CVE-2025-1319

Fri, 28/02/2025 – 13:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Description (en)
The Site Mailer – SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

28/02/2025

28/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.40

Severity 3.1 (text)
MEDIUM

References

  • https://plugins.trac.wordpress.org/changeset/3247059/
  • Site Mailer – SMTP Replacement, Email API Deliverability & Email Log
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/c9fe3574-f338-474c-af78-f843501d422c?source=cve

CVE-2025-1300

Fri, 28/02/2025 – 13:15

Type
CWE-601

Severity 2.0 (text)
Pending analysis

Description (en)
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy.

The CodeChecker web server contains an open redirect vulnerability due to missing protections against multiple slashes after the product name in the URL. This results in bypassing the protections against CVE-2021-28861, leading to the same open redirect pathway.

This issue affects CodeChecker: through 6.24.5.

28/02/2025

28/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.10

Severity 3.1 (text)
MEDIUM

References

  • https://github.com/Ericsson/codechecker/security/advisories/GHSA-g839-x3p3-g5fm

CVE-2025-22274

Fri, 28/02/2025 – 13:15

Type
CWE-80

Severity 2.0 (text)
Pending analysis

Description (en)
It is possible to inject HTML code into the page content using the "content" field in the "Application definition" page.

This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.

28/02/2025

28/02/2025

CVSS:4.0 vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
2.00

Severity 4.0 (text)
LOW

Severity 3.1 (text)
Pending analysis

References

  • https://cert.pl/en/posts/2025/02/CVE-2025-22270/
  • https://cert.pl/posts/2025/02/CVE-2025-22270/
  • https://docs.cyberark.com/epm/24.7.1/en/content/resources/_topnav/cc_home.htm

CVE-2025-1413

Fri, 28/02/2025 – 09:15

Type
CWE-266

Severity 2.0 (text)
Pending analysis

Description (en)
DaVinci Resolve on macOS was found to be installed with incorrect file permissions (rwxrwxrwx). This is inconsistent with standard macOS security practices, where applications should have drwxr-xr-x permissions. Incorrect permissions allow for Dylib Hijacking. Guest account, other users and applications can exploit this vulnerability for privilege escalation. This issue affects DaVinci Resolve on macOS in versions before 19.1.3.

28/02/2025

28/02/2025

CVSS:4.0 vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
9.20

Severity 4.0 (text)
CRITICAL

Severity 3.1 (text)
Pending analysis

References

  • https://apps.apple.com/pl/app/davinci-resolve/id571213070?mt=12
  • https://cert.pl/en/posts/2025/02/CVE-2025-1413/
  • https://cert.pl/posts/2025/02/CVE-2025-1413/

CVE-2024-9195

Fri, 28/02/2025 – 09:15

Type
CWE-862

Severity 2.0 (text)
Pending analysis

Description (en)
The WHMPress – WHMCS Client Area plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the update_settings case in the /admin/ajax.php file in all versions up to, and including, 4.3-revision-3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

28/02/2025

28/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
8.80

Severity 3.1 (text)
HIGH

References

  • https://codecanyon.net/item/whmcs-client-area-whmpress-addon/11218646
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/c8af0c5c-3d7b-416d-9d10-6867fcf909a5?source=cve

CVE-2024-9193

Fri, 28/02/2025 – 09:15

Type
CWE-98

Severity 2.0 (text)
Pending analysis

Description (en)
The WHMpress – WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpress_domain_search_ajax_extended_results() function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. Utilizing the /admin/services.php file, this can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

28/02/2025

28/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
9.80

Severity 3.1 (text)
CRITICAL

References

  • https://whmpress.com/docs/change-log/
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/5f3b0e75-d2f0-48b7-ba33-75c4e998030e?source=cve

CVE-2024-9019

Fri, 28/02/2025 – 09:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Description (en)
The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's secupress_check_ban_ips_form shortcode in all versions up to, and including, 2.2.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

28/02/2025

28/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.40

Severity 3.1 (text)
MEDIUM

References

  • https://plugins.trac.wordpress.org/browser/secupress/trunk/free/common.php#L238
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/56e842c8-61ac-4281-8c4a-9cb1f8ecc062?source=cve

CVE-2025-22492

Fri, 28/02/2025 – 09:15

Type
CWE-922

Severity 2.0 (text)
Pending analysis

Description (en)
The connection string is visible to users with access to the FRSCore database on the Foreseer Reporting Software (FRS) VM; this string can be used to gain administrative access to the 4crXref database. This vulnerability has been resolved in the latest version 1.5.100 of FRS.

28/02/2025

28/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Severity 3.1 (CVSS 3.1 Base Score)
6.30

Severity 3.1 (text)
MEDIUM

References

  • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1009.pdf

CVE-2025-22491

Fri, 28/02/2025 – 09:15

Type
CWE-20

Severity 2.0 (text)
Pending analysis

Description (en)
User input was not sanitized on the Reporting Hierarchy Management page of the Foreseer Reporting Software (FRS) application, which could lead to execution of arbitrary JavaScript in a browser context for all interacting users. This security issue has been patched in the latest version 1.5.100 of FRS.

28/02/2025

28/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
6.70

Severity 3.1 (text)
MEDIUM

References

  • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1009.pdf

CVE-2025-1662

Fri, 28/02/2025 – 09:15

Type
CWE-918

Severity 2.0 (text)
Pending analysis

Description (en)
The URL Media Uploader plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.0 via the 'url_media_uploader_url_upload' action. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

28/02/2025

28/02/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.40

Severity 3.1 (text)
MEDIUM

References

  • URL Media Uploader
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/ae8f1852-2d67-4ed9-ab3d-5b3bf4083e06?source=cve