3287 vulnerabilities

CVE-2025-11699 (GCVE-0-2025-11699)

Vulnerability from cvelistv5 – Published: 2025-12-01 15:17 – Updated: 2025-12-01 18:45
Summary
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
Impacted products
Vendor Product Version
nopSolutions nopCommerce Affected: 4.80.3 , ≤ 4.80.4 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-12-01T17:05:40.633Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/633103"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11699",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-01T18:42:12.485040Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-613",
                "description": "CWE-613 Insufficient Session Expiration",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-01T18:45:07.246Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nopCommerce",
          "vendor": "nopSolutions",
          "versions": [
            {
              "lessThanOrEqual": "4.80.4",
              "status": "affected",
              "version": "4.80.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "nopCommerce",
          "vendor": "nopSolutions",
          "versions": [
            {
              "lessThan": "4.70",
              "status": "affected",
              "version": "4.10",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a \r\na valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-613 Insufficient Session Expiration",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T15:17:57.842Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://seclists.org/fulldisclosure/2025/Aug/14"
        },
        {
          "url": "https://github.com/nopSolutions/nopCommerce/issues/7044"
        },
        {
          "url": "https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-11699",
      "x_generator": {
        "engine": "VINCE 3.0.29",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-11699"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-11699",
    "datePublished": "2025-12-01T15:17:57.842Z",
    "dateReserved": "2025-10-13T16:24:26.286Z",
    "dateUpdated": "2025-12-01T18:45:07.246Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12816 (GCVE-0-2025-12816)

Vulnerability from cvelistv5 – Published: 2025-11-25 19:15 – Updated: 2025-11-25 21:04
Summary
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Severity ?
No CVSS data available.
Impacted products
Vendor Product Version
Digital Bazaar node-forge Affected: 0 , ≤ 1.3.1 (semver)
    Digital Bazaar forge Affected: 0 , ≤ 1.3.1 (semver)
Credits
This issue was reported by Hunter Wodzenski of Palo Alto Networks

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.6,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-12816",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-25T20:21:37.225634Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-436",
                "description": "CWE-436 Interpretation Conflict",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-25T20:24:22.734Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-25T21:04:09.432Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/521113"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "node-forge",
          "vendor": "Digital Bazaar",
          "versions": [
            {
              "lessThanOrEqual": "1.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "product": "forge",
          "vendor": "Digital Bazaar",
          "versions": [
            {
              "lessThanOrEqual": "1.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was reported by Hunter Wodzenski of Palo Alto Networks"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "schemaVersion": "2.0.0",
              "selections": [
                {
                  "definition": "The present state of exploitation of the vulnerability.",
                  "key": "E",
                  "name": "Exploitation",
                  "namespace": "ssvc",
                  "values": [
                    {
                      "key": "P",
                      "name": "Public PoC"
                    }
                  ],
                  "version": "1.1.0"
                },
                {
                  "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
                  "key": "A",
                  "name": "Automatable",
                  "namespace": "ssvc",
                  "values": [
                    {
                      "key": "N",
                      "name": "No"
                    }
                  ],
                  "version": "2.0.0"
                },
                {
                  "definition": "The technical impact of the vulnerability.",
                  "key": "TI",
                  "name": "Technical Impact",
                  "namespace": "ssvc",
                  "values": [
                    {
                      "key": "P",
                      "name": "Partial"
                    }
                  ],
                  "version": "1.0.0"
                }
              ],
              "timestamp": "2025-11-07T15:47:01.238Z"
            },
            "type": "ssvcV2_0_0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-436 Interpretation Conflict",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-25T19:29:31.487Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.npmjs.com/package/node-forge"
        },
        {
          "url": "https://github.com/digitalbazaar/forge/pull/1124"
        },
        {
          "url": "https://github.com/digitalbazaar/forge"
        },
        {
          "name": "CERT/CC Vulnerability Notice",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://kb.cert.org/vuls/id/521113"
        },
        {
          "name": "Github Security Advisory",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CVE-2025-12816",
      "x_generator": {
        "engine": "VINCE 3.0.29",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12816"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-12816",
    "datePublished": "2025-11-25T19:15:50.243Z",
    "dateReserved": "2025-11-06T17:11:38.255Z",
    "dateUpdated": "2025-11-25T21:04:09.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12978 (GCVE-0-2025-12978)

Vulnerability from cvelistv5 – Published: 2025-11-24 14:42 – Updated: 2025-11-28 17:46
Summary
Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation.
CWE
  • CWE-187 - Partial String Comparison

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-12978",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T15:29:03.000953Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T15:29:06.000Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Fluent Bit",
          "vendor": "FluentBit",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.14"
            }
          ]
        },
        {
          "product": "Fluent Bit",
          "vendor": "FluentBit",
          "versions": [
            {
              "status": "affected",
              "version": "4.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-187: Partial String Comparison",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-28T17:46:39.028Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://fluentbit.io/announcements/v4.1.0/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-12978",
      "x_generator": {
        "engine": "VINCE 3.0.29",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12978"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-12978",
    "datePublished": "2025-11-24T14:42:06.305Z",
    "dateReserved": "2025-11-10T18:57:32.141Z",
    "dateUpdated": "2025-11-28T17:46:39.028Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12969 (GCVE-0-2025-12969)

Vulnerability from cvelistv5 – Published: 2025-11-24 14:41 – Updated: 2025-11-28 17:46
Summary
Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By bypassing authentication controls, attackers can inject forged log records, flood alerting systems, or manipulate routing decisions, compromising the authenticity and integrity of ingested logs.
CWE
  • CWE-306 - Missing Authentication for Critical Function

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-12969",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T18:02:22.489781Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T18:02:26.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Fluent Bit",
          "vendor": "FluentBit",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.14"
            }
          ]
        },
        {
          "product": "Fluent Bit",
          "vendor": "FluentBit",
          "versions": [
            {
              "status": "affected",
              "version": "4.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By bypassing authentication controls, attackers can inject forged log records, flood alerting systems, or manipulate routing decisions, compromising the authenticity and integrity of ingested logs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-28T17:46:16.845Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/"
        },
        {
          "url": "https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-12969",
      "x_generator": {
        "engine": "VINCE 3.0.29",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12969"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-12969",
    "datePublished": "2025-11-24T14:41:05.630Z",
    "dateReserved": "2025-11-10T17:53:38.234Z",
    "dateUpdated": "2025-11-28T17:46:16.845Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12972 (GCVE-0-2025-12972)

Vulnerability from cvelistv5 – Published: 2025-11-24 14:40 – Updated: 2025-11-28 17:45
Summary
Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-12972",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T19:09:06.151697Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T19:09:14.319Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Fluent Bit",
          "vendor": "FluentBit",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.14"
            }
          ]
        },
        {
          "product": "Fluent Bit",
          "vendor": "FluentBit",
          "versions": [
            {
              "status": "affected",
              "version": "4.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-35: Path Traversal",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-28T17:45:25.345Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover"
        },
        {
          "url": "https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-12972",
      "x_generator": {
        "engine": "VINCE 3.0.29",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12972"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-12972",
    "datePublished": "2025-11-24T14:40:36.275Z",
    "dateReserved": "2025-11-10T18:00:22.449Z",
    "dateUpdated": "2025-11-28T17:45:25.345Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12977 (GCVE-0-2025-12977)

Vulnerability from cvelistv5 – Published: 2025-11-24 14:40 – Updated: 2025-11-28 17:45
Summary
Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing.
CWE
  • CWE-187 - Partial String Comparison

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-12977",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T19:12:43.890288Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1287",
                "description": "CWE-1287 Improper Validation of Specified Type of Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T19:14:10.912Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Fluent Bit",
          "vendor": "FluentBit",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.14"
            }
          ]
        },
        {
          "product": "Fluent Bit",
          "vendor": "FluentBit",
          "versions": [
            {
              "status": "affected",
              "version": "4.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-187: Partial String Comparison",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-28T17:45:09.423Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/"
        },
        {
          "url": "https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-12977",
      "x_generator": {
        "engine": "VINCE 3.0.29",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12977"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-12977",
    "datePublished": "2025-11-24T14:40:12.642Z",
    "dateReserved": "2025-11-10T18:57:07.686Z",
    "dateUpdated": "2025-11-28T17:45:09.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12970 (GCVE-0-2025-12970)

Vulnerability from cvelistv5 – Published: 2025-11-24 14:39 – Updated: 2025-11-28 17:45
Summary
The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names can supply a long name that overflows the buffer, leading to process crash or arbitrary code execution.
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
Impacted products

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-12970",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T16:59:58.423891Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T17:00:03.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Fluent Bit",
          "vendor": "FluentBit",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.14"
            }
          ]
        },
        {
          "product": "Fluent Bit",
          "vendor": "FluentBit",
          "versions": [
            {
              "status": "affected",
              "version": "4.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names, can supply a long name that overflows the buffer, leading to process crash or arbitrary code execution."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-28T17:45:48.338Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/"
        },
        {
          "url": "https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-12970",
      "x_generator": {
        "engine": "VINCE 3.0.29",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12970"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-12970",
    "datePublished": "2025-11-24T14:39:52.569Z",
    "dateReserved": "2025-11-10T17:54:00.525Z",
    "dateUpdated": "2025-11-28T17:45:48.338Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12121 (GCVE-0-2025-12121)

Vulnerability from cvelistv5 – Published: 2025-11-20 16:39 – Updated: 2025-11-20 18:10
Summary
Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.
Assigner
Impacted products
Vendor: Lite XL | Product: Lite XL | Version: Affected: 2.1.8 and earlier

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-12121",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-20T18:09:54.009033Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-20T18:10:14.597Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lite XL",
          "vendor": "Lite XL",
          "versions": [
            {
              "status": "affected",
              "version": "2.1.8 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the \u201copen in system\u201d command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T17:05:35.524Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://github.com/lite-xl/lite-xl/pull/2163"
        },
        {
          "url": "https://kb.cert.org/vuls/id/579478"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-12121",
      "x_generator": {
        "engine": "VINCE 3.0.29",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12121"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-12121",
    "datePublished": "2025-11-20T16:39:05.297Z",
    "dateReserved": "2025-10-23T18:11:28.957Z",
    "dateUpdated": "2025-11-20T18:10:14.597Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12120 (GCVE-0-2025-12120)

Vulnerability from cvelistv5 – Published: 2025-11-20 16:38 – Updated: 2025-11-20 18:09
Summary
Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.
Assigner
Impacted products
Vendor: Lite XL | Product: Lite XL | Version: Affected: 2.1.8 and earlier

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-12120",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-20T18:09:43.235043Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-20T18:09:45.449Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lite XL",
          "vendor": "Lite XL",
          "versions": [
            {
              "status": "affected",
              "version": "2.1.8 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T16:52:31.931Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://github.com/lite-xl/lite-xl/pull/2164"
        },
        {
          "url": "https://kb.cert.org/vuls/id/579478"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-12120",
      "x_generator": {
        "engine": "VINCE 3.0.29",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12120"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-12120",
    "datePublished": "2025-11-20T16:38:29.108Z",
    "dateReserved": "2025-10-23T18:11:16.473Z",
    "dateUpdated": "2025-11-20T18:09:45.449Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13204 (GCVE-0-2025-13204)

Vulnerability from cvelistv5 – Published: 2025-11-14 17:02 – Updated: 2025-11-14 20:41
Summary
npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor: silentmatt | Product: expr-eval | Version: Affected: 0, ≤ 2.0.2 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13204",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-14T20:36:54.382508Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1321",
                "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-14T20:41:22.990Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "expr-eval",
          "vendor": "silentmatt",
          "versions": [
            {
              "lessThanOrEqual": "2.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "schemaVersion": "2.0.0",
              "selections": [
                {
                  "definition": "The present state of exploitation of the vulnerability.",
                  "key": "E",
                  "name": "Exploitation",
                  "namespace": "ssvc",
                  "values": [
                    {
                      "key": "P",
                      "name": "Public PoC"
                    }
                  ],
                  "version": "1.1.0"
                },
                {
                  "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
                  "key": "A",
                  "name": "Automatable",
                  "namespace": "ssvc",
                  "values": [
                    {
                      "key": "Y",
                      "name": "Yes"
                    }
                  ],
                  "version": "2.0.0"
                },
                {
                  "definition": "The technical impact of the vulnerability.",
                  "key": "TI",
                  "name": "Technical Impact",
                  "namespace": "ssvc",
                  "values": [
                    {
                      "key": "T",
                      "name": "Total"
                    }
                  ],
                  "version": "1.0.0"
                }
              ],
              "timestamp": "2025-11-07T15:47:01.238Z"
            },
            "type": "ssvcV2_0_0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-14T20:20:20.104Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.npmjs.com/package/expr-eval-fork"
        },
        {
          "url": "https://github.com/silentmatt/expr-eval"
        },
        {
          "url": "https://github.com/jorenbroekema/expr-eval"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.huntr.dev/bounties/1-npm-expr-eval/"
        },
        {
          "url": "https://github.com/SECCON/SECCON2022_final_CTF/blob/main/jeopardy/web/babybox/solver/solver.py"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/silentmatt/expr-eval/pull/252/files"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.py"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CVE-2025-13204",
      "x_generator": {
        "engine": "VINCE 3.0.28",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-13204"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-13204",
    "datePublished": "2025-11-14T17:02:39.529Z",
    "dateReserved": "2025-11-14T16:52:35.957Z",
    "dateUpdated": "2025-11-14T20:41:22.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12735 (GCVE-0-2025-12735)

Vulnerability from cvelistv5 – Published: 2025-11-05 00:22 – Updated: 2025-11-22 23:45
Summary
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution.
Severity
No CVSS data available.
CWE
  • CWE-94 - Improper Control of Generation of Code (‘Code Injection’)
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’)
Assigner
Impacted products
Vendor: silentmatt | Product: expr-eval | Version: Affected: 0, ≤ 2.0.2 (semver)
Credits
This issue was reported by Jangwoo Choe (UKO).
Patch validation assistance provided by GitHub user huydoppaz.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-12735",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-10T14:06:48.027568Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-10T14:07:11.995Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/jorenbroekema/expr-eval/blob/460b820ba01c5aca6c5d84a7d4f1fa5d1913c67b/test/security.js"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-08T00:11:55.078Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/263614"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "expr-eval",
          "vendor": "silentmatt",
          "versions": [
            {
              "lessThanOrEqual": "2.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "product": "expr-eval-fork",
          "vendor": "expr-eval-fork",
          "versions": [
            {
              "lessThanOrEqual": "3.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was reported by Jangwoo Choe (UKO)"
        },
        {
          "lang": "en",
          "type": "remediation verifier",
          "value": "Patch validation assistance provided by GitHub user huydoppaz."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "schemaVersion": "2.0.0",
              "selections": [
                {
                  "definition": "The present state of exploitation of the vulnerability.",
                  "key": "E",
                  "name": "Exploitation",
                  "namespace": "ssvc",
                  "values": [
                    {
                      "key": "P",
                      "name": "Public PoC"
                    }
                  ],
                  "version": "1.1.0"
                },
                {
                  "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
                  "key": "A",
                  "name": "Automatable",
                  "namespace": "ssvc",
                  "values": [
                    {
                      "key": "Y",
                      "name": "Yes"
                    }
                  ],
                  "version": "2.0.0"
                },
                {
                  "definition": "The technical impact of the vulnerability.",
                  "key": "TI",
                  "name": "Technical Impact",
                  "namespace": "ssvc",
                  "values": [
                    {
                      "key": "T",
                      "name": "Total"
                    }
                  ],
                  "version": "1.0.0"
                }
              ],
              "timestamp": "2025-11-07T15:47:01.238Z"
            },
            "type": "ssvcV2_0_0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-94: Improper Control of Generation of Code (\u2018Code Injection\u2019)",
              "lang": "en"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u2018Prototype Pollution\u2019)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-22T23:45:45.512Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://github.com/silentmatt/expr-eval"
        },
        {
          "url": "https://github.com/jorenbroekema/expr-eval"
        },
        {
          "url": "https://www.npmjs.com/package/expr-eval-fork"
        },
        {
          "url": "https://www.npmjs.com/package/expr-eval"
        },
        {
          "url": "https://github.com/silentmatt/expr-eval/pull/288"
        },
        {
          "name": "Github Security Advisory",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/advisories/GHSA-jc85-fpwf-qm7x"
        },
        {
          "name": "CERT/CC Advisory",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://kb.cert.org/vuls/id/263614"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CVE-2025-12735",
      "x_generator": {
        "engine": "VINCE 3.0.28",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12735"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-12735",
    "datePublished": "2025-11-05T00:22:55.297Z",
    "dateReserved": "2025-11-05T00:04:49.648Z",
    "dateUpdated": "2025-11-22T23:45:45.512Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11577 (GCVE-0-2025-11577)

Vulnerability from cvelistv5 – Published: 2025-10-14 15:34 – Updated: 2025-10-15 13:17
Summary
Clevo’s UEFI firmware update packages, including B10717.exe, inadvertently contained private signing keys used for Boot Guard and Boot Policy Manifest verification. The exposure of these keys could allow attackers to sign malicious firmware that appears trusted by affected systems, undermining the integrity of the early boot process.
Assigner
Impacted products
Vendor: Clevo | Product: Notebook System Firmware | Version: Affected: 1.07.07TRO1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "PHYSICAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.6,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11577",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T13:17:29.919651Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-15T13:17:44.736Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Notebook System Firmware",
          "vendor": "Clevo",
          "versions": [
            {
              "status": "affected",
              "version": "1.07.07TRO1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Clevo\u2019s UEFI firmware update packages, including B10717.exe, inadvertently contained private signing keys used for Boot Guard and Boot Policy Manifest verification. The exposure of these keys could allow attackers to sign malicious firmware that appears trusted by affected systems, undermining the integrity of the early boot process."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-321 Use of Hard\u2011coded Cryptographic Key",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-14T15:34:09.651Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.binarly.io/advisories/brly-2025-002"
        },
        {
          "url": "https://www.kb.cert.org/vuls/id/538470"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Clevo UEFI firmware exposed Boot Guard private keys, enabling potential abuse of the Boot Guard trust chain",
      "x_generator": {
        "engine": "VINCE 3.0.26",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-11577"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-11577",
    "datePublished": "2025-10-14T15:34:09.651Z",
    "dateReserved": "2025-10-10T02:08:14.733Z",
    "dateUpdated": "2025-10-15T13:17:44.736Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-11190 (GCVE-0-2025-11190)

Vulnerability from cvelistv5 – Published: 2025-10-10 11:03 – Updated: 2025-11-03 17:31
Summary
The Kiwire Captive Portal contains an open redirection issue via the login-url parameter, allowing an attacker to redirect users to an attacker controlled website.
Assigner
Impacted products
Vendor Product Version
Synchroweb Kiwire Affected: 3.6

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11190",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-14T20:23:20.776154Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-14T20:23:53.615Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:41.247Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/887923"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kiwire",
          "vendor": "Synchroweb",
          "versions": [
            {
              "status": "affected",
              "version": "3.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Kiwire Captive Portal contains an open redirection issue via the login-url parameter, allowing an attacker to redirect users to an attacker controlled website."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-10T11:03:33.596Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.synchroweb.com/release-notes/kiwire/security"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-11190",
      "x_generator": {
        "engine": "VINCE 3.0.26",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-11190"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-11190",
    "datePublished": "2025-10-10T11:03:33.596Z",
    "dateReserved": "2025-09-30T12:21:52.881Z",
    "dateUpdated": "2025-11-03T17:31:41.247Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11189 (GCVE-0-2025-11189)

Vulnerability from cvelistv5 – Published: 2025-10-10 11:03 – Updated: 2025-11-03 17:31
Summary
The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for Javascript execution.
Assigner
Impacted products
Vendor Product Version
Synchroweb Kiwire Affected: 3.6

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11189",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-14T20:12:50.761473Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-14T20:12:55.658Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:40.304Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/887923"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kiwire",
          "vendor": "Synchroweb",
          "versions": [
            {
              "status": "affected",
              "version": "3.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for Javascript execution."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-10T11:03:08.401Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.synchroweb.com/release-notes/kiwire/security"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-11189",
      "x_generator": {
        "engine": "VINCE 3.0.26",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-11189"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-11189",
    "datePublished": "2025-10-10T11:03:08.401Z",
    "dateReserved": "2025-09-30T12:21:44.952Z",
    "dateUpdated": "2025-11-03T17:31:40.304Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11188 (GCVE-0-2025-11188)

Vulnerability from cvelistv5 – Published: 2025-10-10 11:02 – Updated: 2025-11-03 17:31
Summary
The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing for SQL commands to be issued and to compromise the corresponding database.
Assigner
Impacted products
Vendor Product Version
Synchroweb Kiwire Affected: 3.6

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11188",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-14T20:10:49.759278Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-14T20:10:52.394Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:39.369Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/887923"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kiwire",
          "vendor": "Synchroweb",
          "versions": [
            {
              "status": "affected",
              "version": "3.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing for SQL commands to be issued and to compromise the corresponding database."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-10T11:02:46.192Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.synchroweb.com/release-notes/kiwire/security"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-11188",
      "x_generator": {
        "engine": "VINCE 3.0.26",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-11188"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-11188",
    "datePublished": "2025-10-10T11:02:46.192Z",
    "dateReserved": "2025-09-30T12:21:36.240Z",
    "dateUpdated": "2025-11-03T17:31:39.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-10547 (GCVE-0-2025-10547)

Vulnerability from cvelistv5 – Published: 2025-10-03 11:35 – Updated: 2025-11-04 22:06
Summary
An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption.
CWE
  • CWE-456 - Missing Initialization of a Variable
Assigner
Impacted products
Vendor Product Version
DrayTek Corporation Vigor1000B Affected: 0 , < 4.4.5.1 (custom)
DrayTek Corporation Vigor2962 Affected: 0 , < 4.4.5.1 (custom)
DrayTek Corporation Vigor3910 Affected: 0 , < 4.4.3.6 (custom)
DrayTek Corporation Vigor3912 Affected: 0 , < 4.4.5.1 (custom)
DrayTek Corporation Vigor2135 Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2763 Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2765 Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2766 Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2865 Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2865 LTE Series Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2865L-5G Series Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2866 Affected: 1.0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2866 LTE Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2927 Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor 2927 LTE Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2927L-5G Affected: 0 , < 4.5.1 (custom)
DrayTek Corporation Vigor2915 Affected: 0 , < 4.4.6.1 (custom)
DrayTek Corporation Vigor2862 Affected: 0 , < 3.9.9.12 (custom)
DrayTek Corporation Vigor2862 LTE Affected: 0 , < 3.9.9.12 (custom)
DrayTek Corporation Vigor2926 Affected: 0 , < 3.9.9.12 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-10547",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-03T14:33:21.692268Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T18:32:38.126Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T22:06:30.559Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/294418"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Vigor1000B",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2962",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor3910",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.4.3.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor3912",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2135",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2763",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2765",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2766",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2865",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2865 LTE Series",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2865L-5G Series",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2866",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "1.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2866 LTE",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2927",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor 2927 LTE",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2927L-5G",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2915",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "4.4.6.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2862",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "3.9.9.12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2862 LTE",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "3.9.9.12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Vigor2926",
          "vendor": "DrayTek Corporation",
          "versions": [
            {
              "lessThan": "3.9.9.12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-456: Missing Initialization of a Variable",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-20T15:58:45.010Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-10547",
      "x_generator": {
        "engine": "VINCE 3.0.26",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-10547"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-10547",
    "datePublished": "2025-10-03T11:35:43.752Z",
    "dateReserved": "2025-09-16T11:35:24.694Z",
    "dateUpdated": "2025-11-04T22:06:30.559Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-9556 (GCVE-0-2025-9556)

Vulnerability from cvelistv5 – Published: 2025-09-12 13:45 – Updated: 2025-11-03 18:14
Summary
Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.5.3. Gonja supports include and extends syntax to read files, which leads to a server side template injection vulnerability within langchaingo, allowing an attacker to insert a statement into a prompt to read the "etc/passwd" file.
Assigner
Impacted products
Vendor Product Version
Langchaingo Langchaingo Affected: 0.1.14

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-9556",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-12T14:00:53.431491Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-12T14:01:03.976Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T18:14:18.939Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/949137"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Langchaingo",
          "vendor": "Langchaingo",
          "versions": [
            {
              "status": "affected",
              "version": "0.1.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.5.3.\r\nGonja supports include and extends syntax to read files, which leads to a server side template injection vulnerability within langchaingo, allowing an attacker to insert a statement into a prompt to read the \"etc/passwd\" file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-12T13:45:14.684Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://github.com/tmc/langchaingo/security/advisories/GHSA-mgcj-g55g-rf6h"
        },
        {
          "url": "https://github.com/tmc/langchaingo/pull/1348"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-9556",
      "x_generator": {
        "engine": "VINCE 3.0.25",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-9556"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-9556",
    "datePublished": "2025-09-12T13:45:14.684Z",
    "dateReserved": "2025-08-27T18:10:47.686Z",
    "dateUpdated": "2025-11-03T18:14:18.939Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-10199 (GCVE-0-2025-10199)

Vulnerability from cvelistv5 – Published: 2025-09-09 17:30 – Updated: 2025-11-03 18:08
VLAI?
Summary
A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path.
CWE
  • CWE-428 - Unquoted Search Path or Element
Assigner
Impacted products
Vendor Product Version
LizardByte Sunshine for Windows Affected: v2025.122.141614

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-10199",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T13:16:49.041628Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-428",
                "description": "CWE-428 Unquoted Search Path or Element",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-10T13:43:59.075Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T18:08:25.842Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/974249"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sunshine for Windows",
          "vendor": "LizardByte",
          "versions": [
            {
              "status": "affected",
              "version": "v2025.122.141614"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-428: Unquoted Search Path or Element",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:30:50.158Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "A local privilege escalation vulnerability exists in LizardBytes\u0027 Sunshine for Windows",
      "x_generator": {
        "engine": "VINCE 3.0.24",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-10199"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-10199",
    "datePublished": "2025-09-09T17:30:19.958Z",
    "dateReserved": "2025-09-09T17:28:39.083Z",
    "dateUpdated": "2025-11-03T18:08:25.842Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-10198 (GCVE-0-2025-10198)

Vulnerability from cvelistv5 – Published: 2025-09-09 17:28 – Updated: 2025-11-03 18:08
Summary
Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories.
Assigner
Impacted products
Vendor Product Version
LizardByte Sunshine for Windows Affected: v2025.122.141614

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-10198",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T13:17:00.097504Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-427",
                "description": "CWE-427 Uncontrolled Search Path Element",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-10T13:44:06.419Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T18:08:24.774Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/974249"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sunshine for Windows",
          "vendor": "LizardByte",
          "versions": [
            {
              "status": "affected",
              "version": "v2025.122.141614"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-427 Uncontrolled Search Path Element",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:28:14.696Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://github.com/LizardByte/Sunshine/pull/3971"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "LizardBytes Sunshine for Windows contains a DLL search-order hijacking vulnerability",
      "x_generator": {
        "engine": "VINCE 3.0.24",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-10198"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-10198",
    "datePublished": "2025-09-09T17:28:14.696Z",
    "dateReserved": "2025-09-09T17:25:14.481Z",
    "dateUpdated": "2025-11-03T18:08:24.774Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-9994 (GCVE-0-2025-9994)

Vulnerability from cvelistv5 – Published: 2025-09-09 13:01 – Updated: 2025-11-03 18:14
Summary
The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.
Assigner
Impacted products

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-9994",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T13:17:17.857837Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-306",
                "description": "CWE-306 Missing Authentication for Critical Function",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-287",
                "description": "CWE-287 Improper Authentication",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-10T13:44:29.899Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T18:14:27.694Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/763183"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BT-AP 111",
          "vendor": "Amped RF",
          "versions": [
            {
              "status": "affected",
              "version": "*"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Amp\u2019ed RF BT-AP 111 Bluetooth access point\u0027s HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "CWE-287 Improper Authentication",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T13:01:05.384Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.ampedrftech.com/guides/BT-AP111_UserManual.pdf"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Amp\u2019ed RF BT-AP 111 Bluetooth access point\u0027s HTTP admin interface does not require authentication",
      "x_generator": {
        "engine": "VINCE 3.0.24",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-9994"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-9994",
    "datePublished": "2025-09-09T13:01:05.384Z",
    "dateReserved": "2025-09-04T15:31:44.614Z",
    "dateUpdated": "2025-11-03T18:14:27.694Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-8671 (GCVE-0-2025-8671)

Vulnerability from cvelistv5 – Published: 2025-08-13 12:03 – Updated: 2025-11-04 21:15
Summary
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
Assigner
Impacted products
Vendor Product Version
SUSE Linux Enterprise Module for Development Tools Affected: 15 SP2 , < 15-SP5 (custom)
SUSE Linux Enterprise High Performance Computing (HPC) Affected: 15 , < 15 SP5 (custom)
Varnish Software Varnish Enterprise Affected: 6.0.x , ≤ 6.0.14r4 (custom)
Varnish Software Varnish Cache Affected: 6.0LTS , ≤ 6.014 (custom)
Varnish Software Varnish Cache Affected: 5.x , ≤ 7.71 (custom)
Fastly H20 Affected: 579ecfa
Wind River Linux Affected: LTS22 , ≤ TLS25 (custom)
SUSE Linux Enterprise Desktop Affected: 15 SP6 , < 15 SP7 (custom)
SUSE Linux Enterprise High Performance Computing Affected: 15 SP3 , < 15 SP7 (custom)
SUSE Linux Enterprise Module for Dev Tools Affected: 15 SP3 , < 15 SP7 (custom)
SUSE Linux Enterprise Module for Package Hub Affected: 15 SP5 , < 15 SP7 (custom)
SUSE Linux Enterprise Server Affected: 12 SP5 , < 15 SP7 (custom)
SUSE Linux Enterprise Server for SAP Applications Affected: 15 SP6 , < 15 SP7 (custom)
SUSE Linux SUSE Manager Server Affected: 4.3
SUSE Linux SUSE Manager Server LTS Affected: 4.3
SUSE Linux SUSE Manager Proxy Affected: 4.3
SUSE Linux SUSE Manager Retail Branch Server Affected: 4.3
SUSE Linux openSUSE Leap Affected: 15.6

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-8671",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T18:34:19.913332Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-404",
                "description": "CWE-404 Improper Resource Shutdown or Release",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T19:57:17.805Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gitlab.isc.org/isc-projects/bind9/-/issues/5325"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:15:08.215Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://github.com/envoyproxy/envoy/issues/40739"
          },
          {
            "url": "https://github.com/varnish/hitch/issues/397"
          },
          {
            "url": "https://github.com/Kong/kong/discussions/14731"
          },
          {
            "url": "https://deepness-lab.org/publications/madeyoureset/"
          },
          {
            "url": "https://www.imperva.com/blog/madeyoureset-turning-http-2-server-against-itself/"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/767506"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/18/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/13/6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Enterprise Module for Development Tools",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15-SP5",
              "status": "affected",
              "version": "15 SP2",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise High Performance Computing (HPC)",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP5",
              "status": "affected",
              "version": "15",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Varnish Enterprise",
          "vendor": "Varnish Software",
          "versions": [
            {
              "lessThanOrEqual": "6.0.14r4",
              "status": "affected",
              "version": "6.0.x",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Varnish Cache",
          "vendor": "Varnish Software",
          "versions": [
            {
              "lessThanOrEqual": "6.014",
              "status": "affected",
              "version": "6.0LTS",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Varnish Cache",
          "vendor": "Varnish Software",
          "versions": [
            {
              "lessThanOrEqual": "7.71",
              "status": "affected",
              "version": "5.x",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "H20",
          "vendor": "Fastly",
          "versions": [
            {
              "status": "affected",
              "version": "579ecfa"
            }
          ]
        },
        {
          "product": "Linux",
          "vendor": "Wind River",
          "versions": [
            {
              "lessThanOrEqual": "TLS25",
              "status": "affected",
              "version": "LTS22",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise Desktop",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "15 SP6",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise High Performance Computing",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "15 SP3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise Module for Dev Tools",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "15 SP3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise Module for Package Hub",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "15 SP5",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise Server",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "12 SP5",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise Server for SAP Applications",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "15 SP6",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "SUSE Manager Server",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            }
          ]
        },
        {
          "product": "SUSE Manager Server LTS",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            }
          ]
        },
        {
          "product": "SUSE Manager Proxy",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            }
          ]
        },
        {
          "product": "SUSE Manager Retail Branch Server",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            }
          ]
        },
        {
          "product": "openSUSE Leap",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "status": "affected",
              "version": "15.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS).  By opening streams and then rapidly triggering the server to reset them\u2014using malformed frames or flow control errors\u2014an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-404 Improper Resource Shutdown or Release",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-13T18:19:45.844Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://galbarnahum.com/made-you-reset"
        },
        {
          "url": "https://kb.cert.org/vuls/id/767506"
        },
        {
          "url": "https://varnish-cache.org/security/VSV00017.html"
        },
        {
          "url": "https://www.fastlystatus.com/incident/377810"
        },
        {
          "url": "https://github.com/h2o/h2o/commit/4729b661e3c6654198d2cc62997e1af58bef4b80"
        },
        {
          "url": "https://support2.windriver.com/index.php?page=security-notices"
        },
        {
          "url": "https://www.suse.com/support/kb/doc/?id=000021980"
        },
        {
          "url": "https://gitlab.isc.org/isc-projects/bind9/-/issues/5325"
        },
        {
          "url": "https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-8671",
      "x_generator": {
        "engine": "VINCE 3.0.22",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-8671"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-8671",
    "datePublished": "2025-08-13T12:03:37.167Z",
    "dateReserved": "2025-08-06T11:52:46.667Z",
    "dateUpdated": "2025-11-04T21:15:08.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6078 (GCVE-0-2025-6078)

Vulnerability from cvelistv5 – Published: 2025-08-02 02:15 – Updated: 2025-11-03 20:06
Summary
Partner Software's Partner Software application and Partner Web application allows an authenticated user to add notes on the 'Notes' page when viewing a job but does not completely sanitize input, making it possible to add notes with HTML tags and JavaScript, enabling an attacker to add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting).
Assigner
Impacted products
Vendor Product Version
Partner Software Partner Web Affected: 4.32 , < 4.32.2 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-6078",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-04T14:15:49.200812Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-04T14:17:02.214Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:06:49.011Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://kb.cert.org/vuls/id/317469"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/317469"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Partner Web",
          "vendor": "Partner Software",
          "versions": [
            {
              "lessThan": "4.32.2",
              "status": "affected",
              "version": "4.32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Partner Software\u0027s Partner Software application and Partner Web application allows an authenticated user to add notes on the \u0027Notes\u0027 page when viewing a job but does not completely sanitize input, making it possible to add notes with HTML tags and JavaScript, enabling an attacker to add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-02T02:15:55.155Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://partnersoftware.com/resources/software-release-info-4-32/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-6078",
      "x_generator": {
        "engine": "VINCE 3.0.21",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-6078"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-6078",
    "datePublished": "2025-08-02T02:15:55.155Z",
    "dateReserved": "2025-06-13T15:20:26.334Z",
    "dateUpdated": "2025-11-03T20:06:49.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6077 (GCVE-0-2025-6077)

Vulnerability from cvelistv5 – Published: 2025-08-02 02:15 – Updated: 2025-11-03 20:06
Summary
Partner Software's Partner Software Product and corresponding Partner Web application use the same default username and password for the administrator account across all versions.
CWE
Assigner
Impacted products
Vendor Product Version
Partner Software Partner Web Affected: 4.32 , < 4.32.2 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-6077",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-05T14:47:31.685397Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1391",
                "description": "CWE-1391 Use of Weak Credentials",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-05T14:48:27.457Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:06:47.643Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://kb.cert.org/vuls/id/317469"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/317469"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Partner Web",
          "vendor": "Partner Software",
          "versions": [
            {
              "lessThan": "4.32.2",
              "status": "affected",
              "version": "4.32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Partner Software\u0027s Partner Software Product and corresponding Partner Web application use the same default username and password for the administrator account across all versions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1391",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-02T02:15:45.052Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://partnersoftware.com/resources/software-release-info-4-32/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-6077",
      "x_generator": {
        "engine": "VINCE 3.0.21",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-6077"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-6077",
    "datePublished": "2025-08-02T02:15:45.052Z",
    "dateReserved": "2025-06-13T15:18:43.511Z",
    "dateUpdated": "2025-11-03T20:06:47.643Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6076 (GCVE-0-2025-6076)

Vulnerability from cvelistv5 – Published: 2025-08-02 02:15 – Updated: 2025-11-03 20:06
Summary
Partner Software's Partner Software application and Partner Web application do not sanitize files uploaded on the "reports" tab, allowing an authenticated attacker to upload a malicious file and compromise the device. By default, the software runs as SYSTEM, heightening the severity of the vulnerability.
Impacted products
Vendor Product Version
Partner Software Partner Web Affected: 4.32 , < 4.32.2 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-6076",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-04T14:00:45.636018Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-04T14:02:00.889Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:06:46.248Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://kb.cert.org/vuls/id/317469"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/317469"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Partner Web",
          "vendor": "Partner Software",
          "versions": [
            {
              "lessThan": "4.32.2",
              "status": "affected",
              "version": "4.32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Partner Software\u0027s Partner Software application and Partner Web application do not sanitize files uploaded on the \"reports\" tab, allowing an authenticated attacker to upload a malicious file and compromise the device. By default, the software runs as SYSTEM, heightening the severity of the vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-02T02:15:31.536Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://partnersoftware.com/resources/software-release-info-4-32/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-6076",
      "x_generator": {
        "engine": "VINCE 3.0.21",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-6076"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-6076",
    "datePublished": "2025-08-02T02:15:31.536Z",
    "dateReserved": "2025-06-13T15:17:17.314Z",
    "dateUpdated": "2025-11-03T20:06:46.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6241 (GCVE-0-2025-6241)

Vulnerability from cvelistv5 – Published: 2025-07-27 00:46 – Updated: 2025-11-03 20:06
Summary
LsiAgent.exe, a component of SysTrack from Lakeside Software, attempts to load several DLL files which are not present in the default installation. If a user-writable directory is present in the SYSTEM PATH environment variable, the user can write a malicious DLL to that directory with arbitrary code. This malicious DLL is executed in the context of NT AUTHORITY\SYSTEM upon service start or restart, due to the Windows default dynamic-link library search order, resulting in local elevation of privileges.
Impacted products
Vendor Product Version
Lakeside Software SysTrack Affected: 10.05.0027 , < 10.10.0.42 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 4.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-6241",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-30T18:20:44.276812Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T18:20:50.800Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:06:53.132Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/335798"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SysTrack",
          "vendor": "Lakeside Software",
          "versions": [
            {
              "lessThan": "10.10.0.42",
              "status": "affected",
              "version": "10.05.0027",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LsiAgent.exe, a component of SysTrack from Lakeside Software, attempts to load several DLL files which are not present in the default installation. If a user-writable directory is present in the SYSTEM PATH environment variable, the user can write a malicious DLL to that directory with arbitrary code. This malicious DLL is executed in the context of NT AUTHORITY\\SYSTEM upon service start or restart, due to the Windows default dynamic-link library search order, resulting in local elevation of privileges."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-427 Uncontrolled Search Path Element",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-29T12:12:06.276Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://documentation.lakesidesoftware.com/en/Content/Release%20Notes/Agent/10_10_0%20Hotfix%20Agent%20Release%20Notes%20On%20Premises.htm?tocpath=Release%20Notes%7CAgent%7C_____13"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-6241",
      "x_generator": {
        "engine": "VINCE 3.0.21",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-6241"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-6241",
    "datePublished": "2025-07-27T00:46:41.118Z",
    "dateReserved": "2025-06-18T15:18:17.582Z",
    "dateUpdated": "2025-11-03T20:06:53.132Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-7026 (GCVE-0-2025-7026)

Vulnerability from cvelistv5 – Published: 2025-07-11 15:27 – Updated: 2025-11-03 20:07
Summary
A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., '$DB$' or '2DB$'), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-7026",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-12T03:55:15.583Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:07:19.993Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/746790"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "UEFI-GenericComponentSmmEntry",
          "vendor": "GIGABYTE",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., \u0027$DB$\u0027 or \u00272DB$\u0027), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-822 Untrusted Pointer Dereference",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T15:27:34.960Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.gigabyte.com/Support/Security"
        },
        {
          "url": "https://www.binarly.io/advisories/brly-dva-2025-008"
        },
        {
          "url": "https://kb.cert.org/vuls/id/746790"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SMM Arbitrary Write via Unchecked RBX Pointer in CommandRcx0",
      "x_generator": {
        "engine": "VINCE 3.0.21",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-7026"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-7026",
    "datePublished": "2025-07-11T15:27:34.960Z",
    "dateReserved": "2025-07-02T15:42:52.209Z",
    "dateUpdated": "2025-11-03T20:07:19.993Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-7028 (GCVE-0-2025-7028)

Vulnerability from cvelistv5 – Published: 2025-07-11 15:26 – Updated: 2025-11-03 20:07
Summary
A vulnerability in the Software SMI handler (SwSmiInputValue 0x20) allows a local attacker to supply a crafted pointer (FuncBlock) through RBX and RCX register values. This pointer is passed unchecked into multiple flash management functions (ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo) that dereference both the structure and its nested members, such as BufAddr. This enables arbitrary read/write access to System Management RAM (SMRAM), allowing an attacker to corrupt firmware memory, exfiltrate SMRAM content via flash, or install persistent implants.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-7028",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-14T16:45:13.338112Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:54:56.492Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:07:22.755Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/746790"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "UEFI-SmiFlash",
          "vendor": "GIGABYTE",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the Software SMI handler (SwSmiInputValue 0x20) allows a local attacker to supply a crafted pointer (FuncBlock) through RBX and RCX register values. This pointer is passed unchecked into multiple flash management functions (ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo) that dereference both the structure and its nested members, such as BufAddr. This enables arbitrary read/write access to System Management RAM (SMRAM), allowing an attacker to corrupt firmware memory, exfiltrate SMRAM content via flash, or install persistent implants."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-822 Untrusted Pointer Dereference",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T15:26:11.382Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.gigabyte.com/Support/Security"
        },
        {
          "url": "https://www.binarly.io/advisories/brly-dva-2025-010"
        },
        {
          "url": "https://kb.cert.org/vuls/id/746790"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SMM Arbitrary Memory Access via Flash Handler with Unchecked FuncBlock Pointer",
      "x_generator": {
        "engine": "VINCE 3.0.21",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-7028"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-7028",
    "datePublished": "2025-07-11T15:26:11.382Z",
    "dateReserved": "2025-07-02T15:43:20.928Z",
    "dateUpdated": "2025-11-03T20:07:22.755Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-7027 (GCVE-0-2025-7027)

Vulnerability from cvelistv5 – Published: 2025-07-11 15:24 – Updated: 2025-11-03 20:07
Summary
A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control both the read and write addresses used by the CommandRcx1 function. The write target is derived from an unvalidated UEFI NVRAM variable (SetupXtuBufferAddress), while the write content is read from an attacker-controlled pointer based on the RBX register. This dual-pointer dereference enables arbitrary memory writes within System Management RAM (SMRAM), leading to potential SMM privilege escalation and firmware compromise.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-7027",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-12T03:55:16.831604Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T14:44:51.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:07:21.390Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/746790"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "UEFI-GenericComponentSmmEntry",
          "vendor": "GIGABYTE",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control both the read and write addresses used by the CommandRcx1 function. The write target is derived from an unvalidated UEFI NVRAM variable (SetupXtuBufferAddress), while the write content is read from an attacker-controlled pointer based on the RBX register. This dual-pointer dereference enables arbitrary memory writes within System Management RAM (SMRAM), leading to potential SMM privilege escalation and firmware compromise."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-822 Untrusted Pointer Dereference",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T15:24:26.568Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.gigabyte.com/Support/Security"
        },
        {
          "url": "https://www.binarly.io/advisories/brly-2025-009"
        },
        {
          "url": "https://kb.cert.org/vuls/id/746790"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SMM Arbitrary Write via Dual-Controlled Pointers in CommandRcx1",
      "x_generator": {
        "engine": "VINCE 3.0.21",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-7027"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-7027",
    "datePublished": "2025-07-11T15:24:26.568Z",
    "dateReserved": "2025-07-02T15:43:08.076Z",
    "dateUpdated": "2025-11-03T20:07:21.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-7029 (GCVE-0-2025-7029)

Vulnerability from cvelistv5 – Published: 2025-07-11 15:22 – Updated: 2025-11-03 20:07
Summary
A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used to derive pointers (OcHeader, OcData) passed into power and thermal configuration logic. These buffers are not validated before performing multiple structured memory writes based on OcSetup NVRAM values, enabling arbitrary SMRAM corruption and potential SMM privilege escalation.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-7029",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-12T03:55:17.650535Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T14:43:47.539Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:07:24.142Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/746790"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "UEFI-OverClockSmiHandler",
          "vendor": "GIGABYTE",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used to derive pointers (OcHeader, OcData) passed into power and thermal configuration logic. These buffers are not validated before performing multiple structured memory writes based on OcSetup NVRAM values, enabling arbitrary SMRAM corruption and potential SMM privilege escalation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-822 uncontrolled pointer deference",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T15:22:12.577Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.gigabyte.com/Support/Security"
        },
        {
          "url": "https://www.binarly.io/advisories/brly-dva-2025-011"
        },
        {
          "url": "https://kb.cert.org/vuls/id/746790"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SMM Arbitrary Write via Unchecked OcHeader Buffer in Platform Configuration Handler",
      "x_generator": {
        "engine": "VINCE 3.0.21",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-7029"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-7029",
    "datePublished": "2025-07-11T15:22:12.577Z",
    "dateReserved": "2025-07-02T15:43:34.209Z",
    "dateUpdated": "2025-11-03T20:07:24.142Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-3052 (GCVE-0-2025-3052)

Vulnerability from cvelistv5 – Published: 2025-06-10 19:19 – Updated: 2025-06-10 21:03
Summary
An arbitrary write vulnerability in Microsoft signed UEFI firmware allows for code execution of untrusted software. This allows an attacker to control its value, leading to arbitrary memory writes, including modification of critical firmware settings stored in NVRAM. Exploiting this vulnerability could enable security bypasses, persistence mechanisms, or full system compromise.
CWE
  • CWE-123 - Write-what-where Condition

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-3052",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-10T19:51:42.494987Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-10T19:53:46.010Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-06-10T21:03:04.250Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/806555"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BiosFlashShell",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "80.02"
            }
          ]
        },
        {
          "product": "BiosFlashShell",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "81.02"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "70.17"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "70.18"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "70.19"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "70.20"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "70.21"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "70.22"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "71.17"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "71.18"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "71.19"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "71.20"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "71.21"
            }
          ]
        },
        {
          "product": "Dtbios",
          "vendor": "DT Research",
          "versions": [
            {
              "status": "affected",
              "version": "71.22"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An arbitrary write vulnerability in Microsoft signed UEFI firmware allows for code execution of untrusted software. This allows an attacker to control its value, leading to arbitrary memory writes, including modification of critical firmware settings stored in NVRAM. Exploiting this vulnerability could enable security bypasses, persistence mechanisms, or full system compromise."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-123: Write-what-where Condition",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-10T19:19:54.775Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html"
        },
        {
          "url": "https://www.binarly.io/advisories/brly-dva-2025-001"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "An arbitrary write vulnerability in Microsoft signed UEFI firmware from DT Research Inc.",
      "x_generator": {
        "engine": "VINCE 3.0.19",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-3052"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-3052",
    "datePublished": "2025-06-10T19:19:54.775Z",
    "dateReserved": "2025-03-31T16:26:00.858Z",
    "dateUpdated": "2025-06-10T21:03:04.250Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}