?day POC 漏洞数据库

PAN-OS: Authentication Bypass in the Management Web Interface Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/12/2025 Created 02/14/2025 Added 02/13/2025 Modified 02/13/2025 Description An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. You can greatly reduce the risk of this issue by…

Ivanti Pulse Connect Secure: February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs) Severity 6 CVSS (AV:L/AC:L/Au:S/C:N/I:C/A:C) Published 02/11/2025 Created 02/13/2025 Added 02/12/2025 Modified 02/12/2025 Description Insufficient permissions in Ivanti Secure Access Client before version 22.8R1 allows a local authenticated attacker to delete arbitrary files. Solution(s) pulse-secure-pulse-connect-secure-upgrade-22_8r1 References https://attackerkb.com/topics/cve-2024-13813 CVE - 2024-13813 https://forums.ivanti.com/s/article/February-Security…

Debian: CVE-2025-21699: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/12/2025 Created 02/15/2025 Added 02/14/2025 Modified 02/14/2025 Description In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2025-21699 CVE - 20…

Google Chrome Vulnerability: CVE-2025-0995 Use after free in V8 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/13/2025 Created 02/14/2025 Added 02/13/2025 Modified 02/13/2025 Description Google Chrome Vulnerability: CVE-2025-0995 Use after free in V8 Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2025-0995 CVE - 2025-0995

Adobe Illustrator: CVE-2025-21163: Security updates available for Adobe Illustrator (APSB25-11) Severity 7 CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C) Published 02/11/2025 Created 02/14/2025 Added 02/12/2025 Modified 02/12/2025 Description Adobe has released an update for Adobe Illustrator. This update resolves critical vulnerabilities that could lead to arbitrary code execution. Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates. Solution(s) adobe-illustrator-upgrade-latest References https://attackerkb.com/topics/cve-2025-21163 CVE - 2025-21163 https://helpx.adobe.com/security/products/…

FreeBSD: VID-F7CA4FF7-E53F-11EF-A845-B42E991FC52E (CVE-2025-1018): mozilla -- multiple vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/04/2025 Created 02/11/2025 Added 02/08/2025 Modified 02/08/2025 Description The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135. Solution(s) freebsd-upgrade-package-mozilla References CVE-2025-1018

Alma Linux: CVE-2025-1014: Important: firefox security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/04/2025 Created 02/12/2025 Added 02/11/2025 Modified 02/13/2025 Description Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. Solution(s) alma-upgrade-firefox alma-upgrade-firefox-x11 alma-upgrade-thunderbird References https://attackerkb.com/topics/cve-2025-1014 CVE - 2025-1014 https://erra…

F5 Networks: CVE-2025-22891: K000139778: BIG-IP PEM vulnerability CVE-2025-22891 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/06/2025 Created 02/07/2025 Added 02/06/2025 Modified 02/10/2025 Description When BIG-IP PEM Control Plane listener Virtual Server is configured with Diameter Endpoint profile, undisclosed traffic can cause the Virtual Server to stop processing new client connections and an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Solution(s) f5-big-ip-upgrade-latest References https://attackerkb.com/topics/c…

Alma Linux: CVE-2025-1016: Important: firefox security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/04/2025 Created 02/12/2025 Added 02/11/2025 Modified 02/13/2025 Description Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird &lt…

Microsoft Office: CVE-2025-21387: Microsoft Excel Remote Code Execution Vulnerability Severity 6 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 02/11/2025 Created 02/12/2025 Added 02/11/2025 Modified 02/11/2025 Description Microsoft Office: CVE-2025-21387: Microsoft Excel Remote Code Execution Vulnerability Solution(s) microsoft-excel_2016-kb5002684 microsoft-excel_2016-kb5002687 microsoft-office_online_server-kb5002679 office-click-to-run-upgrade-latest References https://attackerkb.com/topics/cve-2025-21387 CVE - 2025-21387 https://support.microsoft.com/help/5002679 https://support.microsoft.com/help/5002684 https://supp…

Debian: CVE-2025-24158: webkit2gtk, wpewebkit -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/27/2025 Created 02/15/2025 Added 02/14/2025 Modified 02/14/2025 Description The issue was addressed with improved memory handling. This issue is fixed in visionOS 2.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Processing web content may lead to a denial-of-service. Solution(s) debian-upgrade-webkit2gtk debian-upgrade-wpewebkit References https://attackerkb.com/topics/cve-2025-24158 CVE - 2025-24158 DLA-4051-1 DSA-5865-1

Microsoft Edge Chromium: CVE-2025-21408 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/07/2025 Created 02/11/2025 Added 02/07/2025 Modified 02/10/2025 Description Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2025-21408 CVE - 2025-21408 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21408

MFSA2025-07 Firefox: Security Vulnerabilities fixed in Firefox 135 (CVE-2025-1013) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/04/2025 Created 02/05/2025 Added 02/05/2025 Modified 02/06/2025 Description A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. Solution(s) mozilla-firefox-upgrade-135_0 References https://attackerkb.com/topics/cve-2025-1013 CVE - 2025-1013 http://www.mozilla.org/sec…

Rocky Linux: CVE-2025-1014: thunderbird (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/04/2025 Created 02/15/2025 Added 02/14/2025 Modified 02/14/2025 Description Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource …

FreeBSD: VID-D598266D-7772-4A31-9594-83B76B1FB837 (CVE-2024-36293): Intel CPUs -- multiple vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/11/2025 Created 02/15/2025 Added 02/13/2025 Modified 02/13/2025 Description Improper access control in the EDECCSSA user leaf function for some Intel(R) Processors with Intel(R) SGX may allow an authenticated user to potentially enable denial of service via local access. Solution(s) freebsd-upgrade-package-cpu-microcode-intel References CVE-2024-36293

Debian: CVE-2024-57951: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/12/2025 Created 02/15/2025 Added 02/14/2025 Modified 02/14/2025 Description In the Linux kernel, the following vulnerability has been resolved: hrtimers: Handle CPU state correctly on hotplug Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to CPUHP_ONLINE: Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set to 1 throughout. However, during a CPU unplug operation, the tick and the clockevents are shut down at CPUHP_AP_TICK_…

Apple Safari security update for CVE-2024-54658 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/06/2025 Created 02/07/2025 Added 02/06/2025 Modified 02/12/2025 Description The issue was addressed with improved memory handling. This issue is fixed in iOS 17.4 and iPadOS 17.4, Safari 17.4, tvOS 17.4, watchOS 10.4, visionOS 1.1, macOS Sonoma 14.4. Processing web content may lead to a denial-of-service. Solution(s) apple-safari-upgrade-17_4 apple-safari-windows-uninstall References https://attackerkb.com/topics/cve-2024-54658 CVE - 2024-54658 http://support.apple.com/en-us/120894

Debian: CVE-2025-0510: thunderbird -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/04/2025 Created 02/11/2025 Added 02/10/2025 Modified 02/10/2025 Description Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135. Solution(s) debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2025-0510 CVE - 2025-0510 DLA-4045-1 DSA-5861-1

F5 Networks: CVE-2025-20058: K000140947: BIG-IP message routing vulnerability CVE-2025-20058 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/06/2025 Created 02/07/2025 Added 02/06/2025 Modified 02/10/2025 Description When a BIG-IP message routing profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Solution(s) f5-big-ip-upgrade-latest References https://attackerkb.com/topics/cve-2025-20058 CVE - 2025-20058 https://my.f5.com/manage/s/article/K000140947

FreeBSD: VID-FA9AE646-DEBC-11EF-87BA-002590C1F29C (CVE-2025-0374): FreeBSD -- Unprivileged access to system files Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/29/2025 Created 02/04/2025 Added 01/31/2025 Modified 01/31/2025 Description When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts.This version does not preserve the mode of the input file, and is world-readable.This applies to files that would normally have restricted visibility, such as /etc/master.passwd. An unprivileged local user may be able to read encrypted root and user passwords from the …

Debian: CVE-2025-21698: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/12/2025 Created 02/15/2025 Added 02/14/2025 Modified 02/14/2025 Description In the Linux kernel, the following vulnerability has been resolved: Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" This reverts commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec. It is reported to cause crashes on Tegra systems, so revert it for now. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2025-21698 CVE - 2025-21698

PAN-OS: Unauthenticated File Deletion Vulnerability on the Management Web Interface Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/12/2025 Created 02/14/2025 Added 02/13/2025 Modified 02/13/2025 Description An unauthenticated file deletion vulnerability in the Palo Alto Networks PAN-OS management web interface enables an unauthenticated attacker with network access to the management web interface to delete certain files as the “nobody” user; this includes limited logs and configuration files but does not include system files. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trus…

MFSA2025-11 Thunderbird: Security Vulnerabilities fixed in Thunderbird 135 (CVE-2025-0510) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/04/2025 Created 02/05/2025 Added 02/05/2025 Modified 02/14/2025 Description Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135. Solution(s) mozilla-thunderbird-upgrade-135_0 References https://attackerkb.com/topics/cve-2025-0510 CVE - 2025-0510 http://www.mozilla.org/security/announce/2025/mfsa2025-11…

Oracle Linux: CVE-2025-1015: ELSA-2025-1184:thunderbird security update (IMPORTANT) (Multiple Advisories) Severity 6 CVSS (AV:N/AC:L/Au:N/C:P/I:P/A:N) Published 02/04/2025 Created 02/12/2025 Added 02/10/2025 Modified 02/13/2025 Description The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) Java…

Amazon Linux AMI 2: CVE-2024-11187: Security patch for bind (ALAS-2025-2751) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/29/2025 Created 02/05/2025 Added 02/05/2025 Modified 02/05/2025 Description It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 thro…