Critical Erlang/OTP SSH Vulnerability Allows Unauthenticated Remote Code Execution

2025-04-17

A critical vulnerability (CVE-2025-32433) has been discovered in the Erlang/OTP SSH server, allowing unauthenticated remote code execution (RCE). Versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20 are affected. Attackers can exploit a flaw in SSH protocol message handling to gain unauthorized access and execute arbitrary commands without credentials. Patches are available; update to OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 or later.


Critical Microsoft Partner Center Privilege Escalation Vulnerability (CVE-2024-49035)

2025-03-05

A critical vulnerability, CVE-2024-49035, has been discovered in Microsoft's Partner Center, allowing unauthenticated attackers to elevate privileges on a network. This improper access control vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog. Microsoft advises users to apply mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use by March 18, 2025.
