Security Vulnerabilities - CVEs Published In September 2025
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute an arbitrary web script or HTML in the My Workflow Tasks page.
CVSS Score
4.6
EPSS Score
0.0
Published
2025-09-10
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Â Requires a high privileged user with a developer role.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-09-10
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, a legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check. Users should to update to Indico 3.3.8 as soon as possible. As a workaround, it is possible to restrict access to the affected API (e.g. in the webserver config).
CVSS Score
4.3
EPSS Score
0.0
Published
2025-09-10
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should to update to Indico 3.3.8 as soon as possible. As a workaround, only let trustworthy users create content on Indico. Note that a conference doing a Call for Abstracts actively invites external speakers (who the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a a fixed version ASAP in particular when using such workflows.
CVSS Score
4.6
EPSS Score
0.0
Published
2025-09-10
Claude Code is an agentic coding tool. At startup, Claude Code executed a command templated in with `git config user.email`. Prior to version 1.0.105, a maliciously configured user email in git could be used to trigger arbitrary code execution before a user accepted the workspace trust dialog. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to version 1.0.105 or the latest version.
CVSS Score
8.7
EPSS Score
0.002
Published
2025-09-10
Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to version 1.0.105 or the latest version.
CVSS Score
8.7
EPSS Score
0.002
Published
2025-09-10
Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the portList parameter in /goform/setNAT.
CVSS Score
5.6
EPSS Score
0.0
Published
2025-09-10
Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the QosList parameter in goform/setQoS.
CVSS Score
5.6
EPSS Score
0.0
Published
2025-09-10
Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow. via the macFilterList parameter in goform/setNAT.
CVSS Score
5.6
EPSS Score
0.0
Published
2025-09-10
Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the onlineList parameter in goform/setParentControl.
CVSS Score
5.6
EPSS Score
0.0
Published
2025-09-10