CWE-281

Improper Preservation of Permissions

50 CVEs, Avg CVSS 6.6, MITRE

Severity: 7 CRITICAL, 23 HIGH, 13 MEDIUM, 5 LOW

6 POC, 0 KEV


CVE-2026-35385 HIGH This Week

OpenSSH's legacy scp protocol (pre-10.3) can install downloaded files with elevated setuid/setgid permissions when root users transfer files with the -O flag and without -p. This enables privilege escalation if attackers control file server content or conduct man-in-the-middle attacks (CVSS AV:N/AC:H/UI:R). No public exploit identified at time of analysis, though exploitation probability is moderate given the specific configuration requirements (root usage, legacy protocol flag, missing preserve-mode flag).

Ssh, Information Disclosure
NVD, VulDB
CVSS 3.1: 7.5, EPSS: 0.0%
CVE-2025-9615 LOW Monitor

A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. [CVSS 3.3 LOW]

Information Disclosure
NVD
CVSS 3.0: 3.3, EPSS: 0.0%
CVE-2024-12125 HIGH This Month

A flaw was found in the 3scale Developer Portal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. No vendor patch available.

Information Disclosure, Redhat
NVD
CVSS 3.1: 7.5, EPSS: 0.1%
CVE-2025-37735 HIGH This Month

Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. Rated high severity (CVSS 7.0). No vendor patch available.

Elastic, Microsoft, Privilege Escalation, Windows
NVD
CVSS 3.1: 7.0, EPSS: 0.0%
CVE-2025-26420 MEDIUM PATCH Monitor

In multiple functions of GrantPermissionsActivity.java, there is a possible way to trick the user into granting the incorrect permission due to permission overload. Rated medium severity (CVSS 4.4), this vulnerability requires no authentication and has low attack complexity.

Privilege Escalation, Java, Android, Google
NVD
CVSS 3.1: 4.4, EPSS: 0.0%
CVE-2025-7346 HIGH PATCH This Week

CVE-2025-7346 is a security vulnerability (CVSS 8.7). High severity vulnerability requiring prompt remediation.

Authentication Bypass, Debian
NVD, GitHub
CVSS 4.0: 8.7, EPSS: 0.3%
CVE-2025-43701 HIGH This Week

CVE-2025-43701 is an Improper Preservation of Permissions vulnerability in Salesforce OmniStudio FlexCards that allows unauthenticated network attackers to read Custom Settings data without authorization. Affecting OmniStudio versions before 254, this high-severity flaw (CVSS 7.5) enables direct exposure of sensitive configuration data through a low-complexity attack requiring no user interaction or privileges. While KEV status and active exploitation details are not available in provided data, the combination of high CVSS score, unauthenticated attack vector, and direct confidentiality impact indicates significant real-world risk to Salesforce deployments storing sensitive configuration in Custom Settings.

Information Disclosure, Salesforce, Privilege Escalation
NVD
CVSS 3.1: 7.5, EPSS: 0.1%
CVE-2025-43700 HIGH This Week

CVE-2025-43700 is an Improper Preservation of Permissions vulnerability in Salesforce OmniStudio FlexCards that allows unauthenticated network-based attackers to expose encrypted data without requiring user interaction. This high-impact confidentiality breach (CVSS 7.5) affects OmniStudio versions prior to Spring 2025 release and represents a significant risk to organizations using FlexCards for sensitive data handling, particularly given the low attack complexity and absence of privilege requirements.

Information Disclosure, Salesforce, Privilege Escalation
NVD
CVSS 3.1: 7.5, EPSS: 0.1%
CVE-2025-43698 CRITICAL Act Now

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

Salesforce, Privilege Escalation, Information Disclosure
NVD
CVSS 3.1: 9.1, EPSS: 0.1%
CVE-2025-43697 HIGH This Week

An Improper Preservation of Permissions vulnerability in Salesforce OmniStudio's DataMapper component allows unauthenticated network-based attackers to expose encrypted data without requiring user interaction. The vulnerability affects OmniStudio versions prior to Spring 2025 and carries a CVSS 7.5 (High) severity rating. While specific KEV status and EPSS data were not provided in the intelligence sources, the high CVSS score combined with unauthenticated access (AV:N, PR:N) indicates this is a significant exposure risk for organizations using affected OmniStudio deployments.

Information Disclosure, Salesforce, Privilege Escalation
NVD
CVSS 3.1: 7.5, EPSS: 0.1%