Security Vulnerabilities
Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access.
It has been fixed in the following commit: https://github.com/apache/apisix/pull/12629
Users are recommended to upgrade to version 3.14, which fixes this issue.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-10-31
A malicious actor with access to the management network could exploit a misconfiguration in UniFi’s door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later.
Affected Products:
UniFi Access Application (Version 3.3.22 through 3.4.31).
Mitigation:
Update your UniFi Access Application to Version 4.0.21 or later.
CVSS Score
10.0
EPSS Score
0.14
Published
2025-10-31
LibreChat version 0.7.9 is vulnerable to a Denial of Service (DoS) attack due to unbounded parameter values in the `/api/memories` endpoint. The `key` and `value` parameters accept arbitrarily large inputs without proper validation, leading to a null pointer error in the Rust-based backend when excessively large values are submitted. This results in the inability to create new memories, impacting the stability of the service.
CVSS Score
5.4
EPSS Score
0.001
Published
2025-10-31
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Revive Adserver version 5.5.2. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript code in the context of the victim's browser. The session cookie cannot be accessed, but a number of other operations could be performed.
The vulnerability is present in the admin-search.php file and can be exploited via the compact parameter.
CVSS Score
6.3
EPSS Score
0.0
Published
2025-10-31
This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation if a system administrator is tricked into restoring a malicious file.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-10-31
A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user.
CVSS Score
9.9
EPSS Score
0.002
Published
2025-10-31
A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.
CVSS Score
8.8
EPSS Score
0.003
Published
2025-10-31
SQL injection in Revive Adserver 6.0.0 causes potential disruption or information access when specifically crafted payloads are sent by logged in users
CVSS Score
8.8
EPSS Score
0.0
Published
2025-10-31
Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next run. This improper ownership and permission configuration enables local privilege escalation.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-10-30
Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-10-30