Security Vulnerabilities - CVEs Published In August 2025
Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`.
CVSS Score
5.5
EPSS Score
0.01
Published
2025-08-08
A vulnerability classified as critical has been found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0. This affects an unknown part of the file /CommonSolution/GetVariableByOneIDNew of the component Historical Data Query Module. The manipulation of the argument ObjectID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
2.1
EPSS Score
0.001
Published
2025-08-08
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a vulnerability in SuiteCRM version 7.14.6 which allows unauthenticated downloads of any file from the upload-directory, as long as it is named by an ID (e.g. attachments). An unauthenticated attacker could download internal files when he discovers a valid file-ID.
Valid IDs could be brute-forced, but this is quite time-consuming as the file-IDs are usually UUIDs. This issue is fixed in version 7.14.7.
CVSS Score
3.7
EPSS Score
0.001
Published
2025-08-07
A vulnerability was found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /OL_OprationLog/GetPageList. The manipulation of the argument optUser leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
2.1
EPSS Score
0.001
Published
2025-08-07
A vulnerability was found in Open5GS up to 2.7.5. It has been classified as problematic. Affected is the function amf_nsmf_pdusession_handle_release_sm_context of the file src/amf/nsmf-handler.c of the component AMF Service. The manipulation leads to reachable assertion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The name of the patch is 66bc558e417e70ae216ec155e4e81c14ae0ecf30. It is recommended to apply a patch to fix this issue.
CVSS Score
1.9
EPSS Score
0.0
Published
2025-08-07
Azure OpenAI Elevation of Privilege Vulnerability
CVSS Score
10.0
EPSS Score
0.005
Published
2025-08-07
Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
CVSS Score
6.5
EPSS Score
0.006
Published
2025-08-07
Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
CVSS Score
8.2
EPSS Score
0.012
Published
2025-08-07
Azure Portal Elevation of Privilege Vulnerability
CVSS Score
9.1
EPSS Score
0.004
Published
2025-08-07
The installer for SAN Host Utilities for Windows versions prior to 8.0 is susceptible to a vulnerability which when successfully exploited could allow a local user to escalate their privileges.
CVSS Score
7.0
EPSS Score
0.0
Published
2025-08-07