Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely.

The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

According to RFC 2831, "The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy."

CVE Database V5

Detailed information about CVE-2025-40918: CWE-340 Generation of Predictable Numbers or Identifiers in EHUELS Authen::SASL::Perl::DIGEST_MD5 affecting EHUELS Au

CVE-2025-40918: CWE-340 Generation of Predictable Numbers or Identifiers in EHUELS Authen::SASL::Perl::DIGEST_MD5 - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-40918: CWE-340 Generation of Predictable Numbers or Identifiers in EHUELS Authen::SASL::Perl::DIGEST_MD5

Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP.

Detailed information about CVE-2025-3871: CWE-862 Missing Authorization in Fortra GoAnywhere MFT affecting Fortra GoAnywhere MFT. Get real-time updates, technic

CVE-2025-3871: CWE-862 Missing Authorization in Fortra GoAnywhere MFT - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-3871: CWE-862 Missing Authorization in Fortra GoAnywhere MFT

Authen::DigestMD5 versions 0.01 through 0.02 for Perl generate the cnonce insecurely.

The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

According to RFC 2831, "The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy."

Detailed information about CVE-2025-40919: CWE-340 Generation of Predictable Numbers or Identifiers in SALVA Authen::DigestMD5 affecting SALVA Authen::DigestMD5

CVE-2025-40919: CWE-340 Generation of Predictable Numbers or Identifiers in SALVA Authen::DigestMD5 - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-40919: CWE-340 Generation of Predictable Numbers or Identifiers in SALVA Authen::DigestMD5

Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.

CVE-2025-53892 is a medium-severity DOM-based Cross-Site Scripting (XSS) vulnerability affecting the vue-i18n internationalization plugin for Vue.js, specifically versions from 9.0.0 up to but not including 9.14.5, 10.0.0 up to but not including 10.0.8, and 11.0.0 up to but not including 11.1.0. The vulnerability arises due to improper neutralization of input during web page generation (CWE-79). The plugin offers an option called escapeParameterHtml, which is intended to escape HTML/script injection by sanitizing interpolated parameters in translation strings. However, when this option is enabled and translation strings containing minor HTML are rendered using Vue's v-html directive, certain tag-based payloads such as <img src=x onerror=...> can bypass the escaping mechanism. This leads to execution of malicious scripts in the victim's browser context, enabling DOM-based XSS attacks. The vulnerability does not require authentication and can be triggered by user interaction (e.g., clicking or loading a page with vulnerable content). The CVSS 4.0 score is 5.3 (medium), reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and limited scope impact. Fixed versions include 9.14.5, 10.0.8, and 11.1.0, which properly address the escaping issue. No known exploits are currently reported in the wild.

Detailed information about CVE-2025-53892: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in intlify vue-i18n affe

CVE-2025-53892: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in intlify vue-i18n - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-53892: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in intlify vue-i18n

Net::Dropbear versions through 0.16 for Perl contains a dependency that may be susceptible to an integer overflow.

Net::Dropbear embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328.

Detailed information about CVE-2025-40913: CWE-1395 Dependency on Vulnerable Third-Party Component in ATRODO Net::Dropbear affecting ATRODO Net::Dropbear. Get r

CVE-2025-40913: CWE-1395 Dependency on Vulnerable Third-Party Component in ATRODO Net::Dropbear

CVE-2025-40913: CWE-1395 Dependency on Vulnerable Third-Party Component in ATRODO Net::Dropbear

Description

Technical Details

Related Threats

CVE-2025-40918: CWE-340 Generation of Predictable Numbers or Identifiers in EHUELS Authen::SASL::Perl::DIGEST_MD5

CVE-2025-3871: CWE-862 Missing Authorization in Fortra GoAnywhere MFT

CVE-2025-40919: CWE-340 Generation of Predictable Numbers or Identifiers in SALVA Authen::DigestMD5

CVE-2025-53892: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in intlify vue-i18n

CVE-2025-53840: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Icinga icingadb-web

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility