Insecure Direct Object Reference (IDOR) in the Acer Connect M6E 5G Portable WiFi Router's summary service endpoint allows authenticated remote users to access device data belonging to other users by supplying arbitrary hardware serial numbers the endpoint fails to validate against session ownership. The vulnerability affects all tracked versions per CPE data, requires only a valid authenticated session, and involves no user interaction or special configuration. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Out-of-bounds read in Chrome's ANGLE graphics layer on Windows exposes sensitive process memory to an attacker who has already achieved renderer compromise. Affected are all Chrome for Windows installations prior to 149.0.7827.53; macOS, Linux, Android, and iOS are not in scope per available data. No public exploit code exists and no active exploitation is confirmed - EPSS at 0.03% (11th percentile) and SSVC exploitation status of 'none' jointly indicate this is a low-priority real-world threat, functioning primarily as a post-exploitation information-disclosure step in a multi-stage browser attack chain rather than a standalone critical vulnerability.
Out-of-bounds read in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome prior to 149.0.7827.53 enables an attacker who has already compromised the renderer process to leak potentially sensitive data from process memory via a crafted HTML page. The CVSS vector (AC:H, UI:R) reflects a two-stage exploitation requirement: the attacker must first achieve renderer compromise through a separate vulnerability, then chain this ANGLE flaw as a second-stage information disclosure primitive. No public exploit code has been identified and EPSS sits at 0.03% (11th percentile), indicating low real-world exploitation probability at time of analysis.
Cross-origin data leakage in Google Chrome for Android (versions prior to 149.0.7827.53) is enabled by a race condition in the Geolocation subsystem, exploitable by a remote unauthenticated attacker who tricks a victim into visiting a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network reachability with no required privileges, though user interaction is mandatory. No active exploitation has been confirmed (not in CISA KEV), and EPSS sits at 0.03% (10th percentile), indicating very low real-world exploitation probability despite the High confidentiality impact rating.
Sensitive data exposure in the WP eMember WordPress plugin (Tips and Tricks HQ) through version 10.2.2 allows unauthenticated remote attackers to retrieve embedded sensitive system information via a network request. The vulnerability is classified under CWE-497, meaning internally sensitive data is reachable from an unauthorized control sphere - in this case, the open internet without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation probability from EPSS data was not provided, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially reachable from any network source.
Site Isolation bypass in Google Chrome prior to 149.0.7827.53 enables a remote attacker - who has already compromised the renderer process - to escape cross-origin protections via a crafted HTML page, exposing high-confidentiality data from other origins loaded in the browser. This is a chained, second-stage exploit component: it does not function standalone but amplifies the impact of a separate renderer compromise by breaking Chrome's primary cross-site data isolation boundary. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects low current exploitation probability despite the high confidentiality impact rating.
Open redirect in MISP versions up to and including 2.5.38 allows unauthenticated remote attackers to craft links that silently redirect victims to attacker-controlled external URLs immediately after successful authentication. The vulnerability resides in UsersController::routeafterlogin(), where the pre_login_requested_url session value was reflected into a Location header without enforcing local-path constraints. SSVC signals exploitation as 'none' and no CISA KEV listing exists, but the automatable designation and the high-trust context of a threat intelligence platform make this a meaningful phishing amplifier against security teams who would not expect a trusted MISP login to forward them off-site.
Open redirect in MISP's dashboard button widget (versions up to and including 2.5.38) enables an authenticated, high-privileged user who controls dashboard configuration to plant a crafted button URL that appears to point internally but redirects clicking users to an attacker-controlled external site. The root cause is an incomplete URL allowlist in Button.ctp that blocked explicit schemes, hosts, and user components but did not reject paths beginning with /\ - a pattern several browsers normalize into a scheme-relative URL (i.e., //attacker.com). No public exploit exists and CISA SSVC rates exploitation as none; risk is substantially constrained by the PR:H requirement and the need for a victim to interact with the planted button.
Authorization bypass in MISP's Event Template Importer allows authenticated users with template import privileges to overwrite event templates owned by other organizations on the same shared instance, violating inter-organizational data ownership boundaries. Versions up to and including 2.5.38 are affected; the overwrite workflow confirmed template existence but omitted an organizational ownership check, enabling cross-org template corruption. No public exploit code has been identified at time of analysis and SSVC signals no active exploitation, but the integrity impact is operationally significant in multi-tenant MISP deployments where organizational trust boundaries are critical.
Weak hashing in milvus-io/milvus up to 2.6.13 exposes the Grantee ID Hash Handler in the KV metadata catalog (internal/metastore/kv/rootcoord/kv_catalog.go), allowing a low-privileged local attacker to predict or forge 16-character grantee IDs used in RBAC privilege assignments backed by etcd. Successful exploitation - rated high complexity - could result in unauthorized manipulation of access control metadata, yielding low-level confidentiality, integrity, and availability impact on the affected Milvus instance. A proof-of-concept has been publicly disclosed via GitHub issue #49857, though no active exploitation is confirmed in CISA KEV.
Cache key collision in modelscope ms-swift up to 4.2.0 allows a local, low-privileged attacker to cause PIL image integrity failures via the Template._save_pil_image function in swift/template/base.py. The root cause is that the image cache key was computed by hashing only raw pixel bytes (image.tobytes()), without incorporating image metadata such as dimensions or color mode - meaning two structurally different images (e.g., 120×80 vs 80×120) sharing identical byte payloads produce the same SHA-256 cache key and thus collide to the same cached file path. No public exploit identified at time of analysis beyond the publicly disclosed proof-of-concept; no active exploitation confirmed (not listed in CISA KEV).
Weak hash truncation in LMCache up to 0.4.6 allows a local low-privilege attacker to induce KV cache collisions by exploiting the severely constrained 16-bit integer output of `hex_hash_to_int16` in the vLLM integration's KV Cache Handler. The function masks multimodal content hash identifiers to at most 65,536 unique values, making engineered collisions feasible and causing incorrect cached KV entries to be served, affecting both cache integrity and availability. A proof-of-concept has been published on GitHub (issue #3301); no public exploit confirmed in active exploitation and no CISA KEV listing exists.
Cache poisoning in zilliztech GPTCache (up to version 0.1.44) allows a local, low-privileged attacker to corrupt LLM response cache entries by exploiting weak image fingerprinting in the Cache Key Handler. The `BufferedReader.peek()` method in `gptcache/processor/pre.py` only reads the first ~8192 bytes of an image file to construct a cache key, meaning two distinct images sharing an identical header prefix generate the same cache key and collide. An attacker can submit a crafted image whose header matches a previously cached image, causing GPTCache to return a poisoned (wrong) LLM response for subsequent queries. Publicly available exploit code exists per the GitHub issue and included PoC; no active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting in Shopware's media manager allows any authenticated admin to upload an unsanitized SVG file containing arbitrary JavaScript that executes in the Shopware domain context when the file is accessed by any user. The upload pipeline - spanning MediaUploadController, FileSaver, and TypeDetector - classifies SVG as a valid ImageType with VECTOR_GRAPHIC flag but performs zero content sanitization: no DOMPurify, no enshrined/svg-sanitize, no strip_tags on SVG XML content. In an e-commerce context this enables admin account takeover, customer data exfiltration, and malicious plugin installation. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV.
Use-after-free in libexpat before 2.8.2 allows memory corruption, information disclosure, and potential code execution when prohibited API functions are called from within XML event handler callbacks. All libexpat consumers - including language bindings such as CPython's xml.parsers.expat - are affected when handler code (or attacker-influenced handler logic) invokes XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset in a re-entrant manner during active parsing. No public exploit code exists at time of analysis and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, but the CPython project has an associated open issue (python/cpython#146169) indicating ecosystem-wide reach.
Message spoofing in matrix-sdk-ui before 0.16.1 allows an authenticated homeserver administrator to impersonate any user on that server by injecting unencrypted replacement events targeting encrypted original messages. The edit validation logic in the Rust crate's `matrix-sdk-ui` component omits the check that a replacement (edit) event for an encrypted original must itself also be encrypted, violating the Matrix specification's replacement event validity algorithm. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the integrity impact is high against affected clients that trust a malicious or compromised homeserver.
Path restriction bypass in SingularityCE allows local authenticated low-privilege users to execute containers from directories whose names share a string prefix with administrator-configured allowed paths, defeating the `limit container paths` security control in setuid mode. The flaw exists only when this directive is actively configured in `singularity.conf`; installations not using the directive are entirely unaffected per the vendor advisory. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Stored XSS in AVideo's YouTubeAPI plugin allows any YouTube video uploader whose video matches the AVideo operator's configured search keyword to inject arbitrary JavaScript into every visitor's browser via the homepage gallery section. The `snippet.title` field returned by the YouTube Data API is rendered verbatim across four HTML output sites in `plugin/YouTubeAPI/gallerySection.php`, three of which apply no encoding whatsoever; the fourth applies only a partial `str_replace` that strips double-quotes and leaves the other three sinks untouched. Publicly available exploit code is documented in GHSA-66q5-cj5g-wrfx; the payload persists for up to 3600 seconds (the default cache TTL) after the hostile video is removed from YouTube, and when the victim is an authenticated AVideo administrator the injected script can escalate to full administrative takeover via cookie-based requests lacking CSRF protection.
Same-origin policy bypass in Google Chrome's FoldableAPIs component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data by delivering a crafted HTML page. Rated Medium (CVSS 4.7) with a Changed scope, this is a second-stage exploit primitive - not a standalone critical - requiring a pre-existing renderer compromise before it is triggerable. EPSS at 0.02% (6th percentile), SSVC exploitation status of 'none', and Google's internal 'Low' severity rating collectively confirm this is a patch-on-schedule rather than emergency-response priority. No public exploit identified at time of analysis.
Plaintext credential exposure in GNCC GP5 v7.1.76 allows physically-proximate attackers to capture wireless network credentials by monitoring the device's serial UART interface during routine operations. The device transmits sensitive wireless network information - including network credentials - in cleartext to the serial console, making them trivially readable by anyone with physical access and a UART adapter. No public exploit is identified at time of analysis and no active exploitation is confirmed; however, a researcher-published IoT vulnerability disclosure exists on GitHub detailing the finding.
Runtime integrity bypass on GNCC GP5 firmware v7.1.76 enables a physically-proximate unauthenticated attacker to circumvent file system read-only protections via a bind-mount attack, allowing arbitrary modification of system files and binaries for the current boot session. The device, an IoT platform, lacks enforcement of filesystem immutability at runtime, meaning a read-only mount can be shadowed by a writable bind-mount without detection. No public exploit has been confirmed beyond the published IoT vulnerability research linked in references, and exploitation probability is very low at 0.02% EPSS (4th percentile), consistent with the physical-access requirement.
Factory reset in GNCC GP5 firmware v7.1.76 fails to purge cryptographic material from the JFFS2 configuration partition, leaving sensitive user data recoverable after a reset operation. An attacker with physical access to a reset device - such as a discarded, resold, or stolen unit - can read the raw flash storage and extract retained secrets. No public exploit identified at time of analysis as KEV-confirmed active exploitation, though a publicly available proof-of-concept exists per SSVC data and researcher publication.
Unauthorized payment triggering in Shopware's `/store-api/handle-payment` endpoint allows any low-privileged Store API caller - including guest checkout contexts - to initiate or retry the payment flow for another customer's order by supplying a known foreign `orderId`. The flaw affects `shopware/platform` and `shopware/core` versions below 6.6.10.18 and versions 6.7.0.0 through 6.7.10.0, and is confirmed fixed in releases 6.6.10.18 and 6.7.10.1 per GitHub advisory GHSA-9v5m-39wh-5chq. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS score of 4.3 (Medium) reflects limited scope: integrity of order and payment workflows is the primary risk, with no direct confidentiality or availability impact.
UI spoofing in Google Chrome's PointerLock API prior to version 149.0.7827.53 allows an attacker who has already compromised the renderer process to manipulate browser UI presentation via a crafted HTML page. The CVSS score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects limited integrity-only impact with no confidentiality or availability consequences, and Google itself rated this 'Low' severity. No public exploit has been identified and the EPSS score of 0.05% (15th percentile) confirms very low real-world exploitation probability at time of analysis.
UI spoofing in Google Chrome's Password Manager component (versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to manipulate the Password Manager's visual interface via crafted malicious network traffic, potentially deceiving users about credential prompts or password state. Exploitation requires user interaction (CVSS UI:R), limiting opportunistic mass exploitation. No public exploit code exists and no active exploitation is confirmed - EPSS sits at just 0.05% (15th percentile), consistent with a low-priority medium-severity browser component flaw. A vendor-released patch is available in Chrome 149.0.7827.53.
UI spoofing in Google Chrome's Password Manager component (versions prior to 149.0.7827.53) allows remote unauthenticated attackers to manipulate browser interface elements via crafted malicious network traffic. The flaw stems from insufficient input validation (CWE-20) in the Password Manager subsystem, enabling an attacker to deceive victims about the legitimacy of password prompts or credential states. No public exploit code or active exploitation has been identified; EPSS at 0.05% (15th percentile) reflects low community-assessed exploitation probability, and the mandatory user interaction requirement prevents automated mass exploitation.
UI spoofing in Google Chrome's File Input component allows remote unauthenticated attackers to misrepresent interface elements when a user is socially engineered into performing specific UI gestures on a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The vulnerability carries a Chromium-assigned severity of Low and is limited to integrity impact (I:L) with no confidentiality or availability consequences. No public exploit code exists and no active exploitation is confirmed at time of analysis.
UI spoofing in Google Chrome's File Input component (versions prior to 149.0.7827.53) enables remote attackers to misrepresent security-critical interface elements to users through specially crafted HTML pages. The attacker must convince a target to perform specific UI gestures - such as drag-and-drop or deliberate click sequences - to trigger incorrect rendering of the browser's file selection security UI. No public exploit identified at time of analysis; EPSS at 0.03% (11th percentile) signals very low exploitation probability, consistent with no CISA KEV listing.
Cross-origin data leakage in Google Chrome's CSS implementation exposes sensitive information from other origins when a user visits a crafted HTML page. Affected are all Chrome versions prior to 149.0.7827.53 on desktop platforms. An unauthenticated remote attacker can exploit this to read data from cross-origin contexts, violating the browser's Same-Origin Policy via a CSS-based side channel or direct information disclosure path. No public exploit identified at time of analysis, and EPSS at 0.03% (11th percentile) signals low current exploitation activity.
Cross-origin data leakage in Google Chrome's DataTransfer API allows unauthenticated remote attackers to read data across origins by directing a victim to a crafted HTML page, affecting all Chrome desktop versions prior to 149.0.7827.53. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:L) confirms network accessibility without attacker authentication, but requires user interaction and yields only limited confidentiality impact with no integrity or availability consequences. No active exploitation is confirmed (not in CISA KEV), and EPSS at 0.03% (11th percentile) consistently signals low current exploitation probability.
Cross-origin data leakage in Google Chrome's Skia graphics library affects all versions prior to 149.0.7827.53, exploitable via a crafted HTML page requiring only a single user visit. The root cause (CWE-457: use of uninitialized memory) in Chrome's Skia rendering backend allows residual memory contents to be exposed across origin boundaries, violating the browser's same-origin policy. No public exploit identified at time of analysis; EPSS at 0.03% (11th percentile) and absence from CISA KEV indicate low real-world exploitation probability at this time.
Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 allows a remote unauthenticated attacker to read sensitive cross-origin data by luring a user to a crafted HTML page that exploits an inappropriate CSS implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network-exploitable, no-privilege-required exploitation with a single user interaction as the only barrier. No public exploit has been identified and EPSS sits at 0.03% (11th percentile), indicating low current exploitation interest despite the low attack complexity.
Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 allows remote unauthenticated attackers to read sensitive cross-origin information by directing a victim to a crafted HTML page that exploits an inappropriate CSS implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network delivery with no privilege requirement, limited only by the need for user interaction. EPSS is 0.03% (11th percentile) and no public exploit has been identified at time of analysis; however, Google has issued a confirmed patch in the stable channel release, and the CWE-352/CSRF tag alongside the data-leakage description suggests a novel or hybrid attack class that security teams should monitor for further clarification.
UI spoofing in Google Chrome's Downloads component prior to version 149.0.7827.53 enables remote attackers to misrepresent download-related interface elements by serving a crafted HTML page. The flaw stems from an inappropriate implementation (CWE-451) in the Downloads subsystem, allowing an attacker to manipulate what the user sees during a download interaction - potentially masking file names, types, or origin - without any authentication. No public exploit code exists and EPSS sits at 0.03% (11th percentile), indicating no public exploit identified at time of analysis; however, the no-authentication, low-complexity delivery path warrants prompt patching.
Cross-origin data leakage in Google Chrome's WebView component on Android allows an unauthenticated remote attacker to read data from origins outside the attacker's own domain by enticing a user to visit a crafted HTML page. Affected are all Android Chrome versions prior to 149.0.7827.53. No public exploit exists and SSVC classifies exploitation as none, but the network-accessible, low-complexity attack vector warrants patching for Android-heavy enterprise environments handling sensitive cross-origin content.
Site isolation bypass in Google Chrome's FoldableAPIs component allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The vulnerability carries a CVSS 4.3 score, an EPSS of 0.02% (4th percentile), is not listed in CISA KEV, and no public exploit has been identified - consistent with Chromium's own 'Low' severity rating. A vendor-released patch (149.0.7827.53) is available.
Navigation restriction bypass in Google Chrome prior to 149.0.7827.53 allows remote unauthenticated attackers to circumvent Chrome's built-in navigation controls by delivering a crafted HTML page to a victim. The flaw stems from an inappropriate implementation in Chrome's Navigation subsystem (CWE-693: Protection Mechanism Failure), yielding low integrity impact with no confidentiality or availability consequences. No public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02% (4th percentile), consistent with Google Chromium's own Low severity classification for this issue.
Cross-origin data leakage in Google Chrome DevTools affects all versions prior to 149.0.7827.53, exploitable through a crafted malicious Chrome Extension. The inappropriate DevTools implementation allows an attacker who successfully social-engineers a victim into installing the extension to read data from cross-origin contexts - violating the browser's same-origin isolation guarantees at the DevTools layer. No public exploit code exists and no CISA KEV listing is present; EPSS at 0.02% (4th percentile) confirms low exploitation probability in the wild, making this a routine patch-cycle priority rather than an emergency response item.
Cross-origin data leakage in Google Chrome's DevTools component (prior to 149.0.7827.53) enables an attacker to bypass same-origin policy enforcement through a crafted malicious extension. Exploitation requires convincing a target user to install the attacker-controlled extension, after which cross-origin data can be exfiltrated via insufficient DevTools policy controls. No public exploit code has been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.
Script and HTML injection into privileged Chrome pages is possible in Google Chrome prior to 149.0.7827.53 through insufficient policy enforcement in the Extensions subsystem. An attacker who convinces a user to install a crafted malicious extension can leverage this to inject content into otherwise-restricted privileged pages, compromising page integrity. EPSS is 0.01% (1st percentile), no KEV listing exists, and no public exploit has been identified at time of analysis - indicating low observed exploitation pressure despite the network-accessible attack vector.
Unauthenticated open redirect in Shopware's SSO entry point (GET /api/oauth/sso/auth) allows any remote attacker to cause a victim's browser to navigate to an arbitrary attacker-controlled URL - including javascript: URIs - by supplying a malicious Referer header. Affected are shopware/core and shopware/platform versions 6.7.3.0 through 6.7.10.0; the redirect is served from a trusted /api/oauth/ origin, materially increasing phishing credibility. A Python proof-of-concept demonstrating three distinct exploitation variants (no Referer, external HTTPS redirect, javascript: scheme injection) exists; no active exploitation is confirmed in CISA KEV at time of analysis.
Weak input validation in HCL iControl allows authenticated remote attackers to submit input of an unexpected type, resulting in limited integrity impact against the target system. The vulnerability stems from an implementation deficiency in an architectural security tactic - specifically, the application's failure to correctly validate received input against its expected type. No public exploit code exists and no active exploitation has been confirmed; however, the low-complexity, network-accessible attack vector lowers the bar for authenticated users to abuse this flaw.
Server-side request forgery in Shopware's media subsystem allows authenticated admin users to make arbitrary HTTP HEAD requests to internal network addresses and cloud metadata endpoints via the `/api/_action/media/external-link` endpoint. The root cause is an inconsistency between two URL-handling flows in `MediaUploadService`: the `uploadFromURL` flow correctly validates resolved IPs against private/reserved ranges, while the `linkURL` flow only checks that the URL begins with `http://` or `https://`. Exploiting this, an admin can probe cloud metadata services, enumerate internal ports, and leak `content-length` values from internal services; no public exploit has been identified at time of analysis, and a vendor-released patch exists in version 6.7.10.1.
Out-of-bounds memory read in Chrome's Media component allows a local-network-adjacent attacker to leak partial memory contents via specially crafted network traffic. Affects all Chrome releases prior to 149.0.7827.53 on desktop platforms, as confirmed by Google's stable channel advisory. No public exploit code exists and no active exploitation has been identified; SSVC assessment rates technical impact as partial with exploitation status none, placing this in a lower-priority remediation tier despite the unauthenticated vector.
Timing-based administrator username enumeration in Shopware's OAuth token endpoint exposes valid admin accounts to unauthenticated remote attackers. The flaw exists in shopware/platform and shopware/core packages across the 6.6.x and 6.7.x branches, where the API endpoint api/oauth/token responds measurably faster for non-existent usernames than for valid ones due to skipping the Argon2id password_verify() call. A publicly available proof-of-concept exploit exists; while not confirmed actively exploited in CISA KEV, the POC lowers the barrier for targeted brute-force, credential stuffing, and spear phishing campaigns against Shopware admin panels. CVSS rates this 3.7 (AC:H), reflecting that reliable exploitation requires statistical timing analysis across many requests.
Missing HTTP security response headers in HCL iControl fail to instruct client browsers to engage their built-in XSS filtering mechanisms, creating an exploitable gap classified under CWE-693 (Protection Mechanism Failure). The flaw is network-accessible and requires no authentication (PR:N per CVSS), but carries a CVSS 3.7 Low score due to high attack complexity (AC:H) and limited integrity-only impact (I:L). No public exploit code exists and this vulnerability is not listed in CISA KEV, placing it in the compliance/hardening category rather than immediate critical risk.
Local information exposure in HCL BigFix Cloud Lifecycle Management stems from insufficient input validation, allowing a locally authenticated low-privileged user to access data they should not be authorized to view. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms exploitation requires local system access and a low-privilege account. No active exploitation has been confirmed and no public exploit code is known at time of analysis. Despite a tag of 'Authentication Bypass,' the PR:L vector indicates some authentication is required - this discrepancy should be clarified with the vendor advisory.
Stack trace disclosure in HCL iControl v4.0.0 exposes internal application details to authenticated remote attackers via unhandled JavaScript exceptions. The application fails to catch a runtime error when attempting to read the 'dashboard' key from an undefined object, returning a full stack trace to the requesting client. No public exploit exists and no active exploitation has been observed; CVSS scores this Low (3.1), reflecting strictly limited confidentiality impact with no integrity or availability consequences.
HCL iControl exposes session cookies without the Secure or SameSite attributes set, and with the cookie path scoped to root, enabling network-adjacent attackers with authenticated sessions to perform limited integrity modifications under high-complexity conditions. The missing Secure attribute allows cookies to be transmitted over unencrypted HTTP channels, while the absent SameSite attribute opens a cross-site request forgery vector. CVSS scores this at 3.1 (Low); no public exploit code exists and it is not listed in CISA KEV.
Incorrect RBAC policy in OpenStack Neutron before 28.0.1 allows an authenticated project manager to set device_owner on ports of shared networks they do not own to privileged network-service values (e.g., 'network:dhcp'), obtaining trusted network-service port behavior without owning the underlying network. Depending on backend and deployment configuration, this enables DHCP, MAC, or IP spoofing against co-tenants sharing that network, effectively bypassing anti-spoofing and security group protections. This is a confirmed regression of CVE-2015-5240 (OSSA-2015-018); no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.