2025-11-06 Daily Vulns

NEW:

| CVE | Vendor - Product | Description | Metric | SSVC | Title |
|---|---|---|---|---|---|
| CVE-2016-15054 | Nagios - XI | Nagios XI versions prior to 5.4.0 are vulnerable to cross-site scripting (XSS) via the jQuery Migrate library. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | CVSS4.0: 5.1 - MEDIUM | Exploitation: none; Automatable: no; Technical Impact: partial | Nagios XI < 5.4.0 XSS via jQuery Migrate Library |
| CVE-2025-10853 | WSO2 - WSO2 Open Banking IAM; WSO2 - WSO2 API Manager; WSO2 - WSO2 Identity Server; WSO2 - WSO2 Open Banking AM; WSO2 - WSO2 Identity Server as Key Manager; WSO2 - WSO2 Enterprise Integrator; WSO2 - WSO2 API Control Plane; WSO2 - WSO2 Universal Gateway; WSO2 - WSO2 Traffic Manager; WSO2 - org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui; WSO2 - org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui; WSO2 - org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui; WSO2 - org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui | A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking. | CVSS3.1: 5.2 - MEDIUM | Exploitation: none; Automatable: no; Technical Impact: partial | Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding |
| CVE-2023-43000 | Apple - macOS; Apple - iOS and iPadOS; Apple - Safari | A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6. Processing maliciously crafted web content may lead to memory corruption. | CNA: n/a; CVSS3.1: 8.8 - HIGH | Exploitation: none; Automatable: no; Technical Impact: total | |
| CVE-2025-21078 | Samsung Mobile - Smart Switch | Use of insufficiently random value of secretKey in Smart Switch prior to version 3.7.68.6 allows adjacent attackers to access backup data from applications. | CVSS3.1: 8.8 - HIGH | Exploitation: none; Automatable: no; Technical Impact: total | |
| CVE-2025-21079 | Samsung Mobile - Samsung Members | Improper input validation in Samsung Members prior to version 5.5.01.3 allows remote attackers to connect to an arbitrary URL and launch an arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability. | CVSS3.1: 7.1 - HIGH | Exploitation: none; Automatable: no; Technical Impact: partial | |
| CVE-2021-47698 | Nagios - XI | Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI's Views URL handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | CVSS4.0: 5.1 - MEDIUM | Exploitation: none; Automatable: no; Technical Impact: partial | Nagios XI < 5.8.7 XSS in Core UI Views URL handling |
| CVE-2024-13997 | Nagios - XI | Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level attacker could execute actions outside the intended security scope of the application, resulting in full control of the operating system. | CVSS4.0: 9.4 - CRITICAL | Exploitation: none; Automatable: yes; Technical Impact: total | Nagios XI < 2024R1.1.3 Privilege Escalation via Migrate Server Feature to Root on Host |
| CVE-2025-10622 | Red Hat - Red Hat Satellite 6.18 for RHEL 9; Red Hat - Red Hat Satellite 6 | A flaw was found in Red Hat Satellite (Foreman component). This vulnerability allows an authenticated user with edit_settings permissions to achieve arbitrary command execution on the underlying operating system via insufficient server-side validation of command whitelisting. | CVSS3.1: 8 - HIGH | Exploitation: none; Automatable: no; Technical Impact: total | Foreman: OS command injection via ct_location and fcct_location parameters |
This post is licensed under CC BY 4.0 by the author.