Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1915 vulnerabilities reference this CWE, most recent first.

CVE-2025-4374 (GCVE-0-2025-4374)

Vulnerability from cvelistv5 – Published: 2025-05-06 14:49 – Updated: 2026-02-27 16:40
VLAI
Title
Quay: incorrect privilege assignment
Summary
A flaw was found in Quay. When an organization acts as a proxy cache, and a user or robot pulls an image that hasn't been mirrored yet, they are granted "Admin" permissions on the newly created repository.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://access.redhat.com/security/cve/CVE-2025-4374 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2364267 issue-trackingx_refsource_REDHAT
Impacted products
Vendor Product Version
Project Quay quay Affected: 0 , < 3.11.11 (semver)
Affected: 2.14.0 , < 3.14.2 (semver)
Affected: 3.12.0 , < 3.12.10 (semver)
Create a notification for this product.
Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
Create a notification for this product.
Date Public
2025-05-06 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4374",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T19:50:08.826161Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T19:50:23.456Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/quay/quay",
          "defaultStatus": "unaffected",
          "packageName": "quay",
          "product": "quay",
          "vendor": "Project Quay",
          "versions": [
            {
              "lessThan": "3.11.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.14.2",
              "status": "affected",
              "version": "2.14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.12.10",
              "status": "affected",
              "version": "3.12.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quay:3"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-05-06T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Quay. When an organization acts as a proxy cache, and a user or robot pulls an image that hasn\u0027t been mirrored yet, they are granted \"Admin\" permissions on the newly created repository."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-27T16:40:01.768Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-4374"
        },
        {
          "name": "RHBZ#2364267",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2364267"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-06T01:20:45.731Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-05-06T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Quay: incorrect privilege assignment",
      "workarounds": [
        {
          "lang": "en",
          "value": "Permissions can be updated after creation but there\u0027s no preventative measure before hand."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-266: Incorrect Privilege Assignment"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-4374",
    "datePublished": "2025-05-06T14:49:28.660Z",
    "dateReserved": "2025-05-06T01:24:21.315Z",
    "dateUpdated": "2026-02-27T16:40:01.768Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-4269 (GCVE-0-2025-4269)

Vulnerability from cvelistv5 – Published: 2025-05-05 07:00 – Updated: 2025-05-05 13:25
VLAI
Title
TOTOLINK A720R Log cstecgi.cgi access control
Summary
A vulnerability was found in TOTOLINK A720R 4.1.5cu.374 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi of the component Log Handler. The manipulation of the argument topicurl with the input clearDiagnosisLog/clearSyslog/clearTracerouteLog leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
Impacted products
Vendor Product Version
TOTOLINK A720R Affected: 4.1.5cu.374
Create a notification for this product.
Credits
153528990 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4269",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-05T13:25:07.458800Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-05T13:25:55.775Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Log Handler"
          ],
          "product": "A720R",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "4.1.5cu.374"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "153528990 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in TOTOLINK A720R 4.1.5cu.374 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi of the component Log Handler. The manipulation of the argument topicurl with the input clearDiagnosisLog/clearSyslog/clearTracerouteLog leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Eine kritische Schwachstelle wurde in TOTOLINK A720R 4.1.5cu.374 gefunden. Betroffen davon ist ein unbekannter Prozess der Datei /cgi-bin/cstecgi.cgi der Komponente Log Handler. Dank der Manipulation des Arguments topicurl mit der Eingabe clearDiagnosisLog/clearSyslog/clearTracerouteLog mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.4,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-05T07:00:06.643Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-307373 | TOTOLINK A720R Log cstecgi.cgi access control",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.307373"
        },
        {
          "name": "VDB-307373 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.307373"
        },
        {
          "name": "Submit #563430 | TOTOLINK A720R V4.1.5cu.374 Improper Access Controls",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.563430"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/at0de/my_vulns/blob/main/TOTOLINK/A720R/clearDiagnosisLog.md"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/at0de/my_vulns/blob/main/TOTOLINK/A720R/clearSyslog.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.totolink.net/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-04T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-04T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-05-04T20:29:53.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "TOTOLINK A720R Log cstecgi.cgi access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4269",
    "datePublished": "2025-05-05T07:00:06.643Z",
    "dateReserved": "2025-05-04T18:24:46.975Z",
    "dateUpdated": "2025-05-05T13:25:55.775Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4228 (GCVE-0-2025-4228)

Vulnerability from cvelistv5 – Published: 2025-06-12 23:41 – Updated: 2026-02-26 17:50
VLAI
Title
Cortex XDR Broker VM: Privilege Escalation (PE) Vulnerability
Summary
An incorrect privilege assignment vulnerability in Palo Alto Networks Cortex® XDR Broker VM allows an authenticated administrative user to execute certain files available within the Broker VM and escalate their privileges to root.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
Palo Alto Networks Cortex XDR Broker VM Affected: 27.0.0 , < 27.0.26 (custom)
Create a notification for this product.
Date Public
2025-06-11 16:00
Credits
This issue was discovered during an internal penetration test
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4228",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-14T03:56:20.896226Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:50:38.802Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cortex XDR Broker VM",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "27.0.26",
                  "status": "unaffected"
                }
              ],
              "lessThan": "27.0.26",
              "status": "affected",
              "version": "27.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eNo special configuration is required to be affected by this issue.\u003c/p\u003e"
            }
          ],
          "value": "No special configuration is required to be affected by this issue."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered during an internal penetration test"
        }
      ],
      "datePublic": "2025-06-11T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An incorrect privilege assignment vulnerability in Palo Alto Networks Cortex\u00ae XDR Broker VM allows an authenticated administrative user to execute certain files available within the Broker VM and escalate their privileges to root."
            }
          ],
          "value": "An incorrect privilege assignment vulnerability in Palo Alto Networks Cortex\u00ae XDR Broker VM allows an authenticated administrative user to execute certain files available within the Broker VM and escalate their privileges to root."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "CWE-266 Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-12T23:41:37.071Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2025-4228"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThis issue is fixed in Cortex XDR Broker VM 27.0.26, and all later Cortex XDR Broker VM versions.\u003cbr\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf you enabled automatic upgrades for Broker VM, then no action is required at this time. \u003c/li\u003e\u003cli\u003eIf you did not enable automatic upgrades, then we recommend that you do so for Broker VM to ensure that you always have the latest security patches installed in your software.\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "This issue is fixed in Cortex XDR Broker VM 27.0.26, and all later Cortex XDR Broker VM versions.\n\n\n  *  If you enabled automatic upgrades for Broker VM, then no action is required at this time. \n  *  If you did not enable automatic upgrades, then we recommend that you do so for Broker VM to ensure that you always have the latest security patches installed in your software."
        }
      ],
      "source": {
        "defect": [
          "CRTX-101363",
          "CRTX-101771"
        ],
        "discovery": "INTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-11T16:00:00.000Z",
          "value": "Initial Publication"
        }
      ],
      "title": "Cortex XDR Broker VM: Privilege Escalation (PE) Vulnerability",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eNo known workarounds or mitigations exist for this issue.\u003c/p\u003e"
            }
          ],
          "value": "No known workarounds or mitigations exist for this issue."
        }
      ],
      "x_affectedList": [
        "Cortex XDR Broker VM   26.0.0",
        "Cortex XDR Broker VM   26.0.1",
        "Cortex XDR Broker VM   26.0.2",
        "Cortex XDR Broker VM   26.0.3",
        "Cortex XDR Broker VM   26.0.4",
        "Cortex XDR Broker VM   26.0.5",
        "Cortex XDR Broker VM   26.0.6",
        "Cortex XDR Broker VM   26.0.7",
        "Cortex XDR Broker VM   26.0.8",
        "Cortex XDR Broker VM   26.0.9",
        "Cortex XDR Broker VM   26.0.10",
        "Cortex XDR Broker VM   26.0.11",
        "Cortex XDR Broker VM   26.0.12",
        "Cortex XDR Broker VM   26.0.13",
        "Cortex XDR Broker VM   26.0.14",
        "Cortex XDR Broker VM   26.0.15",
        "Cortex XDR Broker VM   26.0.16",
        "Cortex XDR Broker VM   26.0.17",
        "Cortex XDR Broker VM   26.0.18",
        "Cortex XDR Broker VM   26.0.19",
        "Cortex XDR Broker VM   26.0.20",
        "Cortex XDR Broker VM   26.0.21",
        "Cortex XDR Broker VM   26.0.22",
        "Cortex XDR Broker VM   26.0.23",
        "Cortex XDR Broker VM   26.0.24",
        "Cortex XDR Broker VM   26.0.25",
        "Cortex XDR Broker VM   26.0.26",
        "Cortex XDR Broker VM   26.0.27",
        "Cortex XDR Broker VM   26.0.28",
        "Cortex XDR Broker VM   26.0.29",
        "Cortex XDR Broker VM   26.0.30",
        "Cortex XDR Broker VM   26.0.31",
        "Cortex XDR Broker VM   26.0.32",
        "Cortex XDR Broker VM   26.0.33",
        "Cortex XDR Broker VM   26.0.34",
        "Cortex XDR Broker VM   26.0.35",
        "Cortex XDR Broker VM   26.0.36",
        "Cortex XDR Broker VM   26.0.37",
        "Cortex XDR Broker VM   26.0.38",
        "Cortex XDR Broker VM   26.0.39",
        "Cortex XDR Broker VM   26.0.40",
        "Cortex XDR Broker VM   26.0.41",
        "Cortex XDR Broker VM   26.0.42",
        "Cortex XDR Broker VM   26.0.43",
        "Cortex XDR Broker VM   26.0.44",
        "Cortex XDR Broker VM   26.0.45",
        "Cortex XDR Broker VM   26.0.46",
        "Cortex XDR Broker VM   26.0.47",
        "Cortex XDR Broker VM   26.0.48",
        "Cortex XDR Broker VM   26.0.49",
        "Cortex XDR Broker VM   26.0.50",
        "Cortex XDR Broker VM   26.0.51",
        "Cortex XDR Broker VM   26.0.52",
        "Cortex XDR Broker VM   26.0.53",
        "Cortex XDR Broker VM   26.0.54",
        "Cortex XDR Broker VM   26.0.55",
        "Cortex XDR Broker VM   26.0.56",
        "Cortex XDR Broker VM   26.0.57",
        "Cortex XDR Broker VM   26.0.58",
        "Cortex XDR Broker VM   26.0.59",
        "Cortex XDR Broker VM   26.0.60",
        "Cortex XDR Broker VM   26.0.61",
        "Cortex XDR Broker VM   26.0.62",
        "Cortex XDR Broker VM   26.0.63",
        "Cortex XDR Broker VM   26.0.64",
        "Cortex XDR Broker VM   26.0.65",
        "Cortex XDR Broker VM   26.0.66",
        "Cortex XDR Broker VM   26.0.67",
        "Cortex XDR Broker VM   26.0.68",
        "Cortex XDR Broker VM   26.0.69",
        "Cortex XDR Broker VM   26.0.70",
        "Cortex XDR Broker VM   26.0.71",
        "Cortex XDR Broker VM   26.0.72",
        "Cortex XDR Broker VM   26.0.73",
        "Cortex XDR Broker VM   26.0.74",
        "Cortex XDR Broker VM   26.0.75",
        "Cortex XDR Broker VM   26.0.76",
        "Cortex XDR Broker VM   26.0.77",
        "Cortex XDR Broker VM   26.0.78",
        "Cortex XDR Broker VM   26.0.79",
        "Cortex XDR Broker VM   26.0.80",
        "Cortex XDR Broker VM   26.0.81",
        "Cortex XDR Broker VM   26.0.82",
        "Cortex XDR Broker VM   26.0.83",
        "Cortex XDR Broker VM   26.0.84",
        "Cortex XDR Broker VM   26.0.85",
        "Cortex XDR Broker VM   26.0.86",
        "Cortex XDR Broker VM   26.0.87",
        "Cortex XDR Broker VM   26.0.88",
        "Cortex XDR Broker VM   26.0.89",
        "Cortex XDR Broker VM   26.0.90",
        "Cortex XDR Broker VM   26.0.91",
        "Cortex XDR Broker VM   26.0.92",
        "Cortex XDR Broker VM   26.0.93",
        "Cortex XDR Broker VM   26.0.94",
        "Cortex XDR Broker VM   26.0.95",
        "Cortex XDR Broker VM   26.0.96",
        "Cortex XDR Broker VM   26.0.97",
        "Cortex XDR Broker VM   26.0.98",
        "Cortex XDR Broker VM   26.0.99",
        "Cortex XDR Broker VM   26.0.100",
        "Cortex XDR Broker VM   26.0.101",
        "Cortex XDR Broker VM   26.0.102",
        "Cortex XDR Broker VM   26.0.103",
        "Cortex XDR Broker VM   26.0.104",
        "Cortex XDR Broker VM   26.0.105",
        "Cortex XDR Broker VM   26.0.106",
        "Cortex XDR Broker VM   26.0.107",
        "Cortex XDR Broker VM   26.0.108",
        "Cortex XDR Broker VM   26.0.109",
        "Cortex XDR Broker VM   26.0.110",
        "Cortex XDR Broker VM   26.0.111",
        "Cortex XDR Broker VM   26.0.112",
        "Cortex XDR Broker VM   26.0.113",
        "Cortex XDR Broker VM   26.0.114",
        "Cortex XDR Broker VM   26.0.115",
        "Cortex XDR Broker VM   26.0.116",
        "Cortex XDR Broker VM   26.0.117",
        "Cortex XDR Broker VM   26.0.118"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2025-4228",
    "datePublished": "2025-06-12T23:41:37.071Z",
    "dateReserved": "2025-05-02T19:10:41.205Z",
    "dateUpdated": "2026-02-26T17:50:38.802Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-4136 (GCVE-0-2025-4136)

Vulnerability from cvelistv5 – Published: 2025-04-30 19:31 – Updated: 2025-05-01 18:50
VLAI
Title
Weitong Mall Sale Endpoint improper authorization
Summary
A vulnerability was found in Weitong Mall 1.0.0. It has been classified as critical. This affects an unknown part of the component Sale Endpoint. The manipulation of the argument ID leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://vuldb.com/?id.306627 vdb-entrytechnical-description
https://vuldb.com/?ctiid.306627 signaturepermissions-required
https://vuldb.com/?submit.560782 third-party-advisory
https://www.cnblogs.com/aibot/p/18830909 exploit
Impacted products
Vendor Product Version
Weitong Mall Affected: 1.0.0
Create a notification for this product.
Credits
aibot88 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4136",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-01T18:50:13.812475Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-01T18:50:28.153Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Sale Endpoint"
          ],
          "product": "Mall",
          "vendor": "Weitong",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "aibot88 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Weitong Mall 1.0.0. It has been classified as critical. This affects an unknown part of the component Sale Endpoint. The manipulation of the argument ID leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in Weitong Mall 1.0.0 ausgemacht. Sie wurde als kritisch eingestuft. Es geht dabei um eine nicht klar definierte Funktion der Komponente Sale Endpoint. Mit der Manipulation des Arguments ID mit unbekannten Daten kann eine improper authorization-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.5,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T19:31:06.079Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-306627 | Weitong Mall Sale Endpoint improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.306627"
        },
        {
          "name": "VDB-306627 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.306627"
        },
        {
          "name": "Submit #560782 | fuyang_lipengjun platform 1.0.0 broken function level authorization",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.560782"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.cnblogs.com/aibot/p/18830909"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-30T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-04-30T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-04-30T15:06:01.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Weitong Mall Sale Endpoint improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4136",
    "datePublished": "2025-04-30T19:31:06.079Z",
    "dateReserved": "2025-04-30T13:00:57.976Z",
    "dateUpdated": "2025-05-01T18:50:28.153Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4119 (GCVE-0-2025-4119)

Vulnerability from cvelistv5 – Published: 2025-04-30 13:31 – Updated: 2025-04-30 13:48
VLAI
Title
Weitong Mall Product Statistics queryTotal access control
Summary
A vulnerability classified as critical was found in Weitong Mall 1.0.0. This vulnerability affects unknown code of the file /queryTotal of the component Product Statistics Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://vuldb.com/?id.306604 vdb-entrytechnical-description
https://vuldb.com/?ctiid.306604 signaturepermissions-required
https://vuldb.com/?submit.560778 third-party-advisory
https://www.cnblogs.com/aibot/p/18830908 exploit
Impacted products
Vendor Product Version
Weitong Mall Affected: 1.0.0
Create a notification for this product.
Credits
aibot88 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4119",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T13:47:54.976889Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T13:48:10.312Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Product Statistics Handler"
          ],
          "product": "Mall",
          "vendor": "Weitong",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "aibot88 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as critical was found in Weitong Mall 1.0.0. This vulnerability affects unknown code of the file /queryTotal of the component Product Statistics Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "In Weitong Mall 1.0.0 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Hierbei betrifft es unbekannten Programmcode der Datei /queryTotal der Komponente Product Statistics Handler. Dank Manipulation des Arguments isDelete mit der Eingabe 1 mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T13:31:09.797Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-306604 | Weitong Mall Product Statistics queryTotal access control",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.306604"
        },
        {
          "name": "VDB-306604 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.306604"
        },
        {
          "name": "Submit #560778 | fuyang_lipengjun platform 1.0.0 broken function level authorization",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.560778"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.cnblogs.com/aibot/p/18830908"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-30T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-04-30T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-04-30T07:34:53.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Weitong Mall Product Statistics queryTotal access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4119",
    "datePublished": "2025-04-30T13:31:09.797Z",
    "dateReserved": "2025-04-30T05:11:59.357Z",
    "dateUpdated": "2025-04-30T13:48:10.312Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4118 (GCVE-0-2025-4118)

Vulnerability from cvelistv5 – Published: 2025-04-30 13:31 – Updated: 2025-04-30 13:48
VLAI
Title
Weitong Mall Product History historyList access control
Summary
A vulnerability classified as critical has been found in Weitong Mall 1.0.0. This affects an unknown part of the file /historyList of the component Product History Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://vuldb.com/?id.306603 vdb-entrytechnical-description
https://vuldb.com/?ctiid.306603 signaturepermissions-required
https://vuldb.com/?submit.560777 third-party-advisory
https://www.cnblogs.com/aibot/p/18830907 exploit
Impacted products
Vendor Product Version
Weitong Mall Affected: 1.0.0
Create a notification for this product.
Credits
aibot88 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4118",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T13:48:40.534859Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T13:48:52.380Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Product History Handler"
          ],
          "product": "Mall",
          "vendor": "Weitong",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "aibot88 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as critical has been found in Weitong Mall 1.0.0. This affects an unknown part of the file /historyList of the component Product History Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in Weitong Mall 1.0.0 entdeckt. Sie wurde als kritisch eingestuft. Dabei betrifft es einen unbekannter Codeteil der Datei /historyList der Komponente Product History Handler. Dank der Manipulation des Arguments isDelete mit der Eingabe 1 mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T13:31:06.111Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-306603 | Weitong Mall Product History historyList access control",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.306603"
        },
        {
          "name": "VDB-306603 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.306603"
        },
        {
          "name": "Submit #560777 | fuyang_lipengjun platform 1.0.0 broken function level authorization",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.560777"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.cnblogs.com/aibot/p/18830907"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-30T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-04-30T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-04-30T07:34:47.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Weitong Mall Product History historyList access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4118",
    "datePublished": "2025-04-30T13:31:06.111Z",
    "dateReserved": "2025-04-30T05:11:56.580Z",
    "dateUpdated": "2025-04-30T13:48:52.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4067 (GCVE-0-2025-4067)

Vulnerability from cvelistv5 – Published: 2025-04-29 15:00 – Updated: 2025-04-29 15:36
VLAI
Title
ScriptAndTools Online-Travling-System viewpackage.php access control
Summary
A vulnerability classified as critical has been found in ScriptAndTools Online-Travling-System 1.0. Affected is an unknown function of the file /admin/viewpackage.php. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Credits
MaloyRoyOrko (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4067",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-29T15:35:08.508809Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-29T15:36:29.663Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Online-Travling-System",
          "vendor": "ScriptAndTools",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "MaloyRoyOrko (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as critical has been found in ScriptAndTools Online-Travling-System 1.0. Affected is an unknown function of the file /admin/viewpackage.php. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine kritische Schwachstelle in ScriptAndTools Online-Travling-System 1.0 entdeckt. Betroffen hiervon ist ein unbekannter Ablauf der Datei /admin/viewpackage.php. Dank der Manipulation mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-29T15:00:06.890Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-306504 | ScriptAndTools Online-Travling-System viewpackage.php access control",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.306504"
        },
        {
          "name": "VDB-306504 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.306504"
        },
        {
          "name": "Submit #559514 | Script And Tools Online-Travling-System 1.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.559514"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.websecurityinsights.my.id/2025/04/script-and-tools-online-travling-system_71.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-29T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-04-29T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-04-29T07:24:36.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "ScriptAndTools Online-Travling-System viewpackage.php access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4067",
    "datePublished": "2025-04-29T15:00:06.890Z",
    "dateReserved": "2025-04-29T05:19:25.056Z",
    "dateUpdated": "2025-04-29T15:36:29.663Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4066 (GCVE-0-2025-4066)

Vulnerability from cvelistv5 – Published: 2025-04-29 14:31 – Updated: 2025-04-29 14:54
VLAI
Title
ScriptAndTools Online-Travling-System addpackage.php access control
Summary
A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/addpackage.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Credits
MaloyRoyOrko (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4066",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-29T14:53:23.276491Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-29T14:54:58.961Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Online-Travling-System",
          "vendor": "ScriptAndTools",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "MaloyRoyOrko (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/addpackage.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in ScriptAndTools Online-Travling-System 1.0 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen davon ist ein unbekannter Prozess der Datei /admin/addpackage.php. Durch Beeinflussen mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-29T14:31:06.683Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-306503 | ScriptAndTools Online-Travling-System addpackage.php access control",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.306503"
        },
        {
          "name": "VDB-306503 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.306503"
        },
        {
          "name": "Submit #559480 | Script And Tools Online-Travling-System 1.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.559480"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.websecurityinsights.my.id/2025/04/script-and-tools-online-travling-system_82.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-29T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-04-29T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-04-29T07:24:34.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "ScriptAndTools Online-Travling-System addpackage.php access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4066",
    "datePublished": "2025-04-29T14:31:06.683Z",
    "dateReserved": "2025-04-29T05:19:22.410Z",
    "dateUpdated": "2025-04-29T14:54:58.961Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4065 (GCVE-0-2025-4065)

Vulnerability from cvelistv5 – Published: 2025-04-29 14:31 – Updated: 2025-04-29 14:52
VLAI
Title
ScriptAndTools Online-Travling-System addadvertisement.php access control
Summary
A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/addadvertisement.php. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Credits
MaloyRoyOrko (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4065",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-29T14:50:19.190389Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-29T14:52:17.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Online-Travling-System",
          "vendor": "ScriptAndTools",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "MaloyRoyOrko (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/addadvertisement.php. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "In ScriptAndTools Online-Travling-System 1.0 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Datei /admin/addadvertisement.php. Durch das Beeinflussen mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-29T14:31:04.679Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-306502 | ScriptAndTools Online-Travling-System addadvertisement.php access control",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.306502"
        },
        {
          "name": "VDB-306502 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.306502"
        },
        {
          "name": "Submit #559478 | Script And Tools Online-Travling-System 1.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.559478"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.websecurityinsights.my.id/2025/04/script-and-tools-online-travling-system_16.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-29T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-04-29T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-04-29T07:24:32.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "ScriptAndTools Online-Travling-System addadvertisement.php access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4065",
    "datePublished": "2025-04-29T14:31:04.679Z",
    "dateReserved": "2025-04-29T05:19:19.227Z",
    "dateUpdated": "2025-04-29T14:52:17.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4064 (GCVE-0-2025-4064)

Vulnerability from cvelistv5 – Published: 2025-04-29 14:00 – Updated: 2025-04-29 14:14
VLAI
Title
ScriptAndTools Online-Travling-System viewenquiry.php access control
Summary
A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/viewenquiry.php. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Credits
MaloyRoyOrko (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4064",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-29T14:09:47.216949Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-29T14:14:14.470Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Online-Travling-System",
          "vendor": "ScriptAndTools",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "MaloyRoyOrko (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/viewenquiry.php. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in ScriptAndTools Online-Travling-System 1.0 ausgemacht. Sie wurde als kritisch eingestuft. Hiervon betroffen ist ein unbekannter Codeblock der Datei /admin/viewenquiry.php. Durch Manipulieren mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-29T14:00:07.570Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-306501 | ScriptAndTools Online-Travling-System viewenquiry.php access control",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.306501"
        },
        {
          "name": "VDB-306501 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.306501"
        },
        {
          "name": "Submit #559467 | Script And Tools Online-Travling-System 1.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.559467"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.websecurityinsights.my.id/2025/04/script-and-tools-online-travling-system.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-29T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-04-29T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-04-29T07:24:31.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "ScriptAndTools Online-Travling-System viewenquiry.php access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4064",
    "datePublished": "2025-04-29T14:00:07.570Z",
    "dateReserved": "2025-04-29T05:19:15.649Z",
    "dateUpdated": "2025-04-29T14:14:14.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.