Shinycolumn

#7687of 53,622
35.8Total CVSS
Vulnerabilities · 4
High
3
Critical
1
PT-2025-37564
9.8
2025-09-15
Avtech · Avtech Eagleeyes · CVE-2025-46408
**Name of the Vulnerable Software and Affected Versions** AVTECH EagleEyes version 2.0.0 **Description** An issue was discovered in the `GetHttpsResponse` method of `push.lite.avtech.com.AvtechLib` and the `getNewHttpClient` method of `push.lite.avtech.com.Push HttpService`. These methods set `ALLOW ALL HOSTNAME VERIFIER`, bypassing domain validation. **Recommendations** Update AVTECH EagleEyes to a newer version that addresses this issue. As a temporary workaround, consider disabling the use of the `GetHttpsResponse` and `getNewHttpClient` methods until a patch is available.
PT-2025-37565
8.8
2025-09-15
Avtech · Avtech Eagleeyes Lite · CVE-2025-50110
**Name of the Vulnerable Software and Affected Versions** AVTECH EagleEyes Lite version 2.0.0 **Description** The `GetHttpsResponse` method transmits sensitive information – including internal server URLs, account IDs, passwords, and device tokens – as plaintext query parameters over HTTPS. The affected API endpoint is `push.lite.avtech.com.AvtechLib.GetHttpsResponse`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2025-37566
8.8
2025-09-15
Avtech · Avtech Eagleeyes · CVE-2025-50944
**Name of the Vulnerable Software and Affected Versions** AVTECH EagleEyes version 2.0.0 **Description** The custom `X509TrustManager` used in the `checkServerTrusted` function only checks the certificate's expiration date, bypassing proper TLS chain validation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2025-35802
8.4
2025-09-03
Figma · Figma Desktop · CVE-2025-56803
**Name of the Vulnerable Software and Affected Versions** Figma Desktop versions 125.6.5 **Description** Figma Desktop for Windows version 125.6.5 contains a command injection issue in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted `build` field in the plugin's `manifest.json`. This field is passed to `child process.exec` without validation, potentially leading to remote code execution (RCE). **Recommendations** Update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting the use of local plugins until a patch is available.