CVE-2025-0353

CVE-2025-0353

Título es
CVE-2025-0353

Mié, 29/01/2025 – 12:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-0353

Descripción en
The Divi Torque Lite – Best Divi Addon, Extensions, Modules & Social Modules plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

29/01/2025
29/01/2025
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.40

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/FlipBox/FlipBox.php#L1053

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/GradientHeading/GradientHeading.php#L344

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/ImageCarouselChild/ImageCarouselChild.php#L507

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/InfoBox/InfoBox.php#L852

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/InfoCard/InfoCard.php#L688

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/InlineNotice/InlineNotice.php#L486

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/LogoCarouselChild/LogoCarouselChild.php#L177

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/LogoGridChild/LogoGridChild.php#L193

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/Review/Review.php#L703

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/ScrollImage/ScrollImage.php#L388

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/Testimonial/Testimonial.php#L1147

  • https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/VideoModal/VideoModal.php#L593

  • https://plugins.trac.wordpress.org/changeset/3230743/

  • Divi Torque Lite



  • https://www.wordfence.com/threat-intel/vulnerabilities/id/d5810757-1866-4788-809f-2c68e16a5156?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-57439

    CVE-2024-57439

    Título es
    CVE-2024-57439

    Mié, 29/01/2025 – 15:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-57439

    Descripción en
    An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account.

    29/01/2025
    29/01/2025
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://gitee.com/y_project/RuoYi

  • https://github.com/peccc/restful_vul/blob/main/ruoyi_dos/ruoyi_dos.md

  • https://github.com/yangzongzhuan/RuoYi

  • https://ruoyi.vip/

    • Enviar en el boletín
    Off

    CVE-2024-57438

    CVE-2024-57438

    Título es
    CVE-2024-57438

    Mié, 29/01/2025 – 15:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-57438

    Descripción en
    Insecure permissions in RuoYi v4.8.0 allows authenticated attackers to escalate privileges by assigning themselves higher level roles.

    29/01/2025
    29/01/2025
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://gitee.com/y_project/RuoYi

  • https://github.com/peccc/restful_vul/blob/main/ruoyi_insecure_role_assignments/ruoyi_insecure_role_assignments.md

  • https://github.com/yangzongzhuan/RuoYi

  • https://ruoyi.vip/

    • Enviar en el boletín
    Off

    CVE-2024-57437

    CVE-2024-57437

    Título es
    CVE-2024-57437

    Mié, 29/01/2025 – 15:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-57437

    Descripción en
    RuoYi v4.8.0 was discovered to contain a SQL injection vulnerability via the orderby parameter at /monitor/online/list.

    29/01/2025
    29/01/2025
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://gitee.com/y_project/RuoYi

  • https://github.com/peccc/restful_vul/blob/main/ruoyi_sqli_orderby/ruoyi_sqli_orderby.md

  • https://github.com/yangzongzhuan/RuoYi

  • https://ruoyi.vip/

    • Enviar en el boletín
    Off

    CVE-2024-57436

    CVE-2024-57436

    Título es
    CVE-2024-57436

    Mié, 29/01/2025 – 15:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-57436

    Descripción en
    RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.

    29/01/2025
    29/01/2025
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/peccc/restful_vul/blob/main/ruoyi_elevation_of_privileges/ruoyi_elevation_of_privileges.md

  • https://github.com/yangzongzhuan/RuoYi

  • https://ruoyi.vip/

    • Enviar en el boletín
    Off

    CVE-2024-57965

    CVE-2024-57965

    Título es
    CVE-2024-57965

    Mié, 29/01/2025 – 09:15

    Tipo
    CWE-346

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-57965

    Descripción en
    In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.

    29/01/2025
    29/01/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    0.00

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    NONE

    Referencias

  • https://github.com/axios/axios/commit/0a8d6e19da5b9899a2abafaaa06a75ee548597db

  • https://github.com/axios/axios/issues/6351

  • https://github.com/axios/axios/pull/6714

  • https://github.com/axios/axios/releases/tag/v1.7.8

    • Enviar en el boletín
    Off

    CVE-2021-3978

    CVE-2021-3978

    Título es
    CVE-2021-3978

    Mié, 29/01/2025 – 10:15

    Tipo
    CWE-269

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2021-3978

    Descripción en
    When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation.

    29/01/2025
    29/01/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85

    • Enviar en el boletín
    Off

    CVE-2025-0762

    CVE-2025-0762

    Título es
    CVE-2025-0762

    Mié, 29/01/2025 – 11:15

    Tipo
    CWE-416

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-0762

    Descripción en
    Use after free in DevTools in Google Chrome prior to 132.0.6834.159 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)

    29/01/2025
    29/01/2025
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_28.html

  • https://issues.chromium.org/issues/384844003

    • Enviar en el boletín
    Off

    CVE-2025-0617

    CVE-2025-0617

    Título es
    CVE-2025-0617

    Mié, 29/01/2025 – 11:15

    Tipo
    CWE-776

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-0617

    Descripción en
    An attacker with access to an HX 10.0.0 and previous versions, may send specially-crafted data to the HX console. The malicious detection would then trigger file parsing containing exponential entity expansions in the consumer process thus causing a Denial of Service.

    29/01/2025
    29/01/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    5.90

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://thrive.trellix.com/s/article/000014214

    • Enviar en el boletín
    Off

    CVE-2024-7695

    CVE-2024-7695

    Título es
    CVE-2024-7695

    Mié, 29/01/2025 – 08:15

    Tipo
    CWE-787

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-7695

    Descripción en
    Multiple switches are affected by an out-of-bounds write vulnerability. This vulnerability is caused by insufficient input validation, which allows data to be written to memory outside the bounds of the buffer. Successful exploitation of this vulnerability could result in a denial-of-service attack.

    This vulnerability poses a significant remote threat if the affected products are exposed to publicly accessible networks. Attackers could potentially disrupt operations by shutting down the affected systems. Due to the critical nature of this security risk, we strongly recommend taking immediate action to prevent its potential exploitation.

    29/01/2025
    29/01/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Gravedad 4.0
    8.70

    Gravedad 4.0 txt
    HIGH

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-240162-cve-2024-7695-out-of-bounds-write-vulnerability-identified-in-multiple-pt-switches

    • Enviar en el boletín
    Off