Loading Threat Intelligence...
HIGH Score: 8.3/10

Vulnerability Summary

An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators.

Technical Analysis

  • CVE ID: CVE-2025-57130
  • Published: 2025-11-05T16:15:40.203
  • Status: Active

How to Fix & Protect

The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.

Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.

Read Report
CRITICAL Score: 9.1/10

Vulnerability Summary

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Technical Analysis

  • CVE ID: CVE-2025-64459
  • Published: 2025-11-05T15:15:41.080
  • Status: Active

How to Fix & Protect

The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.

Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.

Read Report
HIGH Score: 7.5/10

Vulnerability Summary

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Technical Analysis

  • CVE ID: CVE-2025-64458
  • Published: 2025-11-05T15:15:40.940
  • Status: Active

How to Fix & Protect

The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.

Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.

Read Report
HIGH Score: 7.1/10

Vulnerability Summary

MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets (<>) in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing even when anti-spoofing protections are in place. NOTE: this is disputed by the Supplier because UI spoofing occurs in a client, not in a server such as MDaemon's product or any other server implementation. Also, if a client without its own spoofing protection must be used, the Header Screening feature in MDaemon's product can be employed to mitigate the client-side vulnerability.

Technical Analysis

  • CVE ID: CVE-2025-61084
  • Published: 2025-11-05T15:15:39.997
  • Status: Active

How to Fix & Protect

The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.

Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.

Read Report
MEDIUM Score: 4.2/10

Vulnerability Summary

HCL BigFix Query is affected by a sensitive information disclosure in the WebUI Query application.  An HTTP GET endpoint request returns discoverable responses that may disclose: group names, active user names (or IDs).  An attacker can use that information to target individuals with phishing or other social-engineering attacks.

Technical Analysis

  • CVE ID: CVE-2025-52602
  • Published: 2025-11-05T15:15:39.337
  • Status: Active

How to Fix & Protect

The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.

Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.

Read Report
CRITICAL Score: 9.8/10

Vulnerability Summary

A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability.

Technical Analysis

  • CVE ID: CVE-2025-47151
  • Published: 2025-11-05T15:15:39.183
  • Status: Active

How to Fix & Protect

The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.

Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.

Read Report
HIGH Score: 7.5/10

Vulnerability Summary

A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.

Technical Analysis

  • CVE ID: CVE-2025-46784
  • Published: 2025-11-05T15:15:39.030
  • Status: Active

How to Fix & Protect

The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.

Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.

Read Report
HIGH Score: 7.5/10

Vulnerability Summary

A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.

Technical Analysis

  • CVE ID: CVE-2025-46705
  • Published: 2025-11-05T15:15:38.530
  • Status: Active

How to Fix & Protect

The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.

Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.

Read Report
HIGH Score: 7.5/10

Vulnerability Summary

A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.

Technical Analysis

  • CVE ID: CVE-2025-46404
  • Published: 2025-11-05T15:15:37.843
  • Status: Active

How to Fix & Protect

The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.

Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.

Read Report
MEDIUM Score: 6.7/10

Vulnerability Summary

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

Technical Analysis

  • CVE ID: CVE-2025-3125
  • Published: 2025-11-05T15:15:33.953
  • Status: Active

How to Fix & Protect

The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.

Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.

Read Report
Older