CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4600 – HTTP Request Smuggling in Google Cloud Classic Application Load Balancer due to Improper Chunked Encoding Validation
https://notcve.org/view.php?id=CVE-2025-4600
16 May 2025 — A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. This allowed attackers to craft requests that could be misinterpreted by backend servers. The issue was fixed by disallowing stray data after a chunk, and is no longer exploitable. No action is required as Classic Application Load Balancer service after 2025-04-26 is not vulnerable. • https://cloud.google.com/support/bulletins#gcp-2025-027 • CWE-20: Improper Input Validation •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0982 – Sandbox Escape in Google Cloud Application Integration's JavaScript Task (Rhino Engine)
https://notcve.org/view.php?id=CVE-2025-0982
06 Feb 2025 — Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScript code executed by the Rhino engine. Effective January 24, 2025, Application Integration will no longer support Rhino as the JavaScript execution engine. No further fix actions are needed. • https://cloud.google.com/application-integration/docs/release-notes#January_23_2025 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12236 – Use of Custom URI for media inputs with VPC-SC enabled potentially leads to data exfiltration
https://notcve.org/view.php?id=CVE-2024-12236
10 Dec 2024 — A security issue exists in Vertex Gemini API for customers using VPC-SC. By utilizing a custom crafted file URI for image input, data exfiltration is possible due to requests being routed outside the VPC-SC security perimeter, circumventing the intended security restrictions of VPC-SC. No further fix actions are needed. Google Cloud Platform implemented a fix to return an error message when a media file URL is specified in the fileUri parameter and VPC Service Controls is enabled. Other use cases are unaffe... • https://cloud.google.com/vertex-ai/generative-ai/docs/security-bulletins#gcp-2024-063 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9858 – Insecure user permissions in Google Cloud Migrate to Containers for Windows
https://notcve.org/view.php?id=CVE-2024-9858
16 Oct 2024 — There exists an insecure default user permission in Google Cloud Migrate to containers from version 1.1.0 to 1.2.2 Windows installs. A local "m2cuser" was greated with administrator privileges. This posed a security risk if the "analyze" or "generate" commands were interrupted or skipping the action to delete the local user “m2cuser”. We recommend upgrading to 1.2.3 or beyond Existe un permiso de usuario predeterminado inseguro en las instalaciones de Google Cloud Migrate to Containers desde la versión 1.1.... • https://cloud.google.com/migrate/containers/docs/m2c-cli-relnotes#october_8_2024 • CWE-276: Incorrect Default Permissions •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0CVE-2024-5166 – Insecure Direct Object Reference In Looker
https://notcve.org/view.php?id=CVE-2024-5166
22 May 2024 — An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model. Una referencia de objeto directa insegura en Looker de Google Cloud permitió la exposición de metadatos entre usuarios autenticados de Looker que compartían el mismo modelo LookML. • https://cloud.google.com/looker/docs/best-practices/query-id-update-instructions • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32777 – WordPress BizPrint plugin <= 4.3.39 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-32777
22 Apr 2024 — Missing Authorization vulnerability in BizSwoop a CPF Concepts, LLC Brand BizPrint.This issue affects BizPrint: from n/a through 4.3.39. Vulnerabilidad de autorización faltante en BizSwoop de CPF Concepts, LLC Brand BizPrint. Este problema afecta a BizPrint: desde n/a hasta 4.3.39. The BizPrint plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showTemplatePreview() function in versions up to, and including, 4.3.39. This makes it possible for unauthent... • https://patchstack.com/database/vulnerability/print-google-cloud-print-gcp-woocommerce/wordpress-bizprint-plugin-4-3-39-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29773 – WordPress BizPrint plugin <= 4.5.5 - CSRF to XSS vulnerability
https://notcve.org/view.php?id=CVE-2024-29773
25 Mar 2024 — Cross-Site Request Forgery (CSRF) vulnerability in BizSwoop a CPF Concepts, LLC Brand BizPrint allows Cross-Site Scripting (XSS).This issue affects BizPrint: from n/a through 4.5.5. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en BizSwoop a CPF Concepts, LLC Brand BizPrint permite cross-site scripting (XSS). Este problema afecta a BizPrint: desde n/a hasta 4.5.5. The BizPrint plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.5. This is due to missi... • https://patchstack.com/database/vulnerability/print-google-cloud-print-gcp-woocommerce/wordpress-bizprint-plugin-4-5-5-csrf-to-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •