CVE-2025-35432

Medium CVSS: 6.9

CISA Thorium does not rate limit requests to send account verification email messages. A remote unauthenticated attacker can send unlimited messages to a user who is pending verification. Fixed in 1.1.1 by adding a rate limit set by default to 10 minutes.

Vendor

Cisa

Product

Thorium

CWE

CWE-400

Yayın Tarihi

2025-09-17 17:15:43

Güncelleme

2025-09-23 15:44:35

Source Identifier

9119a7d8-5eab-497f-8521-727c672e3725

KEV Date Added

Kategoriler

CWE-400 Thorium MEDIUM Cisa 2025

Referanslar

https://github.com/cisagov/thorium/commit/7c94a0b9bc2dc55e0c307360452f348bac06820c#diff-bf9baa11b76cd169902a976bd17a5a6ee95a4098b2d3d150ba7d8f85b7e21dc9R281-R334 https://github.com/cisagov/thorium/releases/tag/1.1.1 https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json https://www.cve.org/CVERecord?id=CVE-2025-35432

Benzer Kayıtlar

Medium

CVE-2025-67634

The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting…

Medium

CVE-2025-35436

CISA Thorium uses '.unwrap()' to handle errors related to account verification email messages. An unauthenticated remote…

Medium

CVE-2025-35430

CISA Thorium does not adequately validate the paths of downloaded files via 'download_ephemeral' and 'download_children'…

Medium

CVE-2025-35431

CISA Thorium does not escape user controlled strings used in LDAP queries. An authenticated remote attacker can modify L…

Low

CVE-2025-35433

CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a…

Low

CVE-2025-35434

CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with acces…