Malicious code in valid-ip-scope (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7465414603f3c8dda0d63ea47cec0337ce0286407a8c488100a46b5a78a5b49d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-3133 Malicious code in valid-ip-ban (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b8178b30a109e454369e72c1f8e3c53686457f2af96fee398ca102ad91681e92 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

FreeBSD : openvpn -- server-side denial-of-service vulnerability with tls-crypt-v2 (2cad4541-0f5b-11f0-89f8-411aefea0df9)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 2cad4541-0f5b-11f0-89f8-411aefea0df9 advisory. Gert Doering reports: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abor...

CVE-2025-31123

Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to...

CVE-2025-20212

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series devices could allow an authenticated, remote attacker to cause a denial of service DoS condition in the Cisco AnyConnect service on an affected device. To exploit this vulnerability, the attacker must...

Citrix DaaS - Unable to change Master image for the machine catalog

When attempting to use the "Change Master Image" option in the machine catalog properties, the process may fail with the following error: "Preparation of the Master VM Image failed. Make sure that the selected image is a supported OS and has a valid VDA installed" However creating a new catalog...

GHSA-FCFQ-M8P6-GW56 Mobile Security Framework (MobSF) has a SSRF Vulnerability fix bypass on assetlinks_check with DNS Rebinding

Summary The latest deployed fix for the SSRF vulnerability is through the use of the call validhost. The code available at lines /ae34f7c055aa64fca58e995b70bc7f19da6ca33a/mobsf/MobSF/utils.pyL907-L957 is vulnerable to SSRF abuse using DNS rebinding technique. PoC The following proof of concept:...

PYSEC-2025-48

Mobile Security Framework MobSF is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in validhost uses socket.gethostbyname, which is vulnerable to SSRF abuse using DNS rebinding technique. This...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in Linux kernel, which stems from an incorrect check in the updateparentsubpartscpumask function of the cgroup cpuset component, which could...

CVE-2024-11173

CVE-2024-11173 affects the danny-avila/librechat project (git 600d217). An unhandled exception in API request handling can crash the server, causing a full denial of service. Exploitation requires a valid JWT, but LibreChat’s open registration allows attackers to create accounts and trigger the a...

USN-7354-1 djoser vulnerability

Diego Cebrián discovered that djoser did not properly handle user authentication. An attacker with valid credentials could possibly use this to bypass authentication checks, such as two-factor authentication, to gain unintended access...

Siemens SCALANCE M-800 and SC-600 Families Partial String Comparison (CVE-2025-23384)

A remote attacker needs to have access to a valid certificate in order to perform a successful attack. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information. %NASLMINLEVEL 80900 C Tenable, Inc. include'compat.inc'; if description...

btrfs: avoid NULL pointer dereference if no valid extent tree

...

CVE-2020-36843

The implementation of EdDSA in EdDSA-Java aka ed25519-java through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA Strong Existential Unforgeability under Chosen Message Attacks property. This allows attackers to create new valid signatures different from previous signature...

CVE-2024-49823 IBM Common Cryptographic Architecture denial of service

IBM Common Cryptographic Architecture 7.0.0 through 7.5.51 could allow an authenticated user to cause a denial of service in the Hardware Security Module HSM using a specially crafted sequence of valid requests...

Unbreakable Enterprise kernel security update

5.4.17-2136.341.3.1 - Revert 'NFSD: Limit the number of concurrent async COPY operations' Sherry Yang Orabug: 37667080 5.4.17-2136.341.3 - iouring: fix possible deadlock in ioregisteriowqmaxworkers Hagar Hemdan Orabug: 37565787 - iouring/rw: fix missing NOWAIT check for ODIRECT start write Jens...

CVE-2024-58073 drm/msm/dpu: check dpu_plane_atomic_print_state() for valid sspp

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: check dpuplaneatomicprintstate for valid sspp Similar to the rpipe sspp protect, add a check to protect the pipe state prints to avoid NULL ptr dereference for cases when the state is dumped without a corresponding...

CVE-2025-20206 Cisco Secure Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability

A vulnerability in the interprocess communication IPC channel of Cisco Secure Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the Secure Firewall Posture Engine, formerly HostScan, is installed on Cisco Secure Client. This...

CVE-2025-1723

CVE-2025-1723 affects Zohocorp ManageEngine ADSelfService Plus versions 6510 and earlier. The root cause is session mishandling in ADSelfService Plus, which can enable account takeover by valid users, especially when MFA is not enabled. Multiple connected sources (Red Hat advisory, NVD/NCSC/CVE r...

CVE-2025-1723 Account takeover

Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug...