CVE-2025-27155

CVE-2025-27155

Título es
CVE-2025-27155

Mar, 04/03/2025 – 17:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-27155

Descripción en
Pinecone is an experimental overlay routing protocol suite which is the foundation of the current P2P Matrix demos. The Pinecone Simulator (pineconesim) included in Pinecone up to commit ea4c337 is vulnerable to stored cross-site scripting. The payload storage is not permanent and will be wiped when restarting pineconesim.

04/03/2025

04/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias


  • https://github.com/matrix-org/pinecone/commit/218b2801995b174085cb1c8fafe2d3aa661f85bd

  • https://github.com/matrix-org/pinecone/security/advisories/GHSA-fr62-mg2q-7wqv

    • Enviar en el boletín
    Off

    CVE-2025-27150

    CVE-2025-27150

    Título es
    CVE-2025-27150

    Mar, 04/03/2025 – 17:15

    Tipo
    CWE-538

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-27150

    Descripción en
    Tuleap is an Open Source Suite to improve management of software developments and collaboration. The password to connect the Redis instance is not purged from the archive generated with tuleap collect-system-data. These archives are likely to be used by support teams that should not have access to this password. The vulnerability is fixed in Tuleap Community Edition 16.4.99.1740492866 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.

    04/03/2025

    04/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    5.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://github.com/Enalean/tuleap/commit/a6702622a8db969a17522b8fac0774afdb1c916f

  • https://github.com/Enalean/tuleap/security/advisories/GHSA-jc5r-684x-j46q

  • https://tuleap.net/plugins/tracker/?aid=41870

    • Enviar en el boletín
    Off

    CVE-2025-26182

    CVE-2025-26182

    Título es
    CVE-2025-26182

    Mar, 04/03/2025 – 17:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26182

    Descripción en
    An issue in xxyopen novel plus v.4.4.0 and before allows a remote attacker to execute arbitrary code via the PageController.java file

    04/03/2025

    04/03/2025

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://gist.github.com/GSBP0/007355c5f6bd213264ae1c35c347e5cc

    • Enviar en el boletín
    Off

    CVE-2025-26091

    CVE-2025-26091

    Título es
    CVE-2025-26091

    Mar, 04/03/2025 – 17:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26091

    Descripción en
    A Cross Site Scripting (XSS) vulnerability exists in TeamPasswordManager v12.162.284 and before that could allow a remote attacker to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'name' parameter when creating a new password in the "My Passwords" page.

    04/03/2025

    04/03/2025

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://brunocaseiro.github.io/CVE-2025-26091/

    • Enviar en el boletín
    Off

    CVE-2025-27402

    CVE-2025-27402

    Título es
    CVE-2025-27402

    Mar, 04/03/2025 – 17:15

    Tipo
    CWE-352

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-27402

    Descripción en
    Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap is missing CSRF protections on tracker fields administrative operations. An attacker could use this vulnerability to trick victims into removing or updating tracker fields. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740414959 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.

    04/03/2025

    04/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.60

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://github.com/Enalean/tuleap/commit/ea6319e2ad40beeda335af4ccd7a204a6912765c

  • https://github.com/Enalean/tuleap/security/advisories/GHSA-66pg-cpjf-2mfg

  • https://tuleap.net/plugins/tracker/?aid=41857

    • Enviar en el boletín
    Off

    CVE-2025-27401

    CVE-2025-27401

    Título es
    CVE-2025-27401

    Mar, 04/03/2025 – 17:15

    Tipo
    CWE-440

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-27401

    Descripción en
    Tuleap is an Open Source Suite to improve management of software developments and collaboration. In a standard usages of Tuleap, the issue has a limited impact, it will mostly leave dangling data. However, a malicious user could create and delete reports multiple times to cycle through all the filters of all reports of the instance and delete them. The malicious user only needs to have access to one tracker. This would result in the loss of all criteria filters forcing users and tracker admins to re-create them. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740498975 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.

    04/03/2025

    04/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.60

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://github.com/Enalean/tuleap/commit/0070fef5c3b27fd402d3232041c6e03f79a84ffd

  • https://github.com/Enalean/tuleap/security/advisories/GHSA-3rjf-87rf-h8m9

  • https://tuleap.net/plugins/tracker/?aid=41850

    • Enviar en el boletín
    Off

    CVE-2025-27507

    CVE-2025-27507

    Título es
    CVE-2025-27507

    Mar, 04/03/2025 – 17:15

    Tipo
    CWE-639

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-27507

    Descripción en
    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, ,2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8.

    04/03/2025

    04/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.00

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias


  • https://github.com/zitadel/zitadel/commit/d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4

  • https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x

    • Enviar en el boletín
    Off

    CVE-2025-27424

    CVE-2025-27424

    Título es
    CVE-2025-27424

    Mar, 04/03/2025 – 14:15

    Tipo
    CWE-601

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-27424

    Descripción en
    Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page This vulnerability affects Firefox for iOS

    04/03/2025

    04/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://bugzilla.mozilla.org/show_bug.cgi?id=1945392

  • https://www.mozilla.org/security/advisories/mfsa2025-13/

    • Enviar en el boletín
    Off

    CVE-2025-1942

    CVE-2025-1942

    Título es
    CVE-2025-1942

    Mar, 04/03/2025 – 14:15

    Tipo
    CWE-908

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-1942

    Descripción en
    When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string This vulnerability affects Firefox

    04/03/2025

    04/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://bugzilla.mozilla.org/show_bug.cgi?id=1947139

  • https://www.mozilla.org/security/advisories/mfsa2025-14/

    • Enviar en el boletín
    Off

    CVE-2024-50706

    CVE-2024-50706

    Título es
    CVE-2024-50706

    Mar, 04/03/2025 – 15:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-50706

    Descripción en
    Unauthenticated SQL injection vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary SQL queries on the backend database.

    04/03/2025

    04/03/2025

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • CVE Bulletins



  • https://uniguest.com/wp-content/uploads/2025/02/CVE-2024-50706-Vulnerability-Summary.pdf

    • Enviar en el boletín
    Off