A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

References

https://github.com/sparkle-project/Sparkle/pull/2550

https://security.netapp.com/advisory/ntap-20250124-0008/

https://sparkle-project.org/documentation/security-and-reliability/

A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes.

References

https://github.com/aws/sagemaker-python-sdk/commit/dcdd99f911e8b1a05d19cf1ad939b0fefae47864

https://huntr.com/bounties/eb056818-5b81-466f-81ee-916058d34af2

https://nvd.nist.gov/vuln/detail/CVE-2025-0508

The Ticketmeo – Sell Tickets – Event Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

References

https://plugins.trac.wordpress.org/browser/ploxel/tags/2.2.0/ploxel.php#L49

https://plugins.trac.wordpress.org/changeset/3231203/

https://www.wordfence.com/threat-intel/vulnerabilities/id/149edbdf-4a27-4d79-8dd1-b5b3efbf648b?source=cve

The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the titleTag parameter in all versions up to, and including, 3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

References

https://plugins.trac.wordpress.org/browser/rise-blocks/tags/3.6/classes/blocks/site-identity.php#L375

https://www.wordfence.com/threat-intel/vulnerabilities/id/2ec012e7-b997-466e-8676-8e9467473eae?source=cve

https://nvd.nist.gov/vuln/detail/CVE-2025-0506

On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected.

Affected Software

• 2024.2.0 and 2024.2.1
• 2024.3.0

Affected Platforms

• CloudVision Portal, virtual appliance or physical appliance
• CloudVision CUE, virtual appliance or physical appliance

Mitigation

The ZTP component on CloudVision (on-premise) can be disabled by running the following on any of the nodes of the CloudVision deployment.

cvpi disable ztp
cvpi stop ztp

The following command can be used to verify that the component is stopped:

cvpi status ztp
 
Executing command. This may take some time...
Completed 1/1 discovered actions
primary  components total:1 running:0 disabled:1

Resolution

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. 

• • • 2024.2.2 and later releases in the 2024.2.x train
    • 2024.3.1 and later releases in the 2024.3.x train

References

https://www.arista.com/en/support/advisories-notices/security-advisory/21315-security-advisory-0115

https://nvd.nist.gov/vuln/detail/CVE-2025-0505

Black Duck SCA versions prior to 2025.10.0 had user role permissions configured in an overly broad manner. Users with the scoped Project Manager user role with the Global User Read access permission enabled access to certain Project Administrator functionalities which should have be inaccessible. Exploitation does not grant full system control, but it may enable unauthorized changes to project configurations or access to system sensitive information.

References

https://community.blackduck.com/s/article/Black-Duck-Product-Security-Advisory-CVE-2025-0504

https://nvd.nist.gov/vuln/detail/CVE-2025-0504

Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.

References

https://mattermost.com/security-updates

https://nvd.nist.gov/vuln/detail/CVE-2025-05035

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

References

https://craftercms.com/docs/current/security/advisory.html#cv-2025011501

https://nvd.nist.gov/vuln/detail/CVE-2025-0502

An issue in the native clients for Amazon WorkSpaces (when running PCoIP protocol) may allow an attacker to access remote sessions via man-in-the-middle.

References

https://aws.amazon.com/security/security-bulletins/AWS-2025-001/

https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-android-client.html#android-release-notes

https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-linux-client.html#linux-release-notes

https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-osx-client.html#osx-release-notes

https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-windows-client.html#windows-release-notes

An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle.

References

https://aws.amazon.com/security/security-bulletins/AWS-2025-001/

https://docs.aws.amazon.com/appstream2/latest/developerguide/client-release-versions.html

https://docs.aws.amazon.com/dcv/latest/adminguide/doc-history-release-notes.html#dcv-2023-1-16388jul

https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-linux-client.html#linux-release-notes

https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-osx-client.html#osx-release-notes

https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-windows-client.html#windows-release-notes