Microsoft: >> Windows Security Vulnerabilities
In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message.
CVSS Score
5.4
EPSS Score
0.001
Published
2025-02-11
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
CVSS Score
5.4
EPSS Score
0.001
Published
2025-02-11
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-02-11
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-02-11
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
CVSS Score
5.5
EPSS Score
0.001
Published
2025-02-10
IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Score
7.1
EPSS Score
0.002
Published
2025-02-06
IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.
CVSS Score
3.3
EPSS Score
0.0
Published
2025-02-06
IBM EntireX 11.1 could allow a local user to cause a denial of service due to an unhandled error and fault isolation.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-02-06
An insufficient verification of data authenticity vulnerability exists in BIG-IP APM Access Policy endpoint inspection that may allow an attacker to bypass endpoint inspection checks for VPN connection initiated thru BIG-IP APM browser network access VPN client for Windows, macOS and Linux.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Score
3.1
EPSS Score
0.001
Published
2025-02-05
Dell NetWorker, version(s) prior to 19.11.0.3, all versions of 19.10 & prior versions contain(s) an Unquoted Search Path or Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-01-30