In Zitadel versions prior to 2.71.0 a critical severity vulnerability CVE-2025-27507 was detected. This vulnerability allows authenticated users, without specific IAM roles, to modify sensitive settings due to Insecure Direct Object Reference (IDOR) issues in the Admin API, with the most critical impact being the ability to manipulate LDAP configurations. However, customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. To address this issue, users should upgrade Zitadel to versions 2.71.0, 2.70.1, 2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5 or 2.63.8. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27507.
Read more Developer Tools
In Kibana versions 8.15.0 up to, but not including, 8.17.1 a critical severity vulnerability CVE-2025-25015 was detected. This vulnerability allows users with the Viewer role to achieve arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. To address this issue, users should upgrade Kibana to version 8.17.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25015.
Read more Data Analytics
In Spreadsheet Integration plugin for WordPress versions 3.8.2 and prior a medium severity vulnerability CVE-2025-1463 was detected. This vulnerability allows attackers to publish arbitrary posts, including private ones, by exploiting improper nonce validation in the class-wpgsi-show.php script. To address this issue, users should upgrade Spreadsheet Integration plugin to versions 3.8.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1463.
Read more CMS Newsflash Business and Enterprise Solutions
In DesignThemes Core Features plugin for WordPress versions 4.7 and prior a high severity vulnerability CVE-2024-13471 was detected. This vulnerability allows unauthenticated attackers to read arbitrary files on the underlying operating system due to a missing capability check on the `dt_process_imported_file` function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13471.
Read more CMS Newsflash Business and Enterprise Solutions
In Homey Login Register plugin for WordPress versions 2.4.0 and prior a critical severity vulnerability CVE-2024-11951 was detected. This vulnerability allows unauthenticated attackers to escalate privileges by registering an account with an administrator role due to improper role assignment controls. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11951.
Read more CMS Business and Enterprise Solutions
In GitLab CE/EE versions 15.10 prior to 17.7.6, 17.8 prior to 17.8.4 and 17.9 prior to 17.9.1 a high severity vulnerability CVE-2025-0475 was detected. This vulnerability allows attackers to exploit the proxy feature, potentially leading to unintended content rendering and cross-site scripting (XSS) under specific circumstances. To address this issue, users should upgrade GitLab CE/EE to versions 17.9.1, 17.8.4 or 17.7.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0475.
Read more Developer Tools
In GitLab EE versions 16.2 prior to 17.7.6, 17.8 prior to 17.8.4 and 17.9 prior to 17.9.1 a medium severity vulnerability CVE-2024-10925 was detected. This vulnerability allows attackers to access and view sensitive security configurations in the system. To fix this issue, users should upgrade GitLab EE to versions 17.7.6, 17.8.4 or 17.9.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10925.
Read more Developer Tools
In GitLab CE/EE versions 16.6 before 17.7.6, 17.8 before 17.8.4 and 17.9 before 17.9.1 a medium severity vulnerability CVE-2024-8186 was detected. This vulnerability allows attackers to inject HTML into the child item search, potentially leading to cross-site scripting (XSS) in certain situations. To address this issue, users should upgrade GitLab CE/EE to versions 17.9.1, 17.8.4 or 17.7.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8186.
Read more Developer Tools
In the Admin and Site Enhancements (ASE) plugin for WordPress versions before 7.6.10 a medium severity vulnerability CVE-2024-13685 was detected. This vulnerability allows attackers to manipulate client IP addresses via untrusted headers, potentially bypassing the login limit feature. To address this issue, users should upgrade Admin and Site Enhancements (ASE) plugin to version 7.6.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13685.
Read more CMS Newsflash Business and Enterprise Solutions