CVE-2025-24843

CVE-2025-24843

Título es
CVE-2025-24843

Vie, 28/02/2025 – 17:15

Tipo
CWE-921

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-24843

Descripción en
Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data.

28/02/2025

28/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Gravedad 4.0
5.10

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 (CVSS 3.1 Base Score)
5.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias


  • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01

  • https://www.dariohealth.com/contact/

    • Enviar en el boletín
    Off

    CVE-2025-1746

    CVE-2025-1746

    Título es
    CVE-2025-1746

    Vie, 28/02/2025 – 14:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-1746

    Descripción en
    Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

    28/02/2025

    28/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart

    • Enviar en el boletín
    Off

    CVE-2025-1776

    CVE-2025-1776

    Título es
    CVE-2025-1776

    Vie, 28/02/2025 – 14:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-1776

    Descripción en
    Cross-Site Scripting (XSS) vulnerability in Soteshop, versions prior to 8.3.4, which could allow remote attackers to execute arbitrary code via the ‘query’ parameter in /app-google-custom-search/searchResults. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

    28/02/2025

    28/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-vulnerability-soteshop

    • Enviar en el boletín
    Off

    CVE-2025-1749

    CVE-2025-1749

    Título es
    CVE-2025-1749

    Vie, 28/02/2025 – 14:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-1749

    Descripción es
    Vulnerabilidades de inyección HTML en versiones de OpenCart antes de 4.1.0. Estas vulnerabilidades podrían permitir a un atacante modificar el HTML del navegador de la víctima enviando una URL maliciosa y modificando el nombre del parámetro en /account/voucher.

    Descripción en
    HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/voucher.

    28/02/2025

    28/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.70

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart

    • Enviar en el boletín
    Off

    CVE-2025-1748

    CVE-2025-1748

    Título es
    CVE-2025-1748

    Vie, 28/02/2025 – 14:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-1748

    Descripción en
    HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/register.

    28/02/2025

    28/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.70

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart

    • Enviar en el boletín
    Off

    CVE-2025-1747

    CVE-2025-1747

    Título es
    CVE-2025-1747

    Vie, 28/02/2025 – 14:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-1747

    Descripción en
    HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/login.

    28/02/2025

    28/02/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.70

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart

    • Enviar en el boletín
    Off

    CVE-2025-22273

    CVE-2025-22273

    Título es
    CVE-2025-22273

    Vie, 28/02/2025 – 13:15

    Tipo
    CWE-770

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-22273

    Descripción en
    Application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the "/EPMUI/VfManager.asmx/ChangePassword" endpoint it is possible to perform a brute force attack on the current password in use.

    This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.

    28/02/2025

    28/02/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    9.30

    Gravedad 4.0 txt
    CRITICAL

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://cert.pl/en/posts/2025/02/CVE-2025-22270/

  • https://cert.pl/posts/2025/02/CVE-2025-22270/

  • https://docs.cyberark.com/epm/24.7.1/en/content/resources/_topnav/cc_home.htm

    • Enviar en el boletín
    Off

    CVE-2025-22272

    CVE-2025-22272

    Título es
    CVE-2025-22272

    Vie, 28/02/2025 – 13:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-22272

    Descripción en
    In the "/EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg" endpoint, it is possible to inject code in the "modalDlgMsgInternal" parameter via POST, which is then executed in the browser. The risk of exploiting vulnerability is reduced due to the required additional bypassing the Content-Security-Policy policy

    This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.

    28/02/2025

    28/02/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    2.10

    Gravedad 4.0 txt
    LOW

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://cert.pl/en/posts/2025/02/CVE-2025-22270/

  • https://cert.pl/posts/2025/02/CVE-2025-22270/

  • https://docs.cyberark.com/epm/24.7.1/en/content/resources/_topnav/cc_home.htm

    • Enviar en el boletín
    Off

    CVE-2025-22271

    CVE-2025-22271

    Título es
    CVE-2025-22271

    Vie, 28/02/2025 – 13:15

    Tipo
    CWE-290

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-22271

    Descripción en
    The application or its infrastructure allows for IP address spoofing by providing its own value in the "X-Forwarded-For" header. Thus, the action logging mechanism in the application loses accountability

    This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.

    28/02/2025

    28/02/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    6.90

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://cert.pl/en/posts/2025/02/CVE-2025-22270/

  • https://cert.pl/posts/2025/02/CVE-2025-22270/

  • https://docs.cyberark.com/epm/24.7.1/en/content/resources/_topnav/cc_home.htm

    • Enviar en el boletín
    Off

    CVE-2025-22270

    CVE-2025-22270

    Título es
    CVE-2025-22270

    Vie, 28/02/2025 – 13:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-22270

    Descripción en
    An attacker with access to the Administration panel, specifically the "Role Management"
    tab, can
    inject code by adding a new role in the "name" field. It should be noted, however, that the risk of exploiting vulnerability is reduced due to the
    required additional error that allows bypassing the Content-Security-Policy policy, which
    mitigates JS code execution while still allowing HTML injection.

    This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.

    28/02/2025

    28/02/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    7.30

    Gravedad 4.0 txt
    HIGH

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://cert.pl/en/posts/2025/02/CVE-2025-22270/

  • https://cert.pl/posts/2025/02/CVE-2025-22270/

  • https://docs.cyberark.com/epm/24.7.1/en/content/resources/_topnav/cc_home.htm

    • Enviar en el boletín
    Off