TLS 1.3 client authentication bypass in Botan cryptography library versions prior to 3.11.1 allows unauthenticated remote attackers to skip certificate validation by sending ApplicationData records before the Finished handshake message. Exploiting this vulnerability requires no authentication (PR:N), low attack complexity (AC:L), and no user interaction (UI:N), resulting in complete integrity compromise (VI:H) for TLS 1.3 servers relying on mutual authentication. CVSS 8.7 severity reflects the network-accessible attack surface and direct violation of cryptographic protocol invariants (CWE-841: Improper Enforcement of Behavioral Workflow). No public exploit was identified at the time of analysis, though the protocol-level flaw in a widely used cryptographic library presents significant risk to certificate-based access control mechanisms.
SourceCodester Pharmacy Product Management System 1.0 fails to enforce inventory constraints in the add-sales.php module, allowing attackers to create sales transactions for quantities that exceed available stock levels. This business logic flaw enables overselling scenarios where the system processes orders without validating stock availability, potentially leading to negative inventory records and operational disruption. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS scoring or active exploitation via CISA KEV has been confirmed.
IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow.
Behavioral control bypass in Devolutions Server 2025.3.15 allows authenticated users to exploit delete permissions.
Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo’s social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. [CVSS 7.1 HIGH]
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 4.3 MEDIUM]
A remote code execution vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.