Privileged OpenBao Operator May Execute Code on the Underlying Host

Impact Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the ability to update binaries or execute code on the system. Additionally, privileged API operators should be unable to perform TCP connections to arbitrary...

Linux Distros Unpatched Vulnerability : CVE-2021-35197

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a...

XORUX XorMon-NG 安全漏洞

XORUX XorMon-NG is an infrastructure performance monitoring platform from the Czech company XORUX. A security vulnerability exists in XORUX XorMon-NG, which stems from improper access control of API endpoints and could lead to the disclosure of sensitive information...

CVE-2025-7001

An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed priviledged users to access certain resourcegroup information through the API which should have been unavailable...

UBUNTU-CVE-2025-7001

An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed priviledged users to access certain resourcegroup information through the API which should have been unavailable...

CVE-2025-7001 Insufficient Granularity of Access Control in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed priviledged users to access certain resourcegroup information through the API which should have been unavailable...

Vulnerabilities fixed in Schneider Electric EcoStruxture IT Datacenter Expert

Schneider Electric has fixed vulnerabilities in EcoStruxture IT Datacenter Expert. The vulnerabilities include insufficient control over special elements in OS commands, which can result in unauthenticated external code execution. In addition, there is an issue with insufficient entropy in passwo...

PT-2025-28345 · Phoenix Contact · Charx Sec-3000 +7

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: An unauthenticated adjacent attacker can modify configuration by sending specific requests to an "API-endpoint" resulting in read and write access due to missing authentication...

Fortinet Fortigate PKI via API: Authentication granted with an invalid certificate (FG-IR-24-511)

The version of Fortigate installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-24-511 advisory. - A missing critical step in authentication vulnerability CWE-304 in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0...

CVE-2025-52492

In Paxton Paxton10 firmware (versions before 4.6 SR6), the rootfs.tar.gz payload contains hard-coded Twilio API credentials. A remote attacker who obtains a firmware copy can extract these credentials, potentially gaining unauthorized access to the associated Twilio account, leading to informatio...

CVE-2025-32878

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end...

CVE-2023-47298

An issue in NCR Terminal Handler 1.5.1 allows a low-level privileged authenticated attacker to query the SOAP API endpoint to obtain information about all of the users of the application including their usernames, roles, security groups and account statuses...

CVE-2025-32878

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end...

PT-2025-26314 · Coros · Coros Pace 3

Name of the Vulnerable Software and Affected Versions: COROS PACE 3 versions through 3.0808.0 Description: An issue was discovered that allows an attacker to eavesdrop and manipulate HTTPS communication. The device does not validate the X.509 server certificate within the TLS handshake, enabling ...

CVE-2025-32878

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end...

TencentOS Server 4: zabbix (TSSA-2024:1129)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:1129 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

CVE-2025-49584

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default...

CVE-2025-49584

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default...

CVE-2025-49584

CVE-2025-49584 (XWiki) affects XWiki Platform versions 10.9–16.4.6, 16.5.0-rc-1–16.10.2, and 17.0.0-rc-1. The REST API can disclose the titles of pages whose reference is known when an XClass with a page property is accessible, potentially leaking page names. Impact on confidentiality is task-dep...

CVE-2025-4128

Mattermost versions 10.5.x = 10.5.4, 9.11.x = 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/teamid...