CVE-2025-25215 - Dell ControlVault3/Dell ControlVault3 Plus: Arbitrary Free Vulnerability
Published: Fri, 13 Jun 2025 22:15:19 +0000
CVE ID : CVE-2025-25215
Description : An arbitrary free vulnerability exists in the cv_close functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an arbitrary free. An attacker can forge a fake session to trigger this vulnerability.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-24919 - Dell ControlVault3/ControlVault3 Plus Deserialization of Untrusted Input Remote Code Execution Vulnerability
Published: Fri, 13 Jun 2025 22:15:18 +0000
CVE ID : CVE-2025-24919
Description : A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution on the host. An attacker can compromise the ControlVault firmware and have it craft a malicious response to trigger this vulnerability.
Severity: 8.1 | HIGH
CVE-2025-6083 - ExtremeCloud Universal ZTNA SQL Injection
Published: Fri, 13 Jun 2025 21:15:20 +0000
CVE ID : CVE-2025-6083
Description : In ExtremeCloud Universal ZTNA, a syntax error in the 'searchKeyword' condition caused queries to bypass the owner_id filter. This issue may allow users to search data across the entire table instead of being restricted to their specific owner_id.
Severity: 0.0 | NA
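The ExtremeCloud entry above attributes the cross-tenant leak to a syntax error in the 'searchKeyword' condition that let queries escape the owner_id filter. The most common way a keyword clause breaks an ownership filter is an unparenthesized OR: AND binds tighter than OR, so the owner_id check covers only the first LIKE branch and the second branch matches every tenant's rows. The following is an added Python/sqlite3 reconstruction of that bug class, not ExtremeCloud's code; the table, column names, query shape and tenant data are constructed for the example. Parameters are bound throughout, so what is shown is authorization scoping, not injection.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants' rows share one table, separated only by owner_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE policies (id INTEGER PRIMARY KEY, owner_id TEXT, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO policies (owner_id, name, description) VALUES (?, ?, ?)",
        [
            ("tenant-a", "vpn-admins", "admin access"),
            ("tenant-a", "hr-apps", "hr portal"),
            ("tenant-b", "finance-admins", "ledger admin"),
            ("tenant-b", "guest-wifi", "guest network"),
        ],
    )
    return conn


def search_broken(conn: sqlite3.Connection, owner_id: str, keyword: str) -> list:
    """Hypothetical reconstruction of the bug class: the keyword condition is appended
    with OR but not parenthesized. SQL parses this as
        (owner_id = ? AND name LIKE ?) OR (description LIKE ?)
    so the owner_id filter is missing from the second branch."""
    sql = (
        "SELECT owner_id, name FROM policies "
        "WHERE owner_id = ? AND name LIKE ? OR description LIKE ?"
    )
    like = f"%{keyword}%"
    return sorted(conn.execute(sql, (owner_id, like, like)).fetchall())


def search_fixed(conn: sqlite3.Connection, owner_id: str, keyword: str) -> list:
    """Parentheses force the owner_id predicate to apply to both keyword branches."""
    sql = (
        "SELECT owner_id, name FROM policies "
        "WHERE owner_id = ? AND (name LIKE ? OR description LIKE ?)"
    )
    like = f"%{keyword}%"
    return sorted(conn.execute(sql, (owner_id, like, like)).fetchall())


def leaks_other_tenants(rows: list, owner_id: str) -> bool:
    """Regression check a test suite can run against any search result:
    True if any returned row belongs to a different owner."""
    return any(row[0] != owner_id for row in rows)


def demo() -> dict:
    conn = build_db()
    broken = search_broken(conn, "tenant-a", "admin")
    fixed = search_fixed(conn, "tenant-a", "admin")
    return {
        "broken": broken,
        "fixed": fixed,
        "broken_leaks": leaks_other_tenants(broken, "tenant-a"),
        "fixed_leaks": leaks_other_tenants(fixed, "tenant-a"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Searching tenant-a for "admin" with the broken query returns tenant-b's "finance-admins" row because its description matches the unguarded branch; the fixed query returns only tenant-a's row. A per-query check like leaks_other_tenants() in the test suite catches this class of regression regardless of how the WHERE clause is assembled.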
CVE-2025-49598 - Conda-Forge CI Setup Arbitrary Code Execution
Published: Fri, 13 Jun 2025 21:15:20 +0000
CVE ID : CVE-2025-49598
Description : conda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is vulnerable due to the unsafe use of the eval function when parsing version information from a custom-formatted meta.yaml file. An attacker controlling meta.yaml can inject malicious code into the version assignment, which is executed during file processing, leading to arbitrary code execution. Exploitation requires an attacker to modify the recipe file by manipulating the RECIPE_DIR variable and introducing a malicious meta.yaml file. While this is more feasible in CI/CD pipelines, it is uncommon in typical environments, reducing overall risk. This vulnerability is fixed in 4.15.0.
Severity: 0.0 | NA
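The conda-forge entry above describes eval() being applied to the version expression pulled out of meta.yaml. The following added Python example is not the conda-forge-ci-setup code: the regex, the recipe snippets and the function names are constructed for illustration. It puts the vulnerable pattern (hand whatever follows "version =" to eval) beside a hardened parser that accepts only a Python string literal via the ast module and then validates the literal as a version string, and runs both against a benign recipe and a booby-trapped one. The payload sets an environment variable as a visible marker in place of the shell command a real attacker would run.

```python
import ast
import os
import re

# Jinja-style version line as used in conda-forge recipes, e.g. {% set version = "1.2.3" %}
VERSION_LINE = re.compile(r'\{%\s*set\s+version\s*=\s*(?P<expr>.+?)\s*%\}')
# Loose version-string shape: starts with a digit, then digits, dots and common suffix characters
VERSION_OK = re.compile(r'^[0-9][0-9A-Za-z.+_!-]*$')


def parse_version_unsafe(meta_yaml: str) -> str:
    """Hypothetical reconstruction of the vulnerable pattern: the text after 'version ='
    is evaluated as Python, so whoever controls meta.yaml controls code executed on the CI runner."""
    m = VERSION_LINE.search(meta_yaml)
    if m is None:
        raise ValueError("no version line found")
    return eval(m.group("expr"))  # attacker-controlled expression (deliberately unsafe)


def parse_version_safe(meta_yaml: str) -> str:
    """Hardened: parse the expression, accept only a string literal, then validate its content."""
    m = VERSION_LINE.search(meta_yaml)
    if m is None:
        raise ValueError("no version line found")
    expr = m.group("expr")
    try:
        node = ast.parse(expr, mode="eval").body
    except SyntaxError as exc:
        raise ValueError(f"unparseable version expression: {expr!r}") from exc
    if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
        raise ValueError(f"version must be a string literal, got: {expr!r}")
    version = node.value
    if not VERSION_OK.match(version):
        raise ValueError(f"not a version string: {version!r}")
    return version


# Constructed sample recipes (not real conda-forge feedstocks).
BENIGN_META = '''{% set name = "example-pkg" %}
{% set version = "4.14.0" %}

package:
  name: {{ name }}
  version: {{ version }}
'''

# The "version" is a Python expression with a side effect; `or "1.0"` makes the
# build look normal afterwards. A real payload would spawn a shell instead.
MALICIOUS_META = '''{% set version = __import__("os").environ.__setitem__("CI_SETUP_PWNED", "1") or "1.0" %}
package:
  name: example-pkg
  version: {{ version }}
'''


def demo() -> dict:
    """Run both parsers over both recipes and report what happened."""
    os.environ.pop("CI_SETUP_PWNED", None)
    results = {
        "unsafe_benign": parse_version_unsafe(BENIGN_META),
        "unsafe_malicious": parse_version_unsafe(MALICIOUS_META),
        "code_ran": os.environ.get("CI_SETUP_PWNED") == "1",
        "safe_benign": parse_version_safe(BENIGN_META),
    }
    try:
        parse_version_safe(MALICIOUS_META)
        results["safe_rejects_malicious"] = False
    except ValueError:
        results["safe_rejects_malicious"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both parsers return "4.14.0" for the benign recipe, which is why the eval() version survives review: it works. On the malicious recipe the unsafe parser returns the innocuous "1.0" while the injected code has already run (the marker variable is set); the safe parser rejects the expression because it is not a string literal. The same ast check also rejects numeric literals such as `version = 1.0`, which YAML would otherwise accept silently.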
CVE-2025-25050 - Dell ControlVault3/Dell ControlVault3 Plus Out-of-Bounds Write Vulnerability
Published: Fri, 13 Jun 2025 21:15:20 +0000
CVE ID : CVE-2025-25050
Description : An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an out-of-bounds write. An attacker can issue an API call to trigger this vulnerability.
Severity: 8.8 | HIGH
CVE-2025-24922 - Dell ControlVault3/Dell ControlVault3 Plus Stack-Based Buffer Overflow Vulnerability
Published: Fri, 13 Jun 2025 21:15:20 +0000
CVE ID : CVE-2025-24922
Description : A stack-based buffer overflow vulnerability exists in the securebio_identify functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted malicious cv_object can lead to arbitrary code execution. An attacker can issue an API call to trigger this vulnerability.
Severity: 8.8 | HIGH
CVE-2025-24311 - Dell ControlVault3/Dell ControlVault3 Plus Out-of-Bounds Read Information Leak
Published: Fri, 13 Jun 2025 21:15:20 +0000
CVE ID : CVE-2025-24311
Description : An out-of-bounds read vulnerability exists in the cv_send_blockdata functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an information leak. An attacker can issue an API call to trigger this vulnerability.
Severity: 8.4 | HIGH
CVE-2025-49597 - goodby-csv (handcraftedinthealps) Deserialization Gadget Chain Usable for Remote Code Execution
Published: Fri, 13 Jun 2025 20:15:23 +0000
CVE ID : CVE-2025-49597
Description : handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This so-called "gadget chain" presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. The problem is patched with Version 1.4.3.
Severity: 3.9 | LOW
CVE-2025-49596 - MCP Inspector Remote Code Execution Vulnerability
Published: Fri, 13 Jun 2025 20:15:23 +0000
CVE ID : CVE-2025-49596
Description : MCP Inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to a lack of authentication between the Inspector client and its proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address this vulnerability.
Severity: 0.0 | NA
CVE-2025-49587 - XWiki XSS Through Unvalidated HTML in Notification Displayer
Published: Fri, 13 Jun 2025 18:15:22 +0000
CVE ID : CVE-2025-49587
Description : XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.
Severity: 0.0 | NA
CVE-2025-49586 - XWiki Remote Code Execution Vulnerability
Published: Fri, 13 Jun 2025 18:15:22 +0000
CVE ID : CVE-2025-49586
Description : XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all XWiki users) can obtain programming right and perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.
Severity: 0.0 | NA
CVE-2025-49585 - XWiki Unrestricted Code Execution Vulnerability
Published: Fri, 13 Jun 2025 18:15:22 +0000
CVE ID : CVE-2025-49585
Description : XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.
Severity: 0.0 | NA
CVE-2025-49584 - XWiki Information Disclosure Vulnerability
Published: Fri, 13 Jun 2025 18:15:22 +0000
CVE ID : CVE-2025-49584
Description : XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, which is the default for an XWiki installation. This allows an attacker to obtain the titles of pages whose references are known, one title per request. Fully private wikis are not affected, as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the page-naming strategy: by default page names match titles, so the impact should be low, but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page.
Severity: 0.0 | NA
CVE-2025-49583 - XWiki Cross-Site Notification Vulnerability
Published: Fri, 13 Jun 2025 17:15:23 +0000
CVE ID : CVE-2025-49583
Description : XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.
Severity: 0.0 | NA
CVE-2025-49582 - XWiki Macro Execution Remote Code Execution
Published: Fri, 13 Jun 2025 17:15:23 +0000
CVE ID : CVE-2025-49582
Description : XWiki is a generic wiki platform. When editing content that contains "dangerous" macros, such as malicious script macros authored by a user with fewer rights, XWiki has warned about the execution of these macros since XWiki 15.9RC1. The required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax, such as titles of information boxes, weren't analyzed at all. Similarly, the "source" parameters of the content and context macros weren't analyzed even though they can contain arbitrary XWiki syntax. In the worst case, this allows a malicious user to add script macros, including Groovy or Python macros, to a page that are then executed after another user with programming rights edits the page, thus allowing remote code execution. The required rights analyzers have been made more robust and extended to cover those cases in XWiki 16.4.7, 16.10.3 and 17.0.0.
Severity: 0.0 | NA
CVE-2025-6052 - GNOME GLib Memory Corruption Vulnerability
Published: Fri, 13 Jun 2025 16:15:28 +0000
CVE ID : CVE-2025-6052
Description : A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.
Severity: 3.7 | LOW
CVE-2025-6035 - GIMP Integer Overflow Vulnerability in Despeckle Plug-in
Published: Fri, 13 Jun 2025 16:15:28 +0000
CVE ID : CVE-2025-6035
Description : A flaw was found in GIMP. An integer overflow vulnerability exists in the GIMP "Despeckle" plug-in. The issue occurs due to unchecked multiplication of image dimensions, such as width, height, and bytes-per-pixel (img_bpp), which can result in allocating insufficient memory and subsequently performing out-of-bounds writes. This issue could lead to heap corruption, a potential denial of service (DoS), or arbitrary code execution in certain scenarios.
Severity: 6.6 | MEDIUM
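The GLib GString entry and the GIMP Despeckle entry above describe the same C failure mode: a size computed in a fixed-width unsigned type wraps around, the allocation that follows is far too small, and the subsequent copy writes past it. The following added Python example simulates that arithmetic for both cases and is not GLib or GIMP code: Python integers do not wrap, so the result is masked to the simulated type width explicitly, and a 32-bit size type is assumed only so the wrapped values are easy to read (a 64-bit gsize wraps the same way with larger operands). Function names are hypothetical. Each unchecked calculation sits beside the check a fix would apply before the multiply or add.

```python
# Simulated unsigned size type. 32 bits is an assumption for readability.
SIZE_BITS = 32
SIZE_MAX = (1 << SIZE_BITS) - 1


def wrap(n: int) -> int:
    """Truncate to the width of the simulated unsigned size type, as C arithmetic does."""
    return n & SIZE_MAX


def image_buffer_size_unchecked(width: int, height: int, bpp: int) -> int:
    """Pattern from the GIMP advisory: width * height * bpp with no overflow check.
    Each partial product is truncated, so a huge image yields a tiny buffer size."""
    return wrap(wrap(width * height) * bpp)


def image_buffer_size_checked(width: int, height: int, bpp: int) -> int:
    """Check before multiplying: a * b overflows the type exactly when a > SIZE_MAX // b."""
    if width <= 0 or height <= 0 or bpp <= 0:
        raise ValueError("dimensions must be positive")
    if width > SIZE_MAX // height:
        raise OverflowError("width * height overflows the size type")
    area = width * height
    if area > SIZE_MAX // bpp:
        raise OverflowError("width * height * bpp overflows the size type")
    return area * bpp


def string_grow_unchecked(cur_len: int, add_len: int) -> int:
    """Pattern from the GLib advisory: new length = current + appended + 1 (for the NUL),
    computed in the size type, so a very long string plus more input wraps to a small value."""
    return wrap(cur_len + add_len + 1)


def string_grow_checked(cur_len: int, add_len: int) -> int:
    """Check before adding: the append fits only if add_len <= SIZE_MAX - cur_len - 1."""
    if cur_len < 0 or add_len < 0:
        raise ValueError("lengths must be non-negative")
    if add_len > SIZE_MAX - cur_len - 1:
        raise OverflowError("string length would overflow the size type")
    return cur_len + add_len + 1


def overflows(fn, *args) -> bool:
    """True if the checked variant refuses the computation."""
    try:
        fn(*args)
    except OverflowError:
        return True
    return False


if __name__ == "__main__":
    # A 65536 x 65537 x 1-byte image needs just over 4 GiB; the unchecked size is 64 KiB.
    print(hex(image_buffer_size_unchecked(0x10000, 0x10001, 1)))
    print(overflows(image_buffer_size_checked, 0x10000, 0x10001, 1))
    # A string 16 bytes short of SIZE_MAX plus 32 more bytes "needs" 17 bytes.
    print(string_grow_unchecked(SIZE_MAX - 15, 32))
    print(overflows(string_grow_checked, SIZE_MAX - 15, 32))
```

The division-based check (`a > SIZE_MAX // b`) is the portable form; in C, compiler builtins such as `__builtin_mul_overflow` express the same test without the division. The point either way is that the check happens on the operands before the product or sum exists, because once the wrapped value has been computed there is nothing left to compare it against.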
CVE-2025-49581 - XWiki Macro Execution Arbitrary Code Execution Vulnerability
Published: Fri, 13 Jun 2025 16:15:27 +0000
CVE ID : CVE-2025-49581
Description : XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value.
Severity: 0.0 | NA
CVE-2025-49580 - XWiki Script/Programming Rights Gained When a Link Target Is Renamed or Moved
Published: Fri, 13 Jun 2025 16:15:27 +0000
CVE ID : CVE-2025-49580
Description : XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.
Severity: 0.0 | NA
CVE-2025-48920 - Drupal etracker Cross-Site Scripting (XSS)
Published: Fri, 13 Jun 2025 16:15:27 +0000
CVE ID : CVE-2025-48920
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal etracker allows Cross-Site Scripting (XSS). This issue affects etracker: from 0.0.0 before 3.1.0.
Severity: 7.3 | HIGH
CVE-2025-48919 - Drupal Simple Klaro Cross-Site Scripting (XSS)
Published: Fri, 13 Jun 2025 16:15:27 +0000
CVE ID : CVE-2025-48919
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS). This issue affects Simple Klaro: from 0.0.0 before 1.10.0.
Severity: 5.0 | MEDIUM
CVE-2025-48918 - Drupal Simple Klaro Cross-site Scripting (XSS)
Published: Fri, 13 Jun 2025 16:15:27 +0000
CVE ID : CVE-2025-48918
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS). This issue affects Simple Klaro: from 0.0.0 before 1.10.0.
Severity: 8.8 | HIGH
CVE-2025-48917 - Drupal EU Cookie Compliance Cross-Site Scripting (XSS)
Published: Fri, 13 Jun 2025 16:15:26 +0000
CVE ID : CVE-2025-48917
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal EU Cookie Compliance (GDPR Compliance) allows Cross-Site Scripting (XSS). This issue affects EU Cookie Compliance (GDPR Compliance): from 0.0.0 before 1.26.0.
Severity: 5.0 | MEDIUM
CVE-2025-48916 - Drupal Bookable Calendar Missing Authorization
Published: Fri, 13 Jun 2025 16:15:26 +0000
CVE ID : CVE-2025-48916
Description : Missing Authorization vulnerability in Drupal Bookable Calendar allows Forceful Browsing. This issue affects Bookable Calendar: from 0.0.0 before 2.2.13.
Severity: 6.5 | MEDIUM
CVE-2025-48915 - Drupal COOKiES Consent Management Cross-Site Scripting (XSS)
Published: Fri, 13 Jun 2025 16:15:26 +0000
CVE ID : CVE-2025-48915
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.
Severity: 8.6 | HIGH