CVE-2025-24963

CVE-2025-24963

Título es
CVE-2025-24963

Mar, 04/02/2025 – 20:15

Tipo
CWE-22

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-24963

Descripción en
Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

04/02/2025
04/02/2025
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
5.90

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

  • https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130

  • https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f

  • https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5

  • https://vitest.dev/guide/browser/config.html#browser-api

    • Enviar en el boletín
    Off

    CVE-2025-0960

    CVE-2025-0960

    Título es
    CVE-2025-0960

    Mar, 04/02/2025 – 20:15

    Tipo
    CWE-120

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-0960

    Descripción en
    AutomationDirect C-more EA9 HMI contains a function with bounds checks that can be skipped, which could result in an attacker abusing the function to cause a denial-of-service condition or achieving remote code execution on the affected device.

    04/02/2025
    04/02/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 4.0
    9.30

    Gravedad 4.0 txt
    CRITICAL

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://community.automationdirect.com/s/cybersecurity/security-advisories

  • https://www.cisa.gov/news-events/ics-advisories/icsa-25-035-08

    • Enviar en el boletín
    Off

    CVE-2025-22699

    CVE-2025-22699

    Título es
    CVE-2025-22699

    Mar, 04/02/2025 – 15:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-22699

    Descripción en
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Traveler Code. This issue affects Traveler Code: from n/a through 3.1.0.

    04/02/2025
    04/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.00

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://patchstack.com/database/wordpress/plugin/traveler-code/vulnerability/wordpress-traveler-code-plugin-3-1-0-unauthenticated-arbitrary-sql-execution-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-23645

    CVE-2025-23645

    Título es
    CVE-2025-23645

    Mar, 04/02/2025 – 15:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-23645

    Descripción en
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Optimize Worldwide Find Content IDs allows Reflected XSS. This issue affects Find Content IDs: from n/a through 1.0.

    04/02/2025
    04/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://patchstack.com/database/wordpress/plugin/find-content-ids/vulnerability/wordpress-find-content-ids-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-22794

    CVE-2025-22794

    Título es
    CVE-2025-22794

    Mar, 04/02/2025 – 15:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-22794

    Descripción en
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Landoweb Programador World Cup Predictor allows Reflected XSS. This issue affects World Cup Predictor: from n/a through 1.9.6.

    04/02/2025
    04/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://patchstack.com/database/wordpress/plugin/world-cup-predictor/vulnerability/wordpress-world-cup-predictor-plugin-1-9-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-22730

    CVE-2025-22730

    Título es
    CVE-2025-22730

    Mar, 04/02/2025 – 15:15

    Tipo
    CWE-862

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-22730

    Descripción en
    Missing Authorization vulnerability in Ksher Ksher allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ksher: from n/a through 1.1.2.

    04/02/2025
    04/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://patchstack.com/database/wordpress/plugin/ksher-payment/vulnerability/wordpress-ksher-plugin-1-1-2-broken-access-control-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-22700

    CVE-2025-22700

    Título es
    CVE-2025-22700

    Mar, 04/02/2025 – 15:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-22700

    Descripción en
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Traveler Code. This issue affects Traveler Code: from n/a through 3.1.0.

    04/02/2025
    04/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://patchstack.com/database/wordpress/plugin/traveler-code/vulnerability/wordpress-traveler-code-plugin-3-1-0-subscriber-arbitrary-sql-execution-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-24677

    CVE-2025-24677

    Título es
    CVE-2025-24677

    Mar, 04/02/2025 – 15:15

    Tipo
    CWE-94

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-24677

    Descripción en
    Improper Control of Generation of Code ('Code Injection') vulnerability in WPSpins Post/Page Copying Tool allows Remote Code Inclusion. This issue affects Post/Page Copying Tool: from n/a through 2.0.3.

    04/02/2025
    04/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.90

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://patchstack.com/database/wordpress/plugin/postpage-import-export-with-custom-fields-taxonomies/vulnerability/wordpress-post-page-copying-tool-to-export-and-import-post-page-for-cross-site-migration-plugin-2-0-3-remote-code-execution-rce-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-24648

    CVE-2025-24648

    Título es
    CVE-2025-24648

    Mar, 04/02/2025 – 15:15

    Tipo
    CWE-266

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-24648

    Descripción en
    Incorrect Privilege Assignment vulnerability in wpase.com Admin and Site Enhancements (ASE) allows Privilege Escalation. This issue affects Admin and Site Enhancements (ASE): from n/a through 7.6.2.1.

    04/02/2025
    04/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://patchstack.com/database/wordpress/plugin/admin-site-enhancements/vulnerability/wordpress-admin-and-site-enhancements-ase-plugin-7-6-1-1-privilege-escalation-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-24602

    CVE-2025-24602

    Título es
    CVE-2025-24602

    Mar, 04/02/2025 – 15:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-24602

    Descripción en
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP24 WP24 Domain Check allows Reflected XSS. This issue affects WP24 Domain Check: from n/a through 1.10.14.

    04/02/2025
    04/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://patchstack.com/database/wordpress/plugin/wp24-domain-check/vulnerability/wordpress-wp24-domain-check-plugin-1-10-14-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off