CVE-2024-51966

CVE-2024-51966

Título es
CVE-2024-51966

Lun, 03/03/2025 – 20:15

Tipo
CWE-22

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-51966

Descripción en
There is a path traversal vulnerability in ESRI ArcGIS Server versions 10.9.1 thru 11.3. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.

03/03/2025

03/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
4.90

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias


  • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

    • Enviar en el boletín
    Off

    CVE-2024-51963

    CVE-2024-51963

    Título es
    CVE-2024-51963

    Lun, 03/03/2025 – 20:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-51963

    Descripción en
    There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

    03/03/2025

    03/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

    • Enviar en el boletín
    Off

    CVE-2024-51962

    CVE-2024-51962

    Título es
    CVE-2024-51962

    Lun, 03/03/2025 – 20:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-51962

    Descripción en
    A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges.  There is a high impact to integrity and confidentiality and no impact to availability.

    03/03/2025

    03/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.70

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

    • Enviar en el boletín
    Off

    CVE-2025-1880

    CVE-2025-1880

    Título es
    CVE-2025-1880

    Lun, 03/03/2025 – 20:15

    Tipo
    CWE-287

    Gravedad v2.0
    1.20

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-1880

    Descripción en
    A vulnerability was found in i-Drive i11 and i12 up to 20250227. It has been classified as problematic. Affected is an unknown function of the component Device Pairing. The manipulation leads to authentication bypass by primary weakness. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitability is told to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life.

    03/03/2025

    03/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

    Vector CVSS:2.0
    AV:L/AC:H/Au:N/C:P/I:N/A:N

    Gravedad 4.0
    1.00

    Gravedad 4.0 txt
    LOW

    Gravedad 3.1 (CVSS 3.1 Base Score)
    2.00

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias


  • https://github.com/geo-chen/i-Drive

  • https://vuldb.com/?ctiid_298194=

  • https://vuldb.com/?id_298194=

  • https://vuldb.com/?submit_510951=

    • Enviar en el boletín
    Off

    CVE-2025-1879

    CVE-2025-1879

    Título es
    CVE-2025-1879

    Lun, 03/03/2025 – 20:15

    Tipo
    CWE-259

    Gravedad v2.0
    2.10

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-1879

    Descripción en
    A vulnerability was found in i-Drive i11 and i12 up to 20250227 and classified as problematic. This issue affects some unknown processing of the component APK. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the physical device. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life.

    03/03/2025

    03/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    Vector CVSS:2.0
    AV:L/AC:L/Au:N/C:P/I:N/A:N

    Gravedad 4.0
    2.40

    Gravedad 4.0 txt
    LOW

    Gravedad 3.1 (CVSS 3.1 Base Score)
    2.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias


  • https://github.com/geo-chen/i-Drive

  • https://vuldb.com/?ctiid_298193=

  • https://vuldb.com/?id_298193=

  • https://vuldb.com/?submit_510950=

    • Enviar en el boletín
    Off

    CVE-2025-0289

    CVE-2025-0289

    Título es
    CVE-2025-0289

    Lun, 03/03/2025 – 17:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-0289

    Descripción en
    Paragon Partition Manager version 17, both community and Business versions, contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, which can allows an attacker the ability to compromise the service.

    03/03/2025

    03/03/2025

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://paragon-software.zendesk.com/hc/en-us/articles/32993902732817-IMPORTANT-Paragon-Driver-Security-Patch-for-All-Products-of-Hard-Disk-Manager-Product-Line-Biontdrv-sys

  • https://www.kb.cert.org/vuls/id/726882

    • Enviar en el boletín
    Off

    CVE-2025-25302

    CVE-2025-25302

    Título es
    CVE-2025-25302

    Lun, 03/03/2025 – 17:15

    Tipo
    CWE-346

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-25302

    Descripción en
    Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.

    03/03/2025

    03/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    8.70

    Gravedad 4.0 txt
    HIGH

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L93

  • https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/

    • Enviar en el boletín
    Off

    CVE-2025-25301

    CVE-2025-25301

    Título es
    CVE-2025-25301

    Lun, 03/03/2025 – 17:15

    Tipo
    CWE-918

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-25301

    Descripción en
    Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg server. This issue may lead to Information Disclosure.

    03/03/2025

    03/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    6.90

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/

    • Enviar en el boletín
    Off

    CVE-2025-1876

    CVE-2025-1876

    Título es
    CVE-2025-1876

    Lun, 03/03/2025 – 17:15

    Tipo
    CWE-119

    Gravedad v2.0
    7.50

    Gravedad 2.0 Txt
    HIGH

    Título en

    CVE-2025-1876

    Descripción en
    A vulnerability, which was classified as critical, has been found in D-Link DAP-1562 1.10. Affected by this issue is the function http_request_parse of the component HTTP Header Handler. The manipulation of the argument Authorization leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

    03/03/2025

    03/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

    Vector CVSS:2.0
    AV:N/AC:L/Au:N/C:P/I:P/A:P

    Gravedad 4.0
    6.90

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://vuldb.com/?ctiid_298190=

  • https://vuldb.com/?id_298190=

  • https://vuldb.com/?submit_506106=

  • https://witty-maiasaura-083.notion.site/D-link-DAP-1562-http_request_parse-Vulnerability-1a4b2f2a636180a2a67de271ad5fe6d7

  • https://www.dlink.com/

    • Enviar en el boletín
    Off

    CVE-2025-0678

    CVE-2025-0678

    Título es
    CVE-2025-0678

    Lun, 03/03/2025 – 17:15

    Tipo
    CWE-787

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-0678

    Descripción en
    A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the direct_read() will perform a heap based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution, by-passing secure boot protections.

    03/03/2025

    03/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://access.redhat.com/security/cve/CVE-2025-0678

  • https://bugzilla.redhat.com/show_bug.cgi?id=2346118

    • Enviar en el boletín
    Off