
Severity: 1.9 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56514 - Fiora Chat Application SVG File XSS Vulnerability
CVE ID : CVE-2025-56514
Published : Oct. 1, 2025, 4:15 p.m. | 57 minutes ago
Description : Cross Site Scripting (XSS) vulnerability in Fiora chat application 1.0.0 allows executes arbitrary JavaScript when malicious SVG files are rendered by other users.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56514
Published : Oct. 1, 2025, 4:15 p.m. | 57 minutes ago
Description : Cross Site Scripting (XSS) vulnerability in Fiora chat application 1.0.0 allows executes arbitrary JavaScript when malicious SVG files are rendered by other users.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56515 - Fiora Chat Application SVG File Upload Code Execution Vulnerability
CVE ID : CVE-2025-56515
Published : Oct. 1, 2025, 4:15 p.m. | 57 minutes ago
Description : File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions, cookies, and perform unauthorized actions in the context of users viewing affected profiles.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56515
Published : Oct. 1, 2025, 4:15 p.m. | 57 minutes ago
Description : File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions, cookies, and perform unauthorized actions in the context of users viewing affected profiles.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11233 - Rust standard library didn't detect all path separators on Cygwin
CVE ID : CVE-2025-11233
Published : Oct. 1, 2025, 4:49 p.m. | 23 minutes ago
Description : Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations. Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target. While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11233
Published : Oct. 1, 2025, 4:49 p.m. | 23 minutes ago
Description : Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations. Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target. While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-34182 - Deciso OPNsense < 25.7.4 /interfaces_ppps_edit.php ptpid Stored XSS
CVE ID : CVE-2025-34182
Published : Oct. 1, 2025, 5:15 p.m. | 3 hours, 57 minutes ago
Description : In Deciso OPNsense before 25.7.4, when creating an "Interfaces: Devices: Point-to-Point" entry, the value of the parameter ptpid is not sanitized of HTML-related characters/strings. This value is directly displayed when visiting the page/interfaces_assign.php, which can result in stored cross-site scripting. The attacker must be authenticated with at-least "Interfaces: PPPs: Edit" permission. This vulnerability has been addressed by the vendor in the product release notes as "ui: legacy_html_escape_form_data() was not escaping keys only data elements."
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-34182
Published : Oct. 1, 2025, 5:15 p.m. | 3 hours, 57 minutes ago
Description : In Deciso OPNsense before 25.7.4, when creating an "Interfaces: Devices: Point-to-Point" entry, the value of the parameter ptpid is not sanitized of HTML-related characters/strings. This value is directly displayed when visiting the page/interfaces_assign.php, which can result in stored cross-site scripting. The attacker must be authenticated with at-least "Interfaces: PPPs: Edit" permission. This vulnerability has been addressed by the vendor in the product release notes as "ui: legacy_html_escape_form_data() was not escaping keys only data elements."
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61596 - Apache Kafka Deserialization RCE
CVE ID : CVE-2025-61596
Published : Oct. 1, 2025, 5:15 p.m. | 3 hours, 57 minutes ago
Description : Rejected reason: This is a fork and is not in the Rust registry.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61596
Published : Oct. 1, 2025, 5:15 p.m. | 3 hours, 57 minutes ago
Description : Rejected reason: This is a fork and is not in the Rust registry.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-57494 - Neto E-Commerce CMS Cross-Site Scripting Privilege Escalation
CVE ID : CVE-2024-57494
Published : Oct. 1, 2025, 6:15 p.m. | 2 hours, 57 minutes ago
Description : Cross Site Scripting vulnerability in Neto E-Commerce CMS v.6.313.0 through v.6.3115 allows a remote attacker to escalate privileges via the kw parameter.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-57494
Published : Oct. 1, 2025, 6:15 p.m. | 2 hours, 57 minutes ago
Description : Cross Site Scripting vulnerability in Neto E-Commerce CMS v.6.313.0 through v.6.3115 allows a remote attacker to escalate privileges via the kw parameter.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-28357 - Neto CMS CRLF Injection Vulnerability
CVE ID : CVE-2025-28357
Published : Oct. 1, 2025, 6:15 p.m. | 2 hours, 57 minutes ago
Description : A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted HTTP request.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-28357
Published : Oct. 1, 2025, 6:15 p.m. | 2 hours, 57 minutes ago
Description : A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted HTTP request.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-57393 - Kissflow Work Platform Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-57393
Published : Oct. 1, 2025, 6:15 p.m. | 2 hours, 57 minutes ago
Description : A stored cross-site scripting (XSS) in Kissflow Work Platform Kissflow Application Versions 7337 Account v2.0 to v4.2vallows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-57393
Published : Oct. 1, 2025, 6:15 p.m. | 2 hours, 57 minutes ago
Description : A stored cross-site scripting (XSS) in Kissflow Work Platform Kissflow Application Versions 7337 Account v2.0 to v4.2vallows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60991 - Codazon Magento Themes Reflected Cross-Site Scripting (XSS)
CVE ID : CVE-2025-60991
Published : Oct. 1, 2025, 6:15 p.m. | 2 hours, 57 minutes ago
Description : A reflected cross-site scripted (XSS) vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload injected into the cat parameter.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60991
Published : Oct. 1, 2025, 6:15 p.m. | 2 hours, 57 minutes ago
Description : A reflected cross-site scripted (XSS) vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload injected into the cat parameter.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-8679 - ExtremeGuest Essentials Captive Portal Unauthenticated Brute Force
CVE ID : CVE-2025-8679
Published : Oct. 1, 2025, 6:15 p.m. | 2 hours, 57 minutes ago
Description : In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials captive-portal SSID configurations, repeated manual login attempts may allow an unauthenticated device to be marked as authenticated and obtain network access. Client360 logs may display the client MAC as the username despite no MAC-authentication being enabled.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-8679
Published : Oct. 1, 2025, 6:15 p.m. | 2 hours, 57 minutes ago
Description : In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials captive-portal SSID configurations, repeated manual login attempts may allow an unauthenticated device to be marked as authenticated and obtain network access. Client360 logs may display the client MAC as the username despite no MAC-authentication being enabled.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10578 - HP Support Assistant - Potential Escalation of Privilege
CVE ID : CVE-2025-10578
Published : Oct. 1, 2025, 7:15 p.m. | 1 hour, 57 minutes ago
Description : A potential security vulnerability has been identified in the HP Support Assistant for versions prior to 9.47.41.0. The vulnerability could potentially allow a local attacker to escalate privileges via an arbitrary file write.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10578
Published : Oct. 1, 2025, 7:15 p.m. | 1 hour, 57 minutes ago
Description : A potential security vulnerability has been identified in the HP Support Assistant for versions prior to 9.47.41.0. The vulnerability could potentially allow a local attacker to escalate privileges via an arbitrary file write.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-43718 - Poppler PDF Stack Overflow Vulnerability
CVE ID : CVE-2025-43718
Published : Oct. 1, 2025, 7:15 p.m. | 1 hour, 57 minutes ago
Description : Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-43718
Published : Oct. 1, 2025, 7:15 p.m. | 1 hour, 57 minutes ago
Description : Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...