Vulnerability Summary for the Week of September 15, 2025

High Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source Info	Patch Info
Logo Software–Diva	Authorization Bypass Through User-Controlled SQL Primary Key, CWE – 89 – Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Logo Software Diva allows SQL Injection, CAPEC – 7 – Blind SQL Injection.This issue affects Diva: through 4.56.00.00.	2025-09-18	10	CVE-2024-13151	https://www.usom.gov.tr/bildirim/tr-25-0273
Fortra–GoAnywhere MFT	A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.	2025-09-18	10	CVE-2025-10035	https://www.fortra.com/security/advisories/product-security/fi-2025-012
Spring–Cloud Gateway	Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * Spring Boot actuator is a dependency. * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway. * The actuator endpoints are available to attackers. […] Content was cut in order to protect the source.Please visit the source for the rest of the article. This article has been indexed from Bulletins Read the original article: Vulnerability Summary for the Week of September 15, 2025 Share this: Facebook X LinkedIn Related Tags: Bulletins EN Post navigation ← MalTerminal Malware Turns GPT-4 Into a Ransomware Factory Analysis Surfaces High Degree to Which Malware Evades Detection → Search for: Pages Advertising Contact Legal and Contact information Opt-out preferences Privacy Policy Social Media Apps Telegram Channel Recent Posts Microsoft DCU’s Takedown of RaccoonO365 September 23, 2025 How to accelerate security finding reviews using automated business context validation in AWS Security Hub September 23, 2025 Jeep and Dodge Parent Company Stellantis Confirms Customer Data Breach September 23, 2025 KuppingerCole 2025: Why Thales is a Market Leader in API Security September 23, 2025 8 best practices for securing RESTful APIs September 23, 2025 SonicWall Releases Advisory for Customers after Security Incident September 23, 2025 European Airport Disruptions Caused by Ransomware: EU Cyber Office September 22, 2025 Analysis Surfaces High Degree to Which Malware Evades Detection September 22, 2025 Vulnerability Summary for the Week of September 15, 2025 September 22, 2025 MalTerminal Malware Turns GPT-4 Into a Ransomware Factory September 22, 2025 Closing the Visibility Gap: Corporate Exposure Analytics in the Infostealer Era September 22, 2025 FBI Warns of Spoofed IC3 Websites Harvesting Victim Data September 22, 2025 Threat Actors Leverage Oracle Database Scheduler to Gain Access to Corporate Environments September 22, 2025 BlockBlasters Steam Game Downloads Malware to Computer Disguised as Patch September 22, 2025 Innovator Spotlight: Wallarm September 22, 2025 How to Build Secure Knowledge Base Integrations for AI Agents September 22, 2025 Automaker giant Stellantis says customers’ personal data stolen during breach September 22, 2025 Cops cuff another teen over alleged Scattered Spider attack that broke Vegas casinos September 22, 2025 Ransomware Attack Disrupts Air Traffic Across Europe September 22, 2025 Stellantis probes data breach linked to third-party provider September 22, 2025 Copyright © 2025 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com. Manage Consent To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions. Functional Functional Always active The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. Preferences Preferences The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user. Statistics Statistics The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you. Marketing Marketing The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes. Manage options Manage services Manage {vendor_count} vendors Read more about these purposes View preferences {title} {title} {title}

Primary
Vendor — Product

Description

Published

CVSS Score

Source Info

Patch Info

Logo Software–Diva

Authorization Bypass Through User-Controlled SQL Primary Key, CWE – 89 – Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Logo Software Diva allows SQL Injection, CAPEC – 7 – Blind SQL Injection.This issue affects Diva: through 4.56.00.00.

2025-09-18

CVE-2024-13151

https://www.usom.gov.tr/bildirim/tr-25-0273

Fortra–GoAnywhere MFT

A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

2025-09-18

CVE-2025-10035

https://www.fortra.com/security/advisories/product-security/fi-2025-012

Spring–Cloud Gateway

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * Spring Boot actuator is a dependency. * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway. * The actuator endpoints are available to attackers.

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Bulletins

Read the original article:

Vulnerability Summary for the Week of September 15, 2025

← MalTerminal Malware Turns GPT-4 Into a Ransomware Factory

Analysis Surfaces High Degree to Which Malware Evades Detection →

High Vulnerabilities

Read the original article:

Share this:

Related

Post navigation