Total
315593 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34502 | 2025-10-24 | N/A | ||
| Deck Mate 2 lacks a verified secure-boot chain and runtime integrity validation for its controller and display modules. Without cryptographic boot verification, an attacker with physical access can modify or replace the bootloader, kernel, or filesystem and gain persistent code execution on reboot. This weakness allows long-term firmware tampering that survives power cycles. The vendor indicates that more recent firmware updates strengthen update-chain integrity and disable physical update ports to mitigate related attack avenues. | ||||
| CVE-2025-34500 | 2025-10-24 | N/A | ||
| Deck Mate 2's firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC for integrity validation. Attackers with access to the update interface - typically via the unit's USB update port - can craft or modify firmware packages to execute arbitrary code as root, allowing persistent compromise of the device's integrity and deck randomization process. Physical or on-premises access remains the most likely attack path, though network-exposed or telemetry-enabled deployments could theoretically allow remote exploitation if misconfigured. The vendor confirmed that firmware updates have been issued to correct these update-chain weaknesses and that USB update access has been disabled on affected units. | ||||
| CVE-2025-12194 | 2025-10-24 | N/A | ||
| Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java. This issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7. | ||||
| CVE-2025-59286 | 1 Microsoft | 3 365, 365 Copilot, 365 Copilot Chat | 2025-10-24 | 6.5 Medium |
| Copilot Spoofing Vulnerability | ||||
| CVE-2025-55321 | 1 Microsoft | 1 Azure Monitor | 2025-10-24 | 9.3 Critical |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Monitor allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-59272 | 1 Microsoft | 3 365, 365 Copilot, 365 Copilot Chat | 2025-10-24 | 6.5 Medium |
| Copilot Spoofing Vulnerability | ||||
| CVE-2025-59271 | 1 Microsoft | 2 Azure Cache For Redis, Azure Managed Redis | 2025-10-24 | 8.7 High |
| Redis Enterprise Elevation of Privilege Vulnerability | ||||
| CVE-2025-59252 | 1 Microsoft | 3 365, 365 Copilot, 365 Word Copilot | 2025-10-24 | 6.5 Medium |
| M365 Copilot Spoofing Vulnerability | ||||
| CVE-2025-59247 | 1 Microsoft | 2 Azure, Azure Playfab | 2025-10-24 | 8.8 High |
| Azure PlayFab Elevation of Privilege Vulnerability | ||||
| CVE-2025-59246 | 1 Microsoft | 1 Entra Id | 2025-10-24 | 9.8 Critical |
| Azure Entra ID Elevation of Privilege Vulnerability | ||||
| CVE-2025-59218 | 1 Microsoft | 1 Entra Id | 2025-10-24 | 9.6 Critical |
| Azure Entra ID Elevation of Privilege Vulnerability | ||||
| CVE-2025-59497 | 2 Linux, Microsoft | 2 Linux, Defender For Endpoint | 2025-10-24 | 7 High |
| Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Linux allows an authorized attacker to deny service locally. | ||||
| CVE-2025-59289 | 1 Microsoft | 13 Windows, Windows 10, Windows 10 21h2 and 10 more | 2025-10-24 | 7 High |
| Double free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59285 | 1 Microsoft | 2 Azure, Azure Monitor | 2025-10-24 | 7 High |
| Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59278 | 1 Microsoft | 10 Windows, Windows 10, Windows 11 and 7 more | 2025-10-24 | 7.8 High |
| Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59275 | 1 Microsoft | 9 Windows, Windows 10, Windows 11 and 6 more | 2025-10-24 | 7.8 High |
| Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59261 | 1 Microsoft | 11 Graphics Component, Windows, Windows 11 and 8 more | 2025-10-24 | 7 High |
| Time-of-check time-of-use (toctou) race condition in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59260 | 1 Microsoft | 7 Server, Windows Server, Windows Server 2016 and 4 more | 2025-10-24 | 5.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Microsoft Failover Cluster Virtual Driver allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-59253 | 1 Microsoft | 20 Windows, Windows 10, Windows 10 1507 and 17 more | 2025-10-24 | 5.5 Medium |
| Improper access control in Microsoft Windows Search Component allows an authorized attacker to deny service locally. | ||||
| CVE-2025-59230 | 1 Microsoft | 21 Remote, Windows, Windows 10 and 18 more | 2025-10-24 | 7.8 High |
| Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. | ||||