Lucene search
6552 matches found

OSSF Malicious Packages
added 2025/12/15 7:43 a.m., 6 views

Malicious code in xboxlive-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1aa54accd06c11d8f868fa0bc7915782404360d01db3c5f80d735584ca984dc8 The package xboxlive-auth was found to contain malicious code. Source: ghsa-malware 330ca3dbdf0006df9f2a21edc3027e6f158c2ee2b4f7c26498a386198e869878...

AI score: 6.9
Exploits: 0, References: 1
Tenable Nessus
added 2025/12/15 12:00 a.m., 2 views

Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.10.1.12)

The version of AOS installed on the remote host is prior to 6.10.1.12. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.10.1.12 advisory. - A heap-buffer-overflow off-by-one flaw was found in the GnuTLS software in the template parsing logic within the certto...

CVSS: 8.2, AI score: 7, EPSS: 0.06997
Exploits: 5, References: 6
Hacker One
added 2025/12/13 4:49 p.m., 13 views

Node.js: Missing AES-GCM Authentication Tag Validation and Improper Deprecation Handling

Summary: In Node.js' crypto module, the createDecipheriv documentation states that "the authTagLength option defaults to 16 bytes and must be set to a different value if a different length is used." The authentication tag's length is however not validated against that default value and can be truncated do...

AI score: 7.3
Exploits: 0
CVE
added 2025/12/12 7:32 p.m., 11 views

CVE-2025-14572

The CVE-2025-14572 entry covers a memory-corruption vulnerability in UTT Progressive 512W devices (UTT 进取 512W) up to version 1.7.7-171114. The flaw resides in the /goform/formWebAuthGlobalConfig handler, where manipulating the hidcontact parameter can trigger memory corruption, enabling remote e...

CVSS: 9, AI score: 6, EPSS: 0.03055
Exploits: 1, References: 4, Affected Software: 1
Cvelist
added 2025/12/12 6:53 a.m., 26 views

CVE-2025-67737 AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE

AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a...

CVSS: 3.1, EPSS: 0.00205
Exploits: 1, References: 2
CVE
added 2025/12/12 6:53 a.m., 12 views

CVE-2025-67737

CVE-2025-67737 affects AzuraCast version 0.23.1, where an API endpoint intended for internal use by sftpgo was exposed in the public HTTP API (at /api/internal/sftp-event). A user with valid SFTP credentials and knowledge of the station's internal filesystem can craft a tailored HTTP request to ...

CVSS: 3.7, AI score: 6.1, EPSS: 0.00205
Exploits: 1, References: 2, Affected Software: 1
OSV
added 2025/12/12 6:53 a.m., 3 views

CVE-2025-67737 AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE

AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a...

CVSS: 3.1, AI score: 6.4, EPSS: 0.00205
Exploits: 1, References: 4
CNNVD
added 2025/12/12 12:00 a.m., 4 views

UTT 512W Buffer Error Vulnerability

The UTT Progressive 512W is an enterprise-grade wireless router from Atech UTT designed for small and medium-sized businesses, SOHO and similarly sized network environments with access scenarios of 30 to 50 users. The UTT Progressive 512W suffers from a memory corruption vulnerability that originates...

CVSS: 9, AI score: 8.6, EPSS: 0.03055
Exploits: 1, References: 4
OSV
added 2025/12/11 8:16 p.m., 6 views

CVE-2025-55184

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafe...

CVSS: 7.5, AI score: 6.9, EPSS: 0.65592
Exploits: 10, References: 3
RedhatCVE
added 2025/12/11 7:01 p.m., 5 views

CVE-2025-34428

MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.SAV with overly permissive filesystem access. A local...

CVSS: 8.4, AI score: 6.2, EPSS: 0.00101
Exploits: 0, References: 1
NVD
added 2025/12/11 12:16 a.m., 7 views

CVE-2025-67648

Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further...

CVSS: 7.1, EPSS: 0.00158
Exploits: 0, References: 2
Tenable Nessus
added 2025/12/11 12:00 a.m., 3 views

EulerOS 2.0 SP13 : cups (EulerOS-SA-2025-2497)

According to the versions of the cups package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, when the AuthTyp...

CVSS: 8, AI score: 7.6, EPSS: 0.62269
Exploits: 16, References: 3
Cvelist
added 2025/12/10 11:55 p.m., 27 views

CVE-2025-67648 Shopware's improper input validation can lead to Reflected XSS through Storefront Login Page

Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further...

CVSS: 7.1, EPSS: 0.00158
Exploits: 0, References: 2
EUVD
added 2025/12/10 9:31 p.m., 3 views

EUVD-2025-202481

MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.TAB with overly permissive filesystem access. A local...

CVSS: 6.8, AI score: 5.8, EPSS: 0.001
Exploits: 0, References: 4
NVD
added 2025/12/10 7:16 p.m., 2 views

CVE-2025-34428

MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.SAV with overly permissive filesystem access. A local...

CVSS: 8.4, EPSS: 0.00101
Exploits: 0, References: 3
OSV
added 2025/12/10 7:16 p.m., 5 views

CVE-2025-34428

MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.SAV with overly permissive filesystem access. A local...

CVSS: 7.8, AI score: 5.8
Exploits: 0, References: 3
NVD
added 2025/12/10 7:16 p.m., 3 views

CVE-2025-34427

MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.TAB with overly permissive filesystem access. A local...

CVSS: 8.4, EPSS: 0.001
Exploits: 0, References: 3
OSV
added 2025/12/10 7:16 p.m., 2 views

CVE-2025-34427

MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.TAB with overly permissive filesystem access. A local...

CVSS: 7.8, AI score: 5.8, EPSS: 0.001
Exploits: 0, References: 3
vulnersOsv
added 2025/12/10 6:30 p.m., 6 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1886 more potentially affected by CVE-2025-67635 via org.jenkins-ci.main:cli (>=1.396 <=2.528.2)

org.jenkins-ci.main:cli MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67635 Source advisory: OSV:GHSA-9P56-P6MW-W8QC...

CVSS: 7.5, AI score: 7.5, EPSS: 0.00506
Exploits: 0
CVE
added 2025/12/10 6:24 p.m., 14 views

CVE-2025-34427

Summary: CVE-2025-34427 affects MailEnable versions prior to 10.54, where credentials are stored in cleartext in AUTH.TAB with overly permissive filesystem access. A local authenticated user with read access to AUTH.TAB can recover all user passwords and super-admin credentials, then authenticate...

CVSS: 8.4, AI score: 5.9, EPSS: 0.001
Exploits: 0, References: 3, Affected Software: 1