Security Vulnerabilities - CVEs Published In April 2025
Null pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.
CVSS Score
6.5
EPSS Score
0.003
Published
2025-04-08
Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to conduct a loss of integrity via adjacent network access.
CVSS Score
4.6
EPSS Score
0.0
Published
2025-04-08
Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to conduct a loss of integrity via adjacent network access.
CVSS Score
4.6
EPSS Score
0.0
Published
2025-04-08
Arbitrary file write vulnerabilities exist in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated attacker to upload arbitrary files and execute arbitrary commands on the underlying host operating system.
CVSS Score
7.2
EPSS Score
0.004
Published
2025-04-08
Authenticated command injection vulnerabilities exist in the AOS-10 GW and AOS-8 Controller/Mobility Conductor web-based management interface. Successful exploitation of these vulnerabilities allows an authenticated attacker to execute arbitrary commands as a privileged user on the underlying operating system.
CVSS Score
7.2
EPSS Score
0.006
Published
2025-04-08
A vulnerability in the Captive Portal of an AOS-10 GW and AOS-8 Controller/Mobility Conductor could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack. Successful exploitation could enable the attacker to execute arbitrary script code in the victim's browser within the context of the affected interface.
CVSS Score
5.4
EPSS Score
0.001
Published
2025-04-08
Multiple vulnerabilities exist in the web-based management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated, remote attacker to download arbitrary files from the filesystem of an affected device.
CVSS Score
4.9
EPSS Score
0.003
Published
2025-04-08
An issue was discovered in Elasticsearch, where a large recursion using a Well-Known Text formatted string with nested GeometryCollection objects could cause a stack overflow.
CVSS Score
4.9
EPSS Score
0.003
Published
2025-04-08
Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in either the 2.x or the 3.x branch, and therefore the vulnerability in question cannot be exploited when using the original database class. However, classes extending the affected class might be affected if the vulnerable method is used.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-04-08
Insufficient state checks lead to a vector that allows 2FA checks to be bypassed.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-04-08

