2025-07-19 Daily Vulns
NEW:
| CVE | vendor-product | description | metric | Referenceurl | title | GithubURL | |
|---|---|---|---|---|---|---|---|
| CVE-2025-54309 | CrushFTP - CrushFTP | CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025. | CVSS3.1: 9 - CRITICAL | 0 1 2 | Exploitation: noneAutomatable: noTechnical Impact: partial | undefined | github |
| CVE-2025-45156 | n/a - n/a | Splashin iOS v2.0 fails to enforce server-side interval restrictions for location updates for free-tier users. | CNA n/a CVSS3.1: 5.3 - MEDIUM | 0 1 | Exploitation: noneAutomatable: noTechnical Impact: partial | undefined | github |
| CVE-2025-46732 | OpenCTI-Platform - opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.6.6, an IDOR vulnerability in the GrapQL `NotificationLineNotificationMarkReadMutation` and `NotificationLineNotificationDeleteMutation` mutations of OpenCTI allows an authenticated user to change the read status of a notification or delete a notification of another user in case he has knowledge of the UUID of the notification. When changing the read status of a notification, the user also receives the content of the notification they changed the read status of. Authenticated Users in OpenCTI can read, modify and delete notification of other users if they know the UUID of the notification. Version 6.6.6 fixes the issue. | CVSS3.1: 5.4 - MEDIUM | 0 | Exploitation: noneAutomatable: noTechnical Impact: partial | OpenCTI’s GraphQL IDOR enables authenticated users to modify or delete notifications of other users | github |
| CVE-2024-13175 | Vidco Software - VOC TESTER | Authorization Bypass Through User-Controlled Key vulnerability in Vidco Software VOC TESTER allows Forceful Browsing.This issue affects VOC TESTER: before 12.41.0. | CVSS3.1: 5.5 - MEDIUM | 0 | Exploitation: noneAutomatable: noTechnical Impact: partial | IDOR in Vidco Software’s VOC TESTER | github |
| CVE-2024-27779 | Fortinet - FortiSandboxFortinet - FortiIsolator | An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an admin session cookie to keep using that admin’s session even after the admin user was deleted. | CVSS3.1: 6.3 - MEDIUM | 0 | Exploitation: noneAutomatable: noTechnical Impact: total | undefined | github |
| CVE-2025-6226 | Mattermost - Mattermost | Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don’t have access to via guessing the PendingPostID of recently created posts. | CVSS3.1: 6.5 - MEDIUM | 0 | Exploitation: noneAutomatable: noTechnical Impact: partial | IDOR in CreatePost API allows for timeboxed message disclosure | github |
| CVE-2025-2425 | ESET, spol. s.r.o - ESET NOD32 AntivirusESET, spol. s.r.o - ESET Internet SecurityESET, spol. s.r.o - ESET Smart Security PremiumESET, spol. s.r.o - ESET Security UltimateESET, spol. s.r.o - ESET Endpoint Antivirus for WindowsESET, spol. s.r.o - ESET Endpoint Security for WindowsESET, spol. s.r.o - ESET Small Business SecurityESET, spol. s.r.o - ESET Safe ServerESET, spol. s.r.o - ESET Server Security for Windows ServerESET, spol. s.r.o - ESET Mail Security for Microsoft Exchange ServerESET, spol. s.r.o - ESET Security for Microsoft SharePoint Server | Time-of-check to time-of-use race condition vulnerability potentially allowed an attacker to use the installed ESET security software to clear the content of an arbitrary file on the file system. | CVSS4.0: 5.1 - MEDIUM | 0 | Exploitation: noneAutomatable: noTechnical Impact: partial | TOCTOU race condition vulnerability in ESET products on Windows | github |
| CVE-2025-49484 | joomsky.com - JS Jobs component for Joomla | A SQL injection vulnerability in the JS Jobs plugin versions 1.0.0-1.4.1 for Joomla allows low-privilege users to execute arbitrary SQL commands via the ‘cvid’ parameter in the employee application feature. | CVSS4.0: 8.7 - HIGH | 0 1 | Exploitation: noneAutomatable: noTechnical Impact: total | Extension - joomsky.com - SQL injection in JS jobs component version 1.1.5 - 1.4.1 for Joomla | github |
This post is licensed under CC BY 4.0 by the author.