37 matches found
GHSA-64CV-VXPR-J6VC edx-enterprise has SSRF via SAML metadata URL in sync_provider_data endpoint
Summary The syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the SAMLProviderConfigViewSet PATCH endpoint, then trigger...
CVE-2025-11492
In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some...
EUVD-2025-34826
The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by...
CVE-2025-11492
In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some...
CVE-2025-11493
The CVE-2025-11493 entry concerns the ConnectWise Automate Agent. The connected sources describe that the agent does not fully verify the authenticity of files downloaded from the server (updates, dependencies, and integrations), creating a risk of a man-in-the-middle substitution of legitimate f...
CVE-2025-11492 HTTP Configuration and Encryption in Transit
In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some...
EUVD-2014-5972
Malware in sbrugna...
EUVD-2016-3037
Malware in sbrugna...
EUVD-2024-30650
Malicious code in bioql PyPI...
EUVD-2025-23896
Malicious code in bioql PyPI...
EUVD-2022-5966
Malicious code in bioql PyPI...
SUSE CVE-2025-54799
Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...
DEBIAN-CVE-2025-54799
Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...
CVE-2025-54799
Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...
CVE-2025-54799
Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...
UBUNTU-CVE-2025-54799
Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...
CVE-2025-54799 Lego does not enforce HTTPS
Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...
CVE-2025-54799 Lego does not enforce HTTPS
Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...
Cleartext Transmission of Sensitive Information
Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the lack of HTTPS enforcement for the ACME client. An attacker can intercept sensitive information by capturing unencrypted network traffic if the library user accidentally inputs a...
CVE-2025-54799
CVE-2025-54799 affects the Lets Encrypt Go-based client and the lego v4/acme/api package. In 4.25.1 and earlier, the library does not enforce HTTPS when the ACME client communicates with CAs, applying to both the initial discover URL and the URLs returned in directory/order objects. If an HTTP UR...