
2728 matches found

CVE · added 2025/03/20 10:10 a.m. · 47 views

CVE-2024-6986

The CVE-2024-6986 entry concerns parisneo/lollms-webui (v9.8). A Cross-site Scripting (XSS) flaw arises from improper use of the v-html directive, which renders the full_template variable as HTML on the Settings page. An attacker can inject JavaScript by supplying a payload in the System Template...

CVSS 5.5 · AI score 5.4 · EPSS 0.00254
Exploits: 1 · References: 1 · Affected Software: 1
Vulnrichment · added 2025/03/20 10:08 a.m. · 5 views

CVE-2024-11821 Privilege Escalation in langgenius/dify

A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properly enforce access controls on the endpoint...

CVSS 4.3 · AI score 4.8 · EPSS 0.00415
Exploits: 1 · References: 1
Cvelist · added 2025/03/20 10:08 a.m. · 10 views

CVE-2024-11821 Privilege Escalation in langgenius/dify

A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properly enforce access controls on the endpoint...

CVSS 4.3 · EPSS 0.00415
Exploits: 1 · References: 1
CVE · added 2025/03/20 10:08 a.m. · 49 views

CVE-2024-11821

CVE-2024-11821 affects langgenius/dify 0.9.1. The issue is a privilege escalation where a normal user can modify Orchestrate instructions for an admin-created chatbot due to improper access control on the endpoint /console/api/apps/{chatbot-id}/model-config. The CVE entry lists a CVSSv3 base scor...

CVSS 4.3 · AI score 4.8 · EPSS 0.00415
Exploits: 1 · References: 1 · Affected Software: 1
RedhatCVE · added 2025/03/14 5:57 p.m. · 14 views

CVE-2025-20142

A vulnerability in the IPv4 access control list ACL feature and quality of service QoS policy feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an...

CVSS 8.6 · AI score 7.2 · EPSS 0.00507
Exploits: 0 · References: 1
Cisco · added 2025/03/12 4:00 p.m. · 15 views

Cisco IOS XR Software for ASR 9000 Series Routers IPv4 Unicast Packets Denial of Service Vulnerability

A vulnerability in the IPv4 access control list ACL feature and quality of service QoS policy feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an...

CVSS 8.6 · AI score 8.6 · EPSS 0.00507
Exploits: 0 · References: 1
NVD · added 2025/03/11 10:15 a.m. · 7 views

CVE-2025-27392

A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2), all versions < V4.0. Affected devices do not properly sanitize user input when creating new VXLAN configurations. This could allow an authenticated, highly-privileged remote attacker to execute arbitrary code on the device...

CVSS 8.6 · EPSS 0.00666
Exploits: 0 · References: 1
CVE · added 2025/03/11 9:48 a.m. · 55 views

CVE-2025-27392

CVE-2025-27392 affects Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2), all versions before V4.0. The root cause is inadequate sanitization of input when creating VXLAN configurations, enabling an authenticated, highly-privileged remote attacker to execute arbitrary code on the device. Several sour...

CVSS 8.6 · AI score 7.9 · EPSS 0.00666
Exploits: 0 · References: 1 · Affected Software: 1
ICS · added 2025/03/11 12:00 a.m. · 8 views

Siemens SIMATIC IPC Family, ITP1000, and Field PGs

SUMMARY: Multiple vulnerabilities have been identified in Siemens SIMATIC IPCs, SIMATIC Tablet PCs, and SIMATIC Field PGs that can allow an authenticated attacker to alter the secure boot and password configurations. Siemens has released new BIOS versions for several affected products and...

AI score 6.5
Exploits: 0 · References: 10
OSV · added 2025/03/10 8:41 p.m. · 16 views

GO-2025-3499 IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations in github.com/zitadel/zitadel

IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...

CVSS 9 · AI score 9 · EPSS 0.00584
Exploits: 0 · References: 12
RedhatCVE · added 2025/03/06 5:49 p.m. · 10 views

CVE-2025-27507

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference IDOR vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While...

CVSS 9 · AI score 7.2 · EPSS 0.00584
Exploits: 0 · References: 1
RedHat Linux · added 2025/03/05 8:59 p.m. · 3 views

kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider

A flaw was found in Apache Kafka Clients. Apache Kafka Clients accepts configuration data for customizing behavior and includes ConfigProvider plugins to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider...

CVSS 6.5 · AI score 7.4 · EPSS 0.01129
Exploits: 0 · References: 5
CVE · added 2025/03/04 7:49 p.m. · 54 views

CVE-2025-1260

CVE-2025-1260 affects Arista EOS when OpenConfig is enabled with a gNOI server; a gNOI request can be processed when it should be rejected, potentially causing unexpected configuration/operations on vulnerable switches. Affected EOS releases include multiple 4.3x/4.2x trains (examples listed in A...

CVSS 9.1 · AI score 9.2 · EPSS 0.00407
Exploits: 0 · References: 1
NVD · added 2025/03/04 5:15 p.m. · 13 views

CVE-2025-27507

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference IDOR vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While...

CVSS 9 · EPSS 0.00584
Exploits: 0 · References: 2
OSV · added 2025/03/04 4:43 p.m. · 8 views

GHSA-F3GH-529W-V32X IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations

Summary: ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP...

CVSS 9 · AI score 6.9 · EPSS 0.00584
Exploits: 0 · References: 14
Vulnrichment · added 2025/03/04 4:43 p.m. · 8 views

CVE-2025-27507 IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference IDOR vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While...

CVSS 9 · AI score 6.9 · EPSS 0.00584
Exploits: 0 · References: 2
CVE · added 2025/03/04 4:43 p.m. · 168 views

CVE-2025-27507

Summary: CVE-2025-27507 concerns IDOR flaws in Zitadel’s Admin API that authenticated users (without specific IAM roles) can exploit to modify sensitive settings, with the most critical impact on LDAP configurations. The vulnerability enables manipulation of LDAP-related endpoints (notably /idps/...

CVSS 9 · AI score 9.3 · EPSS 0.00584
Exploits: 0 · References: 2 · Affected Software: 1
Cvelist · added 2025/03/04 4:43 p.m. · 24 views

CVE-2025-27507 IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference IDOR vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While...

CVSS 9 · EPSS 0.00584
Exploits: 0 · References: 2
OSV · added 2025/03/04 4:43 p.m. · 9 views

CVE-2025-27507 IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference IDOR vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While...

CVSS 9 · AI score 6.8 · EPSS 0.00584
Exploits: 0 · References: 4
Positive Technologies · added 2025/03/04 12:00 a.m. · 10 views

PT-2025-9686 · Zitadel · Zitadel

Name of the Vulnerable Software and Affected Versions: Zitadel versions prior to 2.71.0; Zitadel versions prior to 2.70.1; Zitadel versions prior to 2.69.4; Zitadel versions prior to 2.68.4; Zitadel versions prior to 2.67.8; Zitadel versions prior to 2.66.11; Zitadel versions prior to 2.65.6; Zitadel...

CVSS 9.9 · AI score 7.4 · EPSS 0.92579
Exploits: 19 · References: 61