Development

CVE ID : CVE-2025-27409

Published : April 30, 2025, 3:16 p.m. | 1 hour, 42 minutes ago

Description : Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to check for special `pluginAssets` paths. If the function returns a path, the result is returned directly, without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3.

Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-32973

Published : April 30, 2025, 3:16 p.m. | 25 minutes ago

Description : XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An attacker who created such a malicious object could use this to gain programming rights on the wiki. For this, the attacker needs to have edit rights on at least one page to place this object and then get an admin user to edit that document. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

Severity: 9.0 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-32970

Published : April 30, 2025, 3:16 p.m. | 1 hour, 42 minutes ago

Description : XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirects to any URL. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0.

Severity: 6.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-32971

Published : April 30, 2025, 3:16 p.m. | 1 hour, 42 minutes ago

Description : XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn’t take dropped programming rights into account. The Solr script service that is accessible in XWiki’s scripting API normally requires programming rights to be called. Due to using the wrong API for checking rights, it doesn’t take the fact into account that programming rights might have been dropped by calling `$xcontext.dropPermissions()`. If some code relies on this for the safety of executing Velocity code with the wrong author context, this could allow a user with script rights to either cause a high load by indexing documents or to temporarily remove documents from the search index. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0-rc-1.

Severity: 3.8 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-32972

Published : April 30, 2025, 3:16 p.m. | 1 hour, 42 minutes ago

Description : XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

Severity: 2.7 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46342

Published : April 30, 2025, 3:16 p.m. | 1 hour, 42 minutes ago

Description : Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go`. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0.

Severity: 8.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4122

Published : April 30, 2025, 3:16 p.m. | 1 hour, 42 minutes ago

Description : A vulnerability was found in Netgear JWNR2000v2 1.0.0.11. It has been rated as critical. Affected by this issue is the function sub_435E04. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Severity: 6.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Oracle Enterprise Resource Planning helps businesses manage finance and supply chains. It also supports human resources and brings different functions…

When I’m working with Django, one of the first things I often need to do is work with users –…

Lauren Bannon, 40, began experiencing unexplained weight loss and persistent stomach pain. Multiple doctors dismissed her concerns as rheumatoid arthritis…

Singapore Airlines (SIA) is teaming up with OpenAI to bring generative AI into the skies, marking OpenAI’s first-ever deal with…

New Meta AI app joins the chatbot war, and it’s personal. Meta has officially launched its standalone AI chatbot app,…

UK regulator to launch live AI testing lab to help firms go public. The Financial Conduct Authority (FCA) is set…

New film “Uncanny Valley” will be built using generative AI trained on fully licensed data. Natasha Lyonne, star of Poker…

This month marks a major milestone in our journey — Perficient Hyderabad proudly turned 3! What started as a bold…

Join the free virtual event along with community experts to celebrate 30 years of PHP! The post Celebrate 30 years…

Cybersecurity researchers have shed light on a Russian-speaking cyber espionage group called Nebulous Mantis that has deployed a remote access…

Researchers from Edith Cowan University (ECU) and the University of Manitoba have developed an automated program that can identify cardiovascular…

Strapi is the leading open-source headless CMS. It’s 100% JavaScript/TypeScript, fully customizable, and developer-first. Its flexibility and scalability make it…

Objective: Enable resource monitoring for AWS EC2 instances using the Dynatrace monitoring tool (OneAgent) to gain real-time insights into system…