2025-06-13 Daily Vulns
NEW:
CVE | vendor-product | description | metric | Referenceurl | SSVC | title | GithubURL |
---|---|---|---|---|---|---|---|
CVE-2025-2745 | AVEVA - PI Web API | A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or upload media files) to persist arbitrary JavaScript code that will be executed by users who were socially engineered to disable content security policy protections while rendering annotation attachments from within a web browser. | CVSS3.1: 6.5 - MEDIUM; CVSS4.0: 4.5 - MEDIUM | 0 1 | Exploitation: none; Automatable: no; Technical Impact: partial | AVEVA PI Web API Cross-site Scripting | github |
CVE-2021-25736 | Kubernetes - Kubernetes | Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected. | CVSS3.1: 5.8 - MEDIUM | 0 1 2 | Exploitation: none; Automatable: no; Technical Impact: partial | Windows kube-proxy LoadBalancer contention | github |
CVE-2022-26461 | MediaTek, Inc. - MT6833, MT6853, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8791, MT8797 | In vow, there is a possible undefined behavior due to an API misuse. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07032604; Issue ID: ALPS07032604. | CNA n/a; CVSS3.1: 6.7 - MEDIUM | 0 | Exploitation: none; Automatable: no; Technical Impact: total | undefined | github |
CVE-2025-35978 | Fujitsu Client Computing Limited - UpdateNavi; Fujitsu Client Computing Limited - UpdateNaviInstallService | Improper restriction of communication channel to intended endpoints issue exists in UpdateNavi V1.4 L10 to L33 and UpdateNaviInstallService Service 1.2.0091 to 1.2.0125. If a local authenticated attacker sends malicious data, an arbitrary registry value may be modified or arbitrary code may be executed. | CVSS4.0: 6.9 - MEDIUM | 0 1 | Exploitation: none; Automatable: no; Technical Impact: total | undefined | github |
This post is licensed under CC BY 4.0 by the author.