CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24507
https://notcve.org/view.php?id=CVE-2025-24507
30 Jan 2025 — This vulnerability allows appliance compromise at boot time. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24506
https://notcve.org/view.php?id=CVE-2025-24506
30 Jan 2025 — A specific authentication strategy allows to learn ids of PAM users associated with certain authentication types. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-203: Observable Discrepancy •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-24505
https://notcve.org/view.php?id=CVE-2025-24505
30 Jan 2025 — This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by uploading a specially crafted upgrade file. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24504
https://notcve.org/view.php?id=CVE-2025-24504
30 Jan 2025 — An improper input validation the CSRF filter results in unsanitized user input written to the application logs. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24503
https://notcve.org/view.php?id=CVE-2025-24503
30 Jan 2025 — A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-384: Session Fixation •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24502
https://notcve.org/view.php?id=CVE-2025-24502
30 Jan 2025 — An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-384: Session Fixation •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24501
https://notcve.org/view.php?id=CVE-2025-24501
30 Jan 2025 — An improper input validation allows an unauthenticated attacker to alter PAM logs by sending a specially crafted HTTP request. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-20: Improper Input Validation •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24500
https://notcve.org/view.php?id=CVE-2025-24500
30 Jan 2025 — The vulnerability allows an unauthenticated attacker to access information in PAM database. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38499 – Improper Privilege Management Vulnerability in CA Client Automation 14.5
https://notcve.org/view.php?id=CVE-2024-38499
17 Dec 2024 — CA Client Automation (ITCM) allows non-admin/non-root users to encrypt a string using CAF CLI and SD_ACMD CLI. This would allow the non admin user to access the critical encryption keys which further causes the exploitation of stored credentials. This fix doesn't allow a non-admin/non-root user to execute "caf encrypt"/"sd_acmd encrypt" commands. The desktop and server management solution Broadcom CA DSM stores some configuration data of its agent component locally on managed systems in encrypted form. The ... • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25284 • CWE-269: Improper Privilege Management CWE-276: Incorrect Default Permissions •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-10403 – SFTP/FTP password could be captured in plain text in Supportsave generated from SANnav
https://notcve.org/view.php?id=CVE-2024-10403
21 Nov 2024 — Brocade Fabric OS versions before 8.2.3e2, versions 9.0.0 through 9.2.0c, and 9.2.1 through 9.2.1a can capture the SFTP/FTP server password used for a firmware download operation initiated by SANnav or through WebEM in a weblinker core dump that is later captured via supportsave. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25145 • CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere •