Security Vulnerabilities - Known exploited
CVE-2025-30066
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
Known exploited
CVSS Score
8.6
EPSS Score
0.909
Published
2025-03-15
CVE-2025-27915
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
Known exploited
CVSS Score
5.4
EPSS Score
0.306
Published
2025-03-12
CVE-2025-21590
An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.
A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.
This issue is not exploitable from the Junos CLI.
This issue affects Junos OS:
* All versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S10,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R1-S2, 24.2R2.
Known exploited
CVSS Score
4.4
EPSS Score
0.024
Published
2025-03-12
CVE-2025-24201
An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1, watchOS 11.4, iPadOS 17.7.6, iOS 16.7.11 and iPadOS 16.7.11, iOS 15.8.4 and iPadOS 15.8.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).
Known exploited
CVSS Score
10.0
EPSS Score
0.001
Published
2025-03-11
CVE-2025-26633
Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.
Known exploited
CVSS Score
7.0
EPSS Score
0.093
Published
2025-03-11
CVE-2025-24991
Out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally.
Known exploited
CVSS Score
5.5
EPSS Score
0.007
Published
2025-03-11
CVE-2025-24993
Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.
Known exploited
CVSS Score
7.8
EPSS Score
0.011
Published
2025-03-11
CVE-2025-24984
Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack.
Known exploited
CVSS Score
4.6
EPSS Score
0.05
Published
2025-03-11
CVE-2025-24985
Integer overflow or wraparound in Windows Fast FAT Driver allows an unauthorized attacker to execute code locally.
Known exploited
CVSS Score
7.8
EPSS Score
0.01
Published
2025-03-11
CVE-2025-24983
Use after free in Windows Win32 Kernel Subsystem allows an authorized attacker to elevate privileges locally.
Known exploited
CVSS Score
7.0
EPSS Score
0.007
Published
2025-03-11