
CVSS: 8.8 • EPSS: 0% • CPEs: 5 • EXPL: 0

29 Apr 2025 — Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10. • https://bugzilla.mozilla.org/show_bug.cgi?id=1937097 • CWE-125: Out-of-bounds Read

CVSS: 9.0 • EPSS: 0% • CPEs: 7 • EXPL: 0

29 Apr 2025 — Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128... • https://bugzilla.mozilla.org/show_bug.cgi?id=1917536 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 4.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 Apr 2025 — A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve. • https://access.redhat.com/security/cve/CVE-2025-3647 • CWE-863: Incorrect Authorization

CVSS: 4.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 Apr 2025 — A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses. • https://access.redhat.com/security/cve/CVE-2025-3645 • CWE-863: Incorrect Authorization

CVSS: 4.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 Apr 2025 — A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify. • https://access.redhat.com/security/cve/CVE-2025-3644 • CWE-863: Incorrect Authorization

CVSS: 5.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 Apr 2025 — A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk. • https://access.redhat.com/security/cve/CVE-2025-3643 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 Apr 2025 — A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled. • https://access.redhat.com/security/cve/CVE-2025-3642 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 Apr 2025 — A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled. • https://access.redhat.com/security/cve/CVE-2025-3641 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Apr 2025 — A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk. • https://access.redhat.com/security/cve/CVE-2025-3638 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.0 • EPSS: 0% • CPEs: 29 • EXPL: 0

15 Apr 2025 — A flaw was found in libsoup, which is vulnerable to a use-after-free memory issue not on the heap in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server. A use-after-free type vulnerability was found in libsoup, in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server. Tan Wei Chong discovered that libsoup incorrec... • https://access.redhat.com/security/cve/CVE-2025-32911 • CWE-590: Free of Memory not on the Heap