Infrastructure and Network

In Invoice Ninja versions 5.8.56 through 5.11.23 a high severity vulnerability CVE-2025-0474 was detected. This vulnerability allows attackers to perform authenticated Server-Side Request Forgery (SSRF), enabling arbitrary file read and network resource requests as the application user. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0474.

In Keycloak versions prior to 26.0.8 a medium severity vulnerability CVE-2024-11736 was detected. This vulnerability allows admin users to access sensitive server environment variables and system properties through URLs. By using placeholders like ${env.VARNAME} or ${PROPNAME}, the server replaces them with actual values during URL processing. To address this issue, users should upgrade Keycloak to version 26.0.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11736.

In Keycloak version 21.0.2 a medium severity vulnerability CVE-2024-11734 was detected. This vulnerability allows attackers to disrupt the Keycloak service by modifying security headers, causing requests to fail and the service to become unavailable. To fix this issue, users should upgrade Keycloak to version 26.0.8. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-11734.

In Vaultwarden versions before 1.32.5 a critical severity vulnerability CVE-2024-55225 was detected. This vulnerability allows attackers to impersonate users, including administrators, through a crafted authorization request. To address this issue, users should upgrade Vaultwarden to version 1.32.5 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-55225.

In Vaultwarden version 1.32.5 a low severity vulnerability CVE-2024-55226 was detected. This vulnerability allows attackers to execute authenticated reflected Cross-Site Scripting (XSS) attacks via the `/api/core/mod.rs` component. To address this issue, users should upgrade Vaultwarden to version 1.32.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55226.

In OpenVPN versions prior to 2.6.11 a critical severity vulnerability CVE-2024-5594 was detected. This vulnerability allows attackers to exploit improperly sanitized PUSH_REPLY messages, potentially injecting arbitrary data into third-party executables or plug-ins. To address this issue, users should upgrade to OpenVPN version 2.6.11 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5594.

In Nextcloud Server and Enterprise Server versions from 22.0.0 to 24.0.6 a medium severity vulnerability was detected. This vulnerability allows shared items to remain accessible to users after they are removed from a group, even when the server is configured to restrict sharing within groups. To address this issue, users should upgrade to Nextcloud Server versions 22.2.11, 23.0.11, or 24.0.6, and Nextcloud Enterprise Server versions 22.2.11, 23.0.11, or 24.0.6. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52516.

In Invoice Ninja versions before 5.10.43 a high severity vulnerability CVE-2024-55555 was detected. This vulnerability allows attackers with access to the APP_KEY to execute remote code without authentication. The issue arises from insecure handling of serialized objects in a pre-authenticated route. To address this issue, users must upgrade to Invoice Ninja version 5.10.43 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55555.

In Nextcloud Server and Enterprise Server versions from 25.0.0 to 30.0.1 a medium severity vulnerability CVE-2024-52517 was detected. This vulnerability allows attackers with access to an active user session to read global credentials in plain text. To address this issue, users should upgrade to Nextcloud Server versions 28.0.11, 29.0.8, or 30.0.1 and Nextcloud Enterprise Server versions 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8, or 30.0.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52517.