Security Vulnerabilities
An issue was discovered in AnyDesk through 9.0.4. When the connection between two clients is established via an IP address, it is possible to manipulate the data and spoof the AnyDesk ID.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-11-06
An issue was discovered in AnyDesk through 9.0.4. Remote Denial of Service can occur because of incorrect deserialization that results in failed memory allocation and a NULL pointer dereference.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-11-06
An issue was discovered in AnyDesk before 9.0.0. It has an integer overflow and resultant heap-based buffer overflow via a UDP packet during processing of an Identity user image within the Discovery feature, or when establishing a connection between any two clients.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-11-06
An issue was discovered in AnyDesk through 9.0.4. A remotely connected user with the "Control my device" permission can manipulate remote AnyDesk settings and create a password for the Full Access profile without needing confirmation from the counterparty. Consequently, the attacker can later connect without this counterparty confirmation.
CVSS Score
8.2
EPSS Score
0.0
Published
2025-11-06
An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g., a maliciously crafted POST login). Successful exploitation may lead to theft of session cookies, credential disclosure, or other client-side impacts.
CVSS Score
7.1
EPSS Score
0.0
Published
2025-11-06
A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.
CVSS Score
7.1
EPSS Score
0.0
Published
2025-11-06
Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step.
This issue affects the following versions :
* Devolutions Server 2025.3.2.0 through 2025.3.5.0
*
Devolutions Server 2025.2.15.0 and earlier
CVSS Score
8.8
EPSS Score
0.0
Published
2025-11-06
Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure.
This issue affects the following versions :
* Devolutions Server 2025.3.2.0 through 2025.3.5.0
*
Devolutions Server 2025.2.15.0 and earlier
CVSS Score
6.5
EPSS Score
0.0
Published
2025-11-06
Dataease is an open source data visualization analysis tool. In versions 2.10.14 and below, DataEase did not properly filter when establishing JDBC connections to Oracle, resulting in a risk of JNDI injection (Java Naming and Directory Interface injection). This issue is fixed in version 2.10.15.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-11-06
DataEase is an open source data visualization analysis tool. In versions 2.10.14 and below, the vendor added a blacklist to filter ldap:// and ldaps://. However, omission of protection for the dns:// protocol results in an SSRF vulnerability. This issue is fixed in version 2.10.15.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-11-06
Page 1