Security Vulnerabilities - CVEs Published In June 2025
The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to intercept traffic between a client and this server, the credentials would be exposed.
CVSS Score
7.5
EPSS Score
0.002
Published
2025-06-12
The FTP server’s login mechanism does not restrict authentication attempts, allowing an attacker to brute-force user passwords and potentially compromising the FTP server.
CVSS Score
5.3
EPSS Score
0.004
Published
2025-06-12
A service supports the use of a deprecated and unsafe TLS version. This could be exploited to expose sensitive information, modify data in unexpected ways or spoof identities of other users or devices, affecting the confidentiality and integrity of the device.
CVSS Score
6.5
EPSS Score
0.002
Published
2025-06-12
The application uses a weak password hash function, allowing an attacker to crack the weak password hash to gain access to an FTP user account.
CVSS Score
6.5
EPSS Score
0.002
Published
2025-06-12
XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.
CVSS Score
9.3
EPSS Score
0.016
Published
2025-06-12
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.
CVSS Score
5.3
EPSS Score
0.003
Published
2025-06-12
For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.
CVSS Score
5.3
EPSS Score
0.004
Published
2025-06-12
The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.
CVSS Score
5.3
EPSS Score
0.004
Published
2025-06-12
The HttpOnlyflag of the session cookie \"@@\" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of Cross-Side-Scripting attacks which target the stored cookies.
CVSS Score
5.3
EPSS Score
0.002
Published
2025-06-12
The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.
CVSS Score
4.3
EPSS Score
0.003
Published
2025-06-12