Aggregator

A vulnerability was found in Grocy up to 4.3.0. It has been rated as problematic. Impacted is an unknown function. The manipulation leads to direct request. This vulnerability is traded as CVE-2024-55075. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in TeamPass up to 3.1.3.0. This issue affects some unknown processing of the component Folder Handler. The manipulation results in incorrect privilege assignment. This vulnerability was named CVE-2024-50701. The attack may be performed from remote. There is no available exploit. You should upgrade the affected component.

A vulnerability has been found in TeamPass up to 3.1.3.0 and classified as critical. Impacted is the function mail_me of the component Action Mail Handler. This manipulation causes incorrect privilege assignment. The identification of this vulnerability is CVE-2024-50702. It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability has been found in LinZhaoguan pb-cms up to 2.0.1 and classified as problematic. Impacted is an unknown function of the file /admin#themes of the component Theme Management Module. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-10479. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. A duplicate CVE-2024-51229 appears to be assigned to this entry.

A vulnerability, which was classified as problematic, was found in Mattermost up to 9.5.9/9.10.2/9.11.1. This affects an unknown function of the component Message Handler. The manipulation results in missing authorization. This vulnerability is reported as CVE-2024-50052. The attack can be launched remotely. No exploit exists. You should upgrade the affected component.

A vulnerability was found in Mattermost up to 9.5.9/9.10.2/9.11.1 and classified as problematic. Affected is an unknown function of the component GraphQL Response Handler. Such manipulation leads to allocation of resources. This vulnerability is traded as CVE-2024-47401. The attack may be launched remotely. There is no exploit available. It is suggested to upgrade the affected component.

在回顾该问题时，发现提问者并没有把问题定位得很清楚，导致在没有人追问的情况下，大家给出的应答也不具体。说它不清楚在于内部漏洞，在我看来至少有两个主要来源： 1、产品发布上线前各类安全测试发现的漏洞：这种情况其实有比较明确的修复要求，至少是要在系统发版前完成修复，如果做得更好的话，也可以制定明确的修复时间来推动业务方修复，但这个时间一定是要与发版时间相比较，把短的用来做deadline； 2、产品或内部资产运行状态下日常漏扫漏洞：这类漏洞主要是针对内部资产或外部互联网侧的应用，缺少明确的时间参考系，所以要制定修复时间，可以细分出优先级。比如互联网侧的信息系统修复时间要求比内网的短，高危漏洞比低危修复时限要求短，从执行来看互联网系统按照几天甚至几小时比较合适、内网系统按照几周或1个月比较合适。 针对逾期修复的情况，可以在内部做红黑榜进行推动，可以设置安全风险分数（逾期修复天数*漏洞风险等级对应的权重*存在漏洞的资产重要性对应权重），然后按照部门进行风险分数计算并在全公司晒榜，以此激励大家修复漏洞。 ------------更多内容，请访问------------- 1、SDL 100问 SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ 大家都有哪些SDL运营指标？ 开发安全左移和右移，哪一个更好？ SDL 99/100问：如何进行软件安全需求分析？ 2、SDL创新实践 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 DevSecOps实施关键：研发安全工具 数字化转型下研发安全痛点 一个思考：安全测试驱动产品安全？ 3、SDL最初实践 【SDL最初实践】开篇 【SDL最初实践】安全培训 【SDL最初实践】安全需求 【SDL最初实践】安全设计 【SDL最初实践】安全开发 【SDL最初实践】安全测试 【SDL最初实践】安全审核 【SDL最初实践】安全响应 4、安全运营实践 基于实践的安全事件简述 安全事件运营SOP：钓鱼邮件 安全事件运营SOP：网络攻击 安全事件运营SOP：蜜罐告警 安全事件运营SOP：webshell事件 安全事件运营SOP：接收漏洞事件

Threat Attack Daily - 29th of September 2025

A vulnerability categorized as problematic has been discovered in Mongoose up to 7.17. Affected by this issue is some unknown functionality of the component WebSocket. The manipulation results in integer overflow. This vulnerability is known as CVE-2025-51495. Access to the local network is required for this attack. No exploit is available. A patch should be applied to remediate this issue.

A vulnerability was found in Esri Portal for ArcGIS up to 11.4. It has been classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to open redirect. This vulnerability is documented as CVE-2025-57878. The attack can be initiated remotely. There is not any exploit available.

A vulnerability was found in Esri Portal for ArcGIS up to 11.4. It has been rated as problematic. This vulnerability affects unknown code. This manipulation causes open redirect. This vulnerability appears as CVE-2025-57879. The attack may be initiated remotely. There is no available exploit.

A vulnerability marked as problematic has been reported in Esri Portal for ArcGIS up to 11.4. The impacted element is an unknown function of the component String Handler. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-57875. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability described as problematic has been identified in Esri Portal for ArcGIS up to 11.4. This affects an unknown function of the component String Handler. The manipulation results in cross site scripting. This vulnerability was named CVE-2025-57877. The attack may be performed from remote. There is no available exploit.

A vulnerability classified as critical was found in Payeer App 2.5.0 on Android. Affected is an unknown function. Such manipulation leads to improper access controls. This vulnerability is referenced as CVE-2025-57197. The attack can only be performed from a local environment. No exploit is available.

A vulnerability labeled as problematic has been found in Medical Informatics Engineering Enterprise Health. Affected by this issue is some unknown functionality of the component URL Handler. Such manipulation leads to cross-site request forgery. This vulnerability is traded as CVE-2025-35030. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability was found in Trivision NC-227WF 5.80 Build 20141010. It has been rated as problematic. The affected element is an unknown function. Performing manipulation results in information exposure through error message. This vulnerability is reported as CVE-2025-56764. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability was found in Medical Informatics Engineering Enterprise Health. It has been declared as problematic. This affects an unknown function. Executing manipulation can lead to csv injection. This vulnerability is registered as CVE-2025-35033. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability was found in Medical Informatics Engineering Enterprise Health. It has been rated as problematic. This impacts an unknown function. The manipulation leads to debug messages revealing unnecessary information. This vulnerability is documented as CVE-2025-35031. The attack needs to be performed locally. There is not any exploit available. Upgrading the affected component is advised.

A vulnerability categorized as critical has been discovered in Medical Informatics Engineering Enterprise Health. Affected is an unknown function. The manipulation results in unrestricted upload. This vulnerability is reported as CVE-2025-35032. The attack can be launched remotely. No exploit exists. It is advisable to upgrade the affected component.

A vulnerability identified as problematic has been detected in Medical Informatics Engineering Enterprise Health. Affected by this vulnerability is an unknown functionality of the component URL Parameter Handler. This manipulation of the argument portlet_user_id causes cross site scripting. This vulnerability appears as CVE-2025-35034. The attack may be initiated remotely. There is no available exploit. You should upgrade the affected component.