CVSS: 9.3 • EPSS: % • CPEs: 1 • EXPL: 1

02 Jul 2025 — A data exfiltration vulnerability exists in Anthropic’s deprecated Slack Model Context Protocol (MCP) Server via automatic link unfurling. When an AI agent using the Slack MCP Server processes untrusted data, it can be manipulated to generate messages containing attacker-crafted hyperlinks embedding sensitive data. Slack’s link preview bots (e.g., Slack-LinkExpanding, Slackbot, Slack-ImgProxy) will then issue outbound requests to the attacker-controlled URL, resulting in zero-click exfi... • https://embracethered.com/blog/posts/2025/security-advisory-anthropic-slack-mcp-server-data-leakage • CWE-20: Improper Input Validation; CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.7 • EPSS: % • CPEs: 1 • EXPL: 2

02 Jul 2025 — An information disclosure vulnerability exists in Ruijie NBR series routers (known to affect NBR2000G, NBR1300G, and NBR1000 models) via the /WEB_VMS/LEVEL15/ endpoint. ... This flaw allows direct disclosure of sensitive user data due to improper authentication checks and insecure backend logic. • https://vulncheck.com/advisories/ruijie-nbr-router-administrative-credential-disclosure • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-306: Missing Authentication for Critical Function

CVSS: 7.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Jul 2025 — This could allow sensitive information disclosure, denial of service, and privilege escalation by tampering with kernel memory. • https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27021 • CWE-266: Incorrect Privilege Assignment

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Jul 2025 — No CWE for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49741 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Jul 2025 — An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization’s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and ... • https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Jul 2025 — A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. ... These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation. • https://specterops.io/blog/2025/06/10/onelogin-many-issues-how-i-pivoted-from-a-trial-tenant-to-compromising-customer-signing-keys • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-668: Exposure of Resource to Wrong Sphere

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Jul 2025 — An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. ... • https://specterops.io/blog/2025/06/10/onelogin-many-issues-how-i-pivoted-from-a-trial-tenant-to-compromising-customer-signing-keys • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-522: Insufficiently Protected Credentials

CVSS: 8.3 • EPSS: 0% • CPEs: 3 • EXPL: 2

01 Jul 2025 — An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks. • https://avtech.com • CWE-295: Improper Certificate Validation

CVSS: 7.5 • EPSS: 0% • CPEs: 3 • EXPL: 2

01 Jul 2025 — An unauthenticated information disclosure vulnerability exists in AVTECH IP cameras, DVRs, and NVRs via Machine.cgi? • https://avtech.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-306: Missing Authentication for Critical Function

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Jul 2025 — An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information disclosure. • https://www.dell.com/support/kbdoc/en-us/000338757/dsa-2025-268-security-update-for-dell-networker-selection-of-less-secure-algorithm-during-negotiation-vulnerability • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')