CVE-2025-43918

MEDIUM Year: 2025
CVSS v3 Score
6.4
Medium
Weakness Type
CWE-348
View all →

Vulnerability Description

SSL.com before 2025-04-19, when domain validation method 3.2.2.4.14 is used, processes certificate requests such that a trusted TLS certificate may be issued for the domain name of a requester's email address, even when the requester does not otherwise establish administrative control of that domain.

Related Vulnerabilities

CVE-2022-4532

MEDIUM
CVSS:6.5(Medium)

The LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1. This is due to insufficient restrictions on where the IP Addr...

CWE-3482022

CVE-2025-1245

MEDIUM
CVSS:6.5(Medium)

Bypass Connection Restriction vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component), Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view componen...

CWE-3482025

CVE-2024-54840

MEDIUM
CVSS:6.1(Medium)

PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection.

CWE-3482024

CVE-2021-21373

MEDIUM
CVSS:5.9(Medium)

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In cas...

CWE-3482021

CVE-2025-47424

HIGH
CVSS:7.1(High)

Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host header can be manipulated.

CWE-3482025

CVE-2022-2255

HIGH
CVSS:7.5(High)

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application ...

CWE-3482022