Security Vulnerabilities - CVEs Published In July 2025
A high privileged remote attacker can execute arbitrary system commands via GET requests in the cloud server communication script due to improper neutralization of special elements used in an OS command.
CVSS Score
7.2
EPSS Score
0.002
Published
2025-07-21
A high privileged remote attacker can exhaust critical system resources by sending specifically crafted POST requests to the send-sms action in fast succession.
CVSS Score
4.9
EPSS Score
0.002
Published
2025-07-21
A high privileged remote attacker can exhaust critical system resources by sending specifically crafted POST requests to the send-mail action in fast succession.
CVSS Score
4.9
EPSS Score
0.002
Published
2025-07-21
A high privileged remote attacker can alter the configuration database via POST requests due to improper neutralization of special elements used in a SQL statement.
CVSS Score
6.5
EPSS Score
0.002
Published
2025-07-21
A high privileged remote attacker can execute arbitrary system commands via POST requests in the send_sms action due to improper neutralization of special elements used in an OS command.
CVSS Score
7.2
EPSS Score
0.002
Published
2025-07-21
Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps.
CVSS Score
9.6
EPSS Score
0.001
Published
2025-07-21
File contents could be read from the local file system by an attacker. Additionally, malicious code could be inserted in the file, leading to a full compromise of the web application and the container it is running on.
The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. The web application allows arbitrary files to be included in a file that was downloadable and executable by the web server.
CVSS Score
9.0
EPSS Score
0.0
Published
2025-07-21
The web application allows user input to pass unfiltered to a command executed on the underlying operating system. An attacker with high privileged access (administrator) to the application has the potential execute commands on the operating system under the context of the webserver.
The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. Has the potential to inject command while creating a new User from User Management.
CVSS Score
8.4
EPSS Score
0.0
Published
2025-07-21
The web application allows user input to pass unfiltered to a command executed on the underlying operating system. The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet.
An attacker with low privileged access to the application has the potential to execute commands on the operating system under the context of the webserver.
CVSS Score
9.0
EPSS Score
0.001
Published
2025-07-21
A vulnerability has been found in Tenda AC6 15.03.06.50 and classified as critical. Affected by this vulnerability is the function setparentcontrolinfo of the component httpd. The manipulation leads to buffer overflow. The attack can be launched remotely.
CVSS Score
8.7
EPSS Score
0.004
Published
2025-07-21