6598 matches found

vulnersOsv · added 2025/02/18 7:25 p.m. · 6 views

eq3btsmart (=0.0.0), hass-auth-synology (>=0.0.0 <=0.4.28) +5 more potentially affected by CVE-2025-25305 via homeassistant (>=0.83.3 <=2024.12.5)

homeassistant PYPI version =0.83.3, =0.0.0, =2021.4.0, =0.4.11, =1.2.0, =0.3.0, =0.13.85 Source cves: CVE-2025-25305 Source advisory: OSV:GHSA-M3PM-RPGG-5WJ6...

CVSS 7 · AI score 5.4 · EPSS 0.00229 · Exploits 0
ATTACKERKB · added 2025/02/18 3:15 p.m. · 4 views

CVE-2024-57049

A vulnerability in the TP-Link Archer c20 router with firmware version V6.6230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the request, it will be recognized as passing...

CVSS 9.8 · AI score 8.5 · EPSS 0.03211 · Exploits 1 · References 3
RedhatCVE · added 2025/02/14 11:39 a.m. · 10 views

CVE-2024-32638

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using the forward-auth plugin. This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...

CVSS 6.3 · AI score 6.9 · EPSS 0.01065 · Exploits 0 · References 1
RedhatCVE · added 2025/02/14 11:19 a.m. · 6 views

CVE-2024-27348

RCE (Remote Command Execution) vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11. Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue...

CVSS 9.8 · AI score 7 · EPSS 0.9921 · Exploits 11 · References 1
BDU FSTEC · added 2025/02/13 12:0 a.m. · 5 views

The vulnerability of the TypeScript-based authentication library Better Auth, related to the lack of protective measures for website structure, allows attackers to perform cross-site scripting attacks.

The vulnerability of the TypeScript-based authentication library Better Auth relates to the lack of measures taken to protect the website structure when processing the error parameter. Exploiting this vulnerability allows a malicious actor to perform cross-site scripting attacks remotely...

CVSS 9.4 · AI score 5.2 · Exploits 0 · References 4 · Affected Software 1
Information Security Automation · added 2025/02/12 10:1 p.m. · 17 views

February Microsoft Patch Tuesday

February Microsoft Patch Tuesday. 89 CVEs, 33 added since January. Two with signs of exploitation in the wild: EoP - Windows Ancillary Function Driver for WinSock (CVE-2025-21418); EoP - Windows Storage (CVE-2025-21391). There are no vulnerabilities with public exploits, but there are 7 with private...

CVSS 9.9 · AI score 7.6 · EPSS 0.29778 · Exploits 0
AstraLinux · added 2025/02/11 7:35 a.m. · 4 views

Astra Linux – Vulnerability in symfony

The Symfony Process component is a module for the Symfony PHP framework that executes commands in sub-processes. When using a persisted remember-me cookie, Symfony does not check whether the username stored in the database matches the username contained in the cookie, resulting in an authentication...

CVSS 7.5 · AI score 7 · EPSS 0.00633 · Exploits 1 · References 3
OSV · added 2025/02/10 9:31 p.m. · 6 views

GHSA-R385-C5FC-X56C CouchAuth has a Server-Side Template Injection vulnerability in its email functionality

A host header injection vulnerability exists in the NPM package of perfood/couch-auth = 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information...

CVSS 4.3 · AI score 7.3 · EPSS 0.00293 · Exploits 0 · References 3
NVD · added 2025/02/10 8:15 p.m. · 6 views

CVE-2024-57177

A host header injection vulnerability exists in the NPM package of perfood/couch-auth = 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information...

CVSS 7.3 · EPSS 0.00293 · Exploits 0 · References 2
Vulnrichment · added 2025/02/10 12:0 a.m. · 4 views

CVE-2024-57177

A host header injection vulnerability exists in the NPM package of perfood/couch-auth = 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information...

AI score 7.2 · EPSS 0.00293 · Exploits 0 · References 2
Positive Technologies · added 2025/02/10 12:0 a.m. · 5 views

PT-2025-6098 · Perfood · Couch-Auth

Name of the Vulnerable Software and Affected Versions: perfood/couch-auth versions = 0.21.2. Description: A host header injection vulnerability exists in the NPM package of perfood/couch-auth. By sending a specially crafted host header in the email change confirmation request, it is possible to...

CVSS 7.3 · AI score 7.3 · EPSS 0.00293 · Exploits 0 · References 7
Veracode · added 2025/02/07 2:34 a.m. · 6 views

Reflected Cross-Site Scripting (Reflected XSS)

Better-auth is vulnerable to reflected cross-site scripting (XSS). The vulnerability is caused by HTML injection resulting from improper handling of user input on the /api/auth/error page, allowing an attacker to execute arbitrary JavaScript in a victim's browser...

AI score 6.8 · Exploits 0
CNNVD · added 2025/02/07 12:0 a.m. · 1 view

trojan security vulnerability

trojan is a multi-user administration and deployment program by Jrohy Individual Developer, supporting web page administration. A security vulnerability exists in trojan versions v.2.0.0 through v.2.15.3, which is caused by elevation of privilege via the initialization interface /auth/register...

CVSS 9.8 · AI score 6.8 · EPSS 0.01267 · Exploits 2 · References 1
RedhatCVE · added 2025/02/06 12:55 a.m. · 7 views

CVE-2022-3095

The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapp...

CVSS 9.8 · AI score 6.8 · EPSS 0.00867 · Exploits 0 · References 1
RedhatCVE · added 2025/02/06 12:48 a.m. · 14 views

CVE-2022-3696

A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA...

CVSS 7.2 · AI score 7.5 · EPSS 0.01102 · Exploits 0
Github Security Blog · added 2025/02/05 9:49 p.m. · 31 views

Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)

Summary: The better-auth /api/auth/error page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability. Details: The value of the error URL parameter was reflected as HTML on the error page: ...

AI score 6 · Exploits 0 · References 4 · Affected Software 1
OSV · added 2025/02/05 9:49 p.m. · 1 view

GHSA-9X4V-XFQ5-M8X5 Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)

Summary: The better-auth /api/auth/error page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability. Details: The value of the error URL parameter was reflected as HTML on the error page: ...

CVSS 5.1 · AI score 6 · Exploits 0 · References 4
RedhatCVE · added 2025/02/05 7:34 p.m. · 8 views

CVE-2022-39268

Impact: In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user...

CVSS 8.1 · AI score 6.4 · EPSS 0.00382 · Exploits 0 · References 1
IBM Security Bulletins · added 2025/02/03 11:4 p.m. · 56 views

Security Bulletin: IBM Cloud Pak for Network Automation 2.7.5 addresses multiple security vulnerabilities.

Summary: IBM Cloud Pak for Network Automation 2.7.5 addresses multiple security vulnerabilities. Vulnerability Details: CVEID: CVE-2024-32879. DESCRIPTION: Python Social Auth Django could allow a remote authenticated attacker to bypass security restrictions, caused by improper handling of case...

CVSS 8.2 · AI score 9.2 · EPSS 0.8496 · Exploits 3 · Affected Software 1
SUSE Linux · added 2025/02/03 8:54 a.m. · 2 views

Security update for selinux-policy

This update for selinux-policy fixes the following issues: Update to version 20230523+git25.ad22dd7f: Backport wtmpdb label change to have the same wtmpdb label as in SL Micro 6.1 (bsc#1229132); Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records; Add auth_rw_wtmpdb_login_records to modul...

AI score 7.4 · Exploits 0 · References 12