
Overview

  • symfony
  • ux

19 May 2025
Published
19 May 2025
Updated

CVSS v3.1
MEDIUM (6.1)
EPSS
Pending

KEV

Description

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) outputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. The issue is fixed in version `2.25.1` of `symfony/ux-twig-component`. Those who use `symfony/ux-live-component` must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. As a workaround, avoid rendering `{{ attributes }}` or derived objects directly if they may contain untrusted values. Instead, use `{{ attributes.render('name') }}` for safe output of individual attributes.
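The injection the advisory describes, as an added example that is not Symfony UX code: a JavaScript model of the attribute bag, with the unescaped rendering of the affected versions next to an escaped rendering and a per-attribute `render('name')`. The class name and method names mirror the advisory; the implementation, the `attributeNames()` helper and the sample input are this example's own, and `escapeAttr()` stands in for Twig's attribute escaping (the PHP equivalent is `htmlspecialchars($value, ENT_QUOTES)`).

```javascript
// Added example: a JavaScript stand-in for the PHP ComponentAttributes class.
// Not the library's code; it only models the behaviour the advisory describes.

// Escape a value for placement inside a double-quoted HTML attribute.
// Same character set as PHP's htmlspecialchars($value, ENT_QUOTES).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

class ComponentAttributes {
  constructor(attrs) {
    this.attrs = { ...attrs };
  }

  // Pre-2.25.1 behaviour: values are concatenated verbatim, so a value that
  // contains a double quote closes the attribute and whatever follows is
  // parsed by the browser as additional attributes (attribute injection).
  toStringUnescaped() {
    return Object.entries(this.attrs).map(([k, v]) => `${k}="${v}"`).join(' ');
  }

  // Fixed behaviour: every value is escaped before it lands inside the quotes.
  toString() {
    return Object.entries(this.attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`).join(' ');
  }

  // Counterpart of the workaround `attributes.render('name')`: one attribute,
  // value escaped, empty string if the attribute is absent.
  render(name) {
    return name in this.attrs ? `${name}="${escapeAttr(this.attrs[name])}"` : '';
  }

  // Derived object: dropping attributes must not drop the escaping.
  without(...names) {
    const kept = Object.fromEntries(Object.entries(this.attrs).filter(([k]) => !names.includes(k)));
    return new ComponentAttributes(kept);
  }
}

// Attribute names a browser would see in a rendered tag. Sufficient for the
// double-quoted output produced above; not a general HTML parser.
function attributeNames(tag) {
  return [...tag.matchAll(/([^\s"'=<>]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed input: a title copied from an untrusted request parameter.
const UNTRUSTED_TITLE = 'x" onmouseover="alert(document.cookie)';

function demo() {
  const attrs = new ComponentAttributes({ class: 'btn', title: UNTRUSTED_TITLE });
  return {
    vulnerable: `<button ${attrs.toStringUnescaped()}>Go</button>`, // gains an onmouseover handler
    fixed: `<button ${attrs}>Go</button>`,                           // template literal calls toString()
    single: attrs.render('title'),
    derived: `<button ${attrs.without('class')}>Go</button>`,
  };
}
```

`attributeNames(demo().vulnerable)` yields `class`, `title` and `onmouseover`; the escaped renderings yield only the attributes the component declared. The same check (count the attributes the browser will parse, not the ones you intended) is a quick way to confirm a template upgrade actually took effect.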

Statistics

  • 2 Posts

Fediverse


🔐 Symfony UX CVE-2025-47946: Unsanitized HTML attribute injection via ComponentAttributes
➡️ symfony.com/blog/symfony-ux-cv

  • 0
  • 0
  • 21 hours ago

Overview

  • ConnectWise
  • Risk Assessment

19 May 2025
Published
19 May 2025
Updated

CVSS v3.1
MEDIUM (6.0)
EPSS
Pending

KEV

Description

ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. The key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained, the key can be used to decrypt the CSV input files used for authenticated network scanning.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse


Bwahahahahaha

github.com/packetlabs/vulnerab

sev:MED 6.0 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

The ConnectWise-Password-Encryption-Utility.exe binary contains hardcoded encryption keys in plaintext which can be extracted by an attacker analyzing the binary strings.

nvd.nist.gov/vuln/detail/CVE-2

  • 2
  • 1
  • 16 hours ago

Overview

  • openpgpjs
  • openpgpjs

19 May 2025
Published
19 May 2025
Updated

CVSS v4.0
HIGH (8.7)
EPSS
Pending

KEV

Description

OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Starting in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously modified message can be passed to either `openpgp.verify` or `openpgp.decrypt`, causing these functions to return a valid signature verification result while returning data that was not actually signed. This flaw allows signature verifications of inline (non-detached) signed messages (using `openpgp.verify`) and signed-and-encrypted messages (using `openpgp.decrypt` with `verificationKeys`) to be spoofed, since both functions return extracted data that may not match the data that was originally signed. Detached signature verifications are not affected, as no signed data is returned in that case. In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js. In other words, any inline-signed message can be modified to return any other data (while still indicating that the signature was valid), and the same is true for signed+encrypted messages if the attacker can obtain a valid signature and encrypt a new message (of the attacker's choice) together with that signature. The issue has been patched in versions 5.11.3 and 6.1.1. Some workarounds are available. When verifying inline-signed messages, extract the message and signature(s) from the message returned by `openpgp.readMessage`, and verify the(/each) signature as a detached signature by passing the signature and a new message containing only the data (created using `openpgp.createMessage`) to `openpgp.verify`.
When decrypting and verifying signed+encrypted messages, decrypt and verify the message in two steps, by first calling `openpgp.decrypt` without `verificationKeys`, and then passing the returned signature(s) and a new message containing the decrypted data (created using `openpgp.createMessage`) to `openpgp.verify`.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse


Oh my.

github.com/openpgpjs/openpgpjs

sev:HIGH 8.7 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Starting in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature verification result while returning data that was not actually signed. This flaw allows signature verifications of inline (non-detached) signed messages (using openpgp.verify) and signed-and-encrypted messages (using openpgp.decrypt with verificationKeys) to be spoofed, since both functions return extracted data that may not match the data that was originally signed. Detached signature verifications are not affected, as no signed data is returned in that case. In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js. In other words, any inline-signed message can be modified to return any other data (while still indicating that the signature was valid), and the same is true for signed+encrypted messages if the attacker can obtain a valid signature and encrypt a new message (of the attacker's choice) together with that signature. The issue has been patched in versions 5.11.3 and 6.1.1. Some workarounds are available. When verifying inline-signed messages, extract the message and signature(s) from the message returned by openpgp.readMessage, and verify the(/each) signature as a detached signature by passing the signature and a new message containing only the data (created using openpgp.createMessage) to openpgp.verify.
When decrypting and verifying signed+encrypted messages, decrypt and verify the message in two steps, by first calling openpgp.decrypt without verificationKeys, and then passing the returned signature(s) and a new message containing the decrypted data (created using openpgp.createMessage) to openpgp.verify.

nvd.nist.gov/vuln/detail/CVE-2

  • 2
  • 0
  • 13 hours ago

Overview

  • auth0
  • auth0-PHP

15 May 2025
Published
16 May 2025
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
0.03%

KEV

Description

Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse


🚨 A critical vulnerability (CVE-2025-47275) in the Auth0 SDK exposes Symfony, Laravel, and WordPress users to brute-force session attacks. Okta has released patches—learn how to protect your application now.

#SecurityLand #CyberWatch #Auth0 #Okta #PHP #Laravel #WordPress #Symfony #Vulnerability #Patch

Read More: security.land/critical-vulnera

  • 2
  • 0
  • 22 hours ago

Overview

  • Pending

12 Aug 2024
Published
19 May 2025
Updated

CVSS
Pending
EPSS
0.10%

Description

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

Statistics

  • 2 Posts

Fediverse

I found that CVE-2024-27443 doesn't qualify for XSS Reflections as it seems to be a stored XSS. Pretty neat vuln though!

https://github.com/v-p-b/xss-reflections

RE: https://mastodon.social/@cisakevtracker/114535804613431399
  • 0
  • 0
  • 15 hours ago

CISA published new KEVs earlier but I don't think any of them were unknown to the public to have been exploited.

CVE-2023-38950: ZKTeco
CVE-2024-27443: Synacor
CVE-2025-27920: Srimax
CVE-2024-11182: MDaemon
CVE-2025-4428: Ivanti
CVE-2025-4427: Ivanti

  • 0
  • 0
  • 14 hours ago

Overview

  • MDaemon
  • Email Server

15 Nov 2024
Published
19 May 2025
Updated

CVSS v4.0
MEDIUM (5.3)
EPSS
0.06%

Description

An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window.

Statistics

  • 2 Posts

Fediverse

CVE-2024-11182 also seems like a stored XSS: "attacker can send a specially crafted HTML e-mail message with JavaScript in an img tag" - The '90s called and they want their webmail bugs back!!

RE: https://mastodon.social/@cisakevtracker/114535806650652126
  • 0
  • 0
  • 15 hours ago

CISA published new KEVs earlier but I don't think any of them were unknown to the public to have been exploited.

CVE-2023-38950: ZKTeco
CVE-2024-27443: Synacor
CVE-2025-27920: Srimax
CVE-2024-11182: MDaemon
CVE-2025-4428: Ivanti
CVE-2025-4427: Ivanti

  • 0
  • 0
  • 14 hours ago

Overview

  • IBM
  • i

17 May 2025
Published
20 May 2025
Updated

CVSS v3.1
HIGH (8.5)
EPSS
0.04%

KEV

Description

IBM TCP/IP Connectivity Utilities for i, shipped with IBM i 7.2, 7.3, 7.4, 7.5, and 7.6, contains a privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse

  • 1
  • 1
  • 16 hours ago

Overview

  • Qualcomm, Inc.
  • Snapdragon Mobile, Snapdragon Compute, Snapdragon Auto, Snapdragon IOT, Snapdragon Connectivity, Snapdragon Voice & Music

14 Jun 2022
Published
03 Aug 2024
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.07%

KEV

Description

Buffer overflow in the Sahara protocol while processing commands leads to overwrite of secure configuration data in Snapdragon Mobile, Snapdragon Compute, Snapdragon Auto, Snapdragon IOT, Snapdragon Connectivity, Snapdragon Voice & Music.

Statistics

  • 1 Post

Fediverse


something I'm still curious about is wtf was CVE-2021-30327, allegedly some buffer overflow in EDL but there's not much to go off of.

The only hints I have atm are like,
- sxr2130 allows trying to upload an image again, and sigchecks happen after the segments are loaded into RAM
- sxr2250 has a lot of bounds checks near a memsz vs filesz memset for the sig segment
- MBNv7 changes in general

  • 0
  • 0
  • 6 hours ago

Overview

  • Microsoft
  • Windows Server 2019

14 Jan 2025
Published
02 Apr 2025
Updated

CVSS v3.1
HIGH (8.1)
EPSS
2.27%

KEV

Description

Windows Remote Desktop Services Remote Code Execution Vulnerability

Statistics

  • 1 Post

Fediverse


Don't expose Remote Desktop directly to the Internet, they said. Put it behind a Remote Desktop Gateway, they said. It will be fine, they said...

"Race Condition in Windows Remote Desktop Gateway Enables RCE – PoC Demonstrates Exploitability":

securityonline.info/cve-2025-2

(Fixed in the latest Patch Tuesday.)

  • 0
  • 0
  • 4 hours ago

Overview

  • Fortinet
  • FortiOS

14 Jan 2025
Published
23 Jan 2025
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
93.30%

Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Statistics

  • 2 Posts

Fediverse


🚨Spike in Fortinet CVE-2024-55591 vulnerability rapidly increased in the past week 👇

The Network has detected a wave of exploitation attempts targeting CVE-2024-55591, a Fortinet vulnerability that affects FortiWAN versions before 5.3.2. First seen on April 23rd, the CrowdSec Network still sees elevated levels of probing and exploitation.

ℹ️ About the exploit:
This flaw allows remote attackers to perform unauthenticated command injection on exposed FortiWAN instances. This vulnerability affects FortiWAN versions prior to 5.3.2. It enables attackers to execute arbitrary commands via crafted HTTP requests — no authentication required.

🔎 Trend analysis:
🔹 April 23rd: The CrowdSec Network detects a shift in the long-term trend of CVE-2024-55591 exploits.
🔹 April 23rd - April 28th: Activity increases rapidly from 30 to about 80 malicious IPs reported daily, producing over 400 distinct attack events.
🔹 April 29 - May 2nd: The attackers take a break. This provides a key point of insight into the nature of this attack campaign.
🔹 May 3rd - May 19th: The attack picks back up with increased intensity. It now originates from around 200 unique IP addresses per day and produces about 900 attack events per day.
🔹 May 19th: The CrowdSec Network still sees elevated levels of probing and exploitation attempts.

✅ How to protect your systems:
🔹 You can use CrowdSec’s open CTI search bar and blocklists to stay ahead of the curve. app.crowdsec.net/cti?q=cves%3A
🔹 Alternatively, you can use CrowdSec’s newest tool, IPDEX, to build instant reports for this particular CVE and explore the data CrowdSec has aggregated. crowdsec.net/blog/introducing-

For more information, visit 👉 crowdsec.net 🧵[1/2]

  • 0
  • 0
  • 21 hours ago

As the image shows, we see that inside the results, many actors are classified as benign, which confirms that although the exploit is dangerous, the actual campaign is not. This level of enrichment provided by CrowdSec CTI helps security teams prioritize alerts, and IPDEX supports this workflow, allowing analysts to filter out harmless campaigns such as the one by the Shadowserver Foundation. You can also add a filter within IPDEX to remove those benign actors and filter on the date of last activity.

You can get started with IPDEX by heading over to the CrowdSec GitHub 👉 github.com/crowdsecurity/ipdex

🧵[2/2]

  • 0
  • 0
  • 21 hours ago