Total
3 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-35432 | 1 Cisa | 1 Thorium | 2025-09-23 | N/A | 5.3 MEDIUM |
CISA Thorium does not rate limit requests to send account verification email messages. A remote unauthenticated attacker can send unlimited messages to a user who is pending verification. Fixed in 1.1.1 by adding a rate limit set by default to 10 minutes. | |||||
CVE-2025-35434 | 1 Cisa | 1 Thorium | 2025-09-23 | N/A | 4.2 MEDIUM |
CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2. | |||||
CVE-2025-35433 | 1 Cisa | 1 Thorium | 2025-09-23 | N/A | 5.0 MEDIUM |
CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1. |