| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but @osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted.
As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption.
This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access. |
| The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. An app may be able to break out of its sandbox. |
| An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs. |
| An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute shell commands on the underlying operating system. |
| Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to process this file for metadata or thumbnail generation, it triggers a fatal TypeError. |
| A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster. |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN, execution continues. The wrapped value (247) is used as a shift exponent, causing undefined behavior and an approximately 80 billion iteration loop (CPU DoS). This issue has been patched in version 3.24.2. |
| A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration. |
| A vulnerability has been found in wandb OpenUI up to 0.0.0.0/1.0. This impacts an unknown function of the file backend/openui/config.py. The manipulation of the argument LITELLM_MASTER_KEY leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Hardcoded Password Vulnerability have been found in CENTUM. Affected products contain a hardcoded password for the user account (PROG) used for CENTUM Authentication Mode within the system. Under the following conditions, there is a risk that an attacker could log in as the PROG user.
The default permission for the PROG users is S1 permission (equivalent to OFFUSER). Therefore, for properly permission-controlled targets of operation and monitoring, even if an attacker user in as the PROG user, the risk of critical operations or configuration changes being performed is considered low. (If the PROG user's permissions have been changed for any reason, there is a risk that operations or configuration changes may be performed under the modified permissions. The CVSS values below are for the default permissions.)
Additionally, exploiting this vulnerability requires an attacker to already have access to the HIS screen controls. Therefore, an attacker can already operate and monitor at that point, regardless of this vulnerability.
The conditions under which this vulnerability is exploited:
If all of the following conditions are met, the affected products are vulnerable to this vulnerability.
-An attacker obtains the hardcoded password using a certain method.
-The HIS with the affected product installed is configured in CTM authentication mode.
-An attacker must have direct access to the aforementioned HIS or be able to break into it remotely using a certain method and perform screen operations.
The affected products and versions are as follows: CENTUM VP R5.01.00 to R5.04.20, R6.01.00 to R6.12.00 and R7.01.00. |
| NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users. |
| Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access modify system functionality.
This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025 |
| In the Linux kernel, the following vulnerability has been resolved:
ASoC: SDCA: Add allocation failure check for Entity name
Currently find_sdca_entity_iot() can allocate a string for the
Entity name but it doesn't check if that allocation succeeded.
Add the missing NULL check after the allocation. |
| In the Linux kernel, the following vulnerability has been resolved:
smb: client: Don't log plaintext credentials in cifs_set_cifscreds
When debug logging is enabled, cifs_set_cifscreds() logs the key
payload and exposes the plaintext username and password. Remove the
debug log to avoid exposing credentials. |
| In the Linux kernel, the following vulnerability has been resolved:
platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
set_new_password() hex dumps the entire buffer, which contains plaintext
password data, including current and new passwords. Remove the hex dump
to avoid leaking credentials. |
| IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 product stores user credentials and other sensitive information in plain text which can be read by a local user. |
| Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information. |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk, hbb_common on Windows, MacOS, Linux (Password security module, config encryption, machine UID modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files hbb_common/src/password_security.Rs, hbb_common/src/config.Rs, hbb_common/src/lib.Rs (get_uuid), machine-uid/src/lib.Rs and program routines symmetric_crypt(), encrypt_str_or_original(), decrypt_str_or_original(), get_uuid(), get_machine_id().
This issue affects RustDesk Client: through 1.4.5. |
| GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system.
During installation, ERM creates a Windows service that runs under the LocalSystem account.
When the ERM application is launched, related processes are spawned under SYSTEM privileges rather than the security context of the logged-in user.
Functions such as 'Import Data' open a Windows file dialog operating with SYSTEM permissions, enabling modification or deletion of protected system files and directories.
Any ERM function invoking Windows file open/save dialogs exposes the same risk.
This vulnerability allows local privilege escalation and may result in full system compromise. |
| A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the “Docker” strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container. |
