559 matches found
CVE-2025-59845 Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery CSRF vulnerability was identified. The vulnerability arises from missing orig...
Fedora: Security Advisory (FEDORA-2025-cc94888079)
The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Fedora 41 : mingw-expat (2025-cc94888079)
The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-cc94888079 advisory. Update to expat-2.7.2, fixes CVE-2025-59375. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note...
Fedora 41 : expat (2025-d936540ef5)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-d936540ef5 advisory. Rebase to 2.7.2 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for this...
[SECURITY] Fedora 43 Update: expat-2.7.2-1.fc43
This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parse...
OPENSUSE-SU-2025:15573-1 expat-2.7.2-1.1 on GA media
These are all security issues fixed in the expat-2.7.2-1.1 package on the GA media of openSUSE Tumbleweed...
CVE-2025-53570
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in DELUCKS DELUCKS SEO delucks-seo allows Stored XSS.This issue affects DELUCKS SEO: from n/a through = 2.7.2...
Fedora: Security Advisory (FEDORA-2025-639f53ea67)
The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
CVE-2025-10016
The Sparkle framework includes a helper tool Autoupdate. Due to lack of authentication of connecting clients a local unprivileged attacker can request installation of crafted malicious PKG file by racing to connect to the daemon when other app spawns it as root. This results in local privilege...
COMFAST CF-XR11 安全漏洞
COMFAST CF-XR11 is a wireless router from China Four Seas Zonglian COMFAST. A security vulnerability exists in COMFAST CF-XR11 version V2.7.2, which stems from an uncleaned phyinterface parameter in the multipppoe API, which could lead to a command injection attack...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Downloader.xpc service. A local unprivileged attacker can access and copy files protected by TCC permissions by registering the service globally and exploiting the lack of client validation. Workaround Th...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Downloader.xpc service. A local unprivileged attacker can access and copy files protected by TCC permissions by registering the service globally and exploiting the lack of client validation. Workaround Th...
CVE-2025-10015
The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. Lack of validation of connecting client...
CVE-2025-10015 TCC Bypass via Downloader XPC Service in Sparkle
The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. Lack of validation of connecting client...
CVE-2025-10015
The Sparkle framework’s Downloader.xpc XPC service can be registered globally by a local, unprivileged attacker, causing the service to inherit the app’s TCC permissions. The root cause is lack of validation of the connecting client, allowing copying of TCC-protected files to arbitrary locations;...
CVE-2025-10015 TCC Bypass via Downloader XPC Service in Sparkle
The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. Lack of validation of connecting client...
PT-2025-37917
Name of the Vulnerable Software and Affected Versions: Sparkle framework versions prior to 2.7.2 Description: The Sparkle framework includes an XPC service, Downloader.xpc, which is, by default, private to the application it is bundled with. A local, unprivileged attacker can register this XPC...
CVE-2025-59375
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing...
AZL-67328 CVE-2025-59375 affecting package expat for versions less than 2.6.4-2
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing...
AZL-67359 CVE-2025-59375 affecting package expat for versions less than 2.6.4-2
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing...