Monthly
Broken access control in HomeBox prior to 0.25.0 allows authenticated users with revoked group access to continue performing full CRUD operations via API. After group invitation revocation, the defaultGroup ID persists on the user object, and when API requests omit the X-Tenant header, this unvalidated value enables bypassing access controls to read, modify, and delete group inventory data. Web interface correctly enforces revocation, creating a dangerous inconsistency. No active exploitation confirmed (EPSS data unavailable), but the authentication bypass tag and CVSS 8.1 with network vector indicate significant risk for multi-tenant HomeBox deployments.
Juju 3.0.0 through 3.6.18 contains a race condition in secrets management that allows authenticated unit agents to intercept and claim ownership of newly created secrets due to a timing window between secret ID generation and revision creation. An attacker with valid unit agent credentials can exploit this to read the initial content of secrets intended for other units. The vulnerability requires local authentication and manual interaction but results in high-impact confidentiality disclosure with no available patch.
A security vulnerability in KNIME Business Hub (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) affecting the Snapshot deletion functionality. A local attacker with standard user privileges can exploit a symlink race condition to manipulate root-owned snapshot files, escalating privileges to root. The vulnerability has a CVSS score of 7.8 (high severity) with low attack complexity, and while specific KEV/EPSS data is not provided, the low complexity and local attack vector suggest moderate real-world exploitation probability.
Incorrect ownership assignment in some Zoom Workplace Apps may allow a privileged user to conduct an information disclosure via network access. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Uncontrolled resource consumption in the installer for some Zoom apps for macOS before version 6.1.5 may allow a privileged user to conduct a disclosure of information via local access. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.
Broken access control in HomeBox prior to 0.25.0 allows authenticated users with revoked group access to continue performing full CRUD operations via API. After group invitation revocation, the defaultGroup ID persists on the user object, and when API requests omit the X-Tenant header, this unvalidated value enables bypassing access controls to read, modify, and delete group inventory data. Web interface correctly enforces revocation, creating a dangerous inconsistency. No active exploitation confirmed (EPSS data unavailable), but the authentication bypass tag and CVSS 8.1 with network vector indicate significant risk for multi-tenant HomeBox deployments.
Juju 3.0.0 through 3.6.18 contains a race condition in secrets management that allows authenticated unit agents to intercept and claim ownership of newly created secrets due to a timing window between secret ID generation and revision creation. An attacker with valid unit agent credentials can exploit this to read the initial content of secrets intended for other units. The vulnerability requires local authentication and manual interaction but results in high-impact confidentiality disclosure with no available patch.
A security vulnerability in KNIME Business Hub (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) affecting the Snapshot deletion functionality. A local attacker with standard user privileges can exploit a symlink race condition to manipulate root-owned snapshot files, escalating privileges to root. The vulnerability has a CVSS score of 7.8 (high severity) with low attack complexity, and while specific KEV/EPSS data is not provided, the low complexity and local attack vector suggest moderate real-world exploitation probability.
Incorrect ownership assignment in some Zoom Workplace Apps may allow a privileged user to conduct an information disclosure via network access. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Uncontrolled resource consumption in the installer for some Zoom apps for macOS before version 6.1.5 may allow a privileged user to conduct a disclosure of information via local access. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.