Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desktop and Server edition versions up to and including 25.7.18.2519. This vulnerability allows an unauthenticated attacker to bypass network isolation and access restrictions, potentially enabling access to internal services, cloud metadata endpoints, and exfiltration of sensitive data from isolated network segments. This vulnerability is fixed in version 25.7.21.2525.

CVE Database V5

Detailed information about CVE-2025-54122: CWE-918: Server-Side Request Forgery (SSRF) in Manager-io Manager affecting Manager-io Manager. Get real-time updates

CVE-2025-54122: CWE-918: Server-Side Request Forgery (SSRF) in Manager-io Manager - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-54122: CWE-918: Server-Side Request Forgery (SSRF) in Manager-io Manager

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAX CMS uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks. If a user were to deploy haxcms-nodejs without modifying the default settings, ‘HAXCMS_DISABLE_JWT_CHECKS‘ would be set to ‘true‘ and their deployment would lack session authentication. This is fixed in version 11.0.7.

Detailed information about CVE-2025-54127: CWE-1188: Insecure Default Initialization of Resource in haxtheweb issues affecting haxtheweb issues. Get real-time u

CVE-2025-54127: CWE-1188: Insecure Default Initialization of Resource in haxtheweb issues - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-54127: CWE-1188: Insecure Default Initialization of Resource in haxtheweb issues

The web application allows user input to pass unfiltered to a command executed on the underlying operating system. An attacker with high privileged access (administrator) to the application has the potential execute commands on the operating system under the context of the webserver.

The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. Has the potential to inject command while creating a new User from User Management.

CVE-2025-24938 is a command injection vulnerability identified in Nokia WaveSuite NOC, specifically affecting versions WS-NOC 24.6, 23.6, and 23.12. The vulnerability arises because the web application improperly filters user input before passing it to an operating system command. This flaw exists in the user management functionality, particularly when creating a new user. An attacker with high privileged access (administrator level) to the application can exploit this vulnerability to execute arbitrary commands on the underlying operating system with the privileges of the webserver process. The vulnerability is bound to the network stack, meaning that the attack surface extends potentially to the entire Internet, increasing the risk of remote exploitation. However, exploitation requires the attacker to already have administrative access to the WaveSuite NOC application, which limits the initial attack vector to insiders or attackers who have compromised admin credentials. No known public exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability could allow an attacker to escalate privileges, manipulate system files, disrupt services, or pivot within the network, depending on the webserver's operating system permissions and network architecture.

Detailed information about CVE-2025-24938: Vulnerability in Nokia WaveSuite NOC affecting Nokia WaveSuite NOC. Get real-time updates, technical details, and mit

CVE-2025-24938: Vulnerability in Nokia WaveSuite NOC - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-24938: Vulnerability in Nokia WaveSuite NOC

File contents could be read from the local file system by an attacker. Additionally, malicious code could be inserted in the file, leading to a full compromise of the web application and the container it is running on.

The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. The web application allows arbitrary files to be included in a file that was downloadable and executable by the web server.

CVE-2025-24937 is a critical vulnerability identified in Nokia's WaveSuite NOC product versions 23.6, 23.12, and 24.6. The vulnerability allows an attacker to read arbitrary files from the local file system of the server hosting the WaveSuite NOC web application. More severely, it permits the insertion of malicious code into files that are subsequently downloaded and executed by the web server. This leads to a full compromise of the web application and the container environment in which it operates. The vulnerability stems from the web application's capability to include arbitrary files into a downloadable and executable file without proper validation or sanitization. Since the vulnerable component is bound to the network stack and accessible over the Internet, the attack surface extends to any remote attacker with network access, potentially including the entire Internet. Exploitation does not require authentication or user interaction, increasing the risk. The lack of a CVSS score indicates this is a newly published vulnerability (as of July 2025) with no known exploits in the wild yet, but the technical details suggest a high risk of exploitation and impact. The vulnerability could lead to unauthorized disclosure of sensitive information, unauthorized code execution, and complete takeover of the affected containerized environment, severely impacting confidentiality, integrity, and availability of the system.

Detailed information about CVE-2025-24937: Vulnerability in Nokia WaveSuite NOC affecting Nokia WaveSuite NOC. Get real-time updates, technical details, and mit

CVE-2025-24937: Vulnerability in Nokia WaveSuite NOC - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-24937: Vulnerability in Nokia WaveSuite NOC

A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0. It has been classified as critical. Affected is the function addGoods of the file GoodsController.java. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely.

Detailed information about CVE-2025-7939: Unrestricted Upload in jerryshensjf JPACookieShop 蛋糕商城JPA版 affecting jerryshensjf JPACookieShop 蛋糕商城JPA版. Get real-tim

CVE-2025-7939: Unrestricted Upload in jerryshensjf JPACookieShop 蛋糕商城JPA版

CVE-2025-7939: Unrestricted Upload in jerryshensjf JPACookieShop 蛋糕商城JPA版

Description

Technical Details

Related Threats

CVE-2025-54122: CWE-918: Server-Side Request Forgery (SSRF) in Manager-io Manager

CVE-2025-54127: CWE-1188: Insecure Default Initialization of Resource in haxtheweb issues

CVE-2025-24938: Vulnerability in Nokia WaveSuite NOC

CVE-2025-24937: Vulnerability in Nokia WaveSuite NOC

CVE-2025-53832: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in translated lara-mcp

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility