2025-09-25 Daily Vulns
NEW:
| CVE | vendor-product | description | metric | Referenceurl | title | GithubURL | |
|---|---|---|---|---|---|---|---|
| CVE-2025-10906 | Magnetism Studios - Endurance | A flaw has been found in Magnetism Studios Endurance up to 3.3.0 on macOS. This affects the function loadModuleNamed:WithReply of the file /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper of the component NSXPC Interface. Executing manipulation can lead to missing authentication. The attack needs to be launched locally. The exploit has been published and may be used.In Magnetism Studios Endurance up to 3.3.0 auf macOS ist eine Schwachstelle entdeckt worden. Betroffen davon ist die Funktion loadModuleNamed:WithReply der Datei /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper der Komponente NSXPC Interface. Durch das Beeinflussen mit unbekannten Daten kann eine missing authentication-Schwachstelle ausgenutzt werden. Der Angriff hat dabei lokal zu erfolgen. Der Exploit wurde der Öffentlichkeit bekannt gemacht und könnte verwendet werden. | CVSS4.0: 8.6 - HIGH CVSS3.1: 8.4 - HIGH | 0 1 2 3 4 | Exploitation: pocAutomatable: noTechnical Impact: partial | Magnetism Studios Endurance NSXPC com.MagnetismStudios.endurance.helper loadModuleNamed:WithReply missing authentication | github |
| CVE-2025-10360 | Perforce - Puppet Enterprise | In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can’t update to the latest version. | CVSS4.0: 6.9 - MEDIUM | 0 | Exploitation: noneAutomatable: noTechnical Impact: partial | Insufficiently Protected Credentials in Puppet Enterprise 2025.4 and 2025.5 | github |
| CVE-2025-41715 | WAGO - Device SphereWAGO - Solution Builder | The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it. | CVSS3.1: 9.8 - CRITICAL | 0 | Exploitation: noneAutomatable: yesTechnical Impact: total | Missing Authentication for Database Access in Web Application | github |
This post is licensed under CC BY 4.0 by the author.