CVE-2025-59270 psPAS does not enforce TLS 1.2 within Get-PASSAMLResponse

psPAS PowerShell module does not explicitly enforce TLS 1.2 within the 'Get-PASSAMLResponse' function during the SAML authentication process. An unauthenticated attacker in a 'Man-in-the-Middle' position could manipulate the TLS handshake and downgrade TLS to a deprecated protocol. Fixed in 7.0.2...

CVE-2023-53206 hwmon: (pmbus_core) Fix NULL pointer dereference

In the Linux kernel, the following vulnerability has been resolved: hwmon: pmbuscore Fix NULL pointer dereference Pass i2cclient to pmbusisenabled to drop the assumption that a regulator device is passed in. This will fix the issue of a NULL pointer dereference when called from pmbusgetflags...

CVE-2025-58439

ERP is a free and open source Enterprise Resource Planning tool. In versions below 14.89.2 and 15.0.0 through 15.75.1, lack of validation of parameters left certain endpoints vulnerable to error-based SQL Injection. Some information like version could be retrieved. This issue is fixed in versions...

f2fs: fix to avoid potential panic during recovery

...

PT-2025-35495

Name of the Vulnerable Software and Affected Versions: StreamVault versions prior to 250822 Description: StreamVault is a multi-platform video parsing and downloading tool. Prior to version 250822, after logging into the StreamVault system, an attacker can modify system parameters, construct...

CVE-2025-55304 Exiv2 has quadratic performance in ICC profile parsing in JpegBase::readMetadata

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata can cause Exiv2 to run for a long time...

PT-2025-35096

Name of the Vulnerable Software and Affected Versions: Asterisk versions prior to 18.26.4 Asterisk versions prior to 18.9-cert17 Description: Asterisk, an open source private branch exchange and telephony toolkit, is susceptible to resource exhaustion due to a lack of session termination. This ca...

OpenBao TOTP Secrets Engine Code Reuse

Impact OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. Patches OpenBao v2.3.2 will patch this issue. In patching, codes which were not normalized strictly N numeric digits...

quiche connection ID retirement can trigger an infinite loop

Impact Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRECONNECTIONID frames. QUIC connections possess a set of connection identifiers IDs; see Section 5.1 of RFC 9000. Once the QUIC handshake completes, a local endpoint is responsible for...

The Thinbus Javascript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended

Impact A protocol compliance bug in thinbus-srp-npm versions prior to 2.0.1 causes the client to generate a fixed 252 bits of entropy instead of the intended bit length of the safe prime defaulted to 2048 bits. RFC 5054 states in section 2.5.4 Client Key Exchange The client key exchange message...

GHSA-8Q6V-474H-WHGG The Thinbus Javascript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended

Impact A protocol compliance bug in thinbus-srp-npm versions prior to 2.0.1 causes the client to generate a fixed 252 bits of entropy instead of the intended bit length of the safe prime defaulted to 2048 bits. RFC 5054 states in section 2.5.4 Client Key Exchange The client key exchange message...

PT-2025-32220 · Unknown · Vedo Suite

Name of the Vulnerable Software and Affected Versions: Vedo Suite version 2024.17 Description: An unrestricted file upload issue exists in Vedo Suite version 2024.17. Remote authenticated attackers can write to arbitrary filesystem paths by exploiting the insecure uploadPreviews custom function i...

SUSE-SU-2025:02707-1 Security update for the Linux Kernel (Live Patch 59 for SLE 15 SP3)

This update for the Linux Kernel 5.3.18-15030059211 fixes one issue. The following security issue was fixed: - CVE-2025-37797: netsched: hfsc: Fix a UAF vulnerability in class handling bsc1245793...

WordPress Betheme Theme <= 28.1.3 is vulnerable to Cross Site Scripting (XSS)

Software Betheme Type Theme Vulnerable versions = 28.1.3 Fixed in 28.1.4 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2025-7399 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 9f439b9a2b5e Credits stealthcopter Required privileg...

The ADOdb sqlite3 driver allows SQL injection

Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns, metaForeignKeys or metaIndexes methods with a crafted table name. Note that the indicated Severity corresponds to a...

Security update for nvidia-open-driver-G06-signed

This update for nvidia-open-driver-G06-signed fixes the following issues: This update was retracted due to dependency problems with the CUDA Kmp. Update to 550.144.03 bsc1235461, bsc1235871: fixes CVE-2024-0131, CVE-2024-0147, CVE-2024-0149, CVE-2024-0150, CVE-2024-53869 let -cuda KMP conflict wi...

CVE-2025-54593

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code...

Debian dla-4264 : exempi - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4264 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4264-1 [email protected]...

OpenSearch unauthorized data access on fields protected by field masking for fields of type ip, geo_point, geo_shape, xy_point, xy_shape

Impact OpenSearch versions 2.19.2 and earlier improperly apply field masking rules on fields of the types ip, geopoint, geoshape, xypoint, xyshape. While the content of these fields is properly redacted in the source document returned by search operations, the original unredacted values remain...

WordPress Benaa Framework plugin <= 4.0.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Missing Authorization to Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by Lucio Sá in WordPress Plugin Benaa Framework versions = 4.0.0...