CVE-2025-27705

Title (es)
CVE-2025-27705

Wed, 19/03/2025 – 20:15

Type
CWE-79

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-27705

Description (en)
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Attackers with system administrator permissions can interfere with another system administrator's use of the management console when the second administrator logs in. Attack complexity is high, attack requirements are present, privileges required are none, user interaction is required. The impact to confidentiality is low, the impact to availability is none, and the impact to system integrity is none.

19/03/2025

19/03/2025

CVSS:4.0 vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
5.50

Severity 4.0 text
MEDIUM

Severity 3.1 text (CVSS 3.1 base score)
Pending analysis

References

  • https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1353/

CVE-2025-30258

Title (es)
CVE-2025-30258

Wed, 19/03/2025 – 20:15

Type
CWE-754

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-30258

Description (en)
In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

19/03/2025

19/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L

Severity 3.1 (CVSS 3.1 base score)
2.70

Severity 3.1 text (CVSS 3.1 base score)
LOW

References

  • https://dev.gnupg.org/T7527

  • https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158

  • https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html

CVE-2024-25132

Title (es)
CVE-2024-25132

Wed, 19/03/2025 – 18:15

Type
CWE-400

Severity 2.0 text
Pending analysis

Title (en)
CVE-2024-25132

Description (en)
A flaw was found in the Hive hibernation controller component of OpenShift Dedicated. The ClusterDeployment.hive.openshift.io/v1 resource can be created with the spec.installed field set to true, regardless of the installation status, and a positive timespan for the spec.hibernateAfter value. If a ClusterSync.hiveinternal.openshift.io/v1alpha1 resource is also created, the hive hibernation controller will enter the reconciliation loop leading to a panic when accessing a non-existing field in the ClusterDeployment's status section, resulting in a denial of service.

19/03/2025

19/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Severity 3.1 (CVSS 3.1 base score)
4.30

Severity 3.1 text (CVSS 3.1 base score)
MEDIUM

References

  • https://access.redhat.com/security/cve/CVE-2024-25132

  • https://bugzilla.redhat.com/show_bug.cgi?id=2260371

CVE-2025-30154

Title (es)
CVE-2025-30154

Wed, 19/03/2025 – 16:15

Type
CWE-506

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-30154

Description (en)
reviewdog/action-setup is a GitHub Action that installs reviewdog. reviewdog/action-setup@v1 was compromised on March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions workflow logs. Other reviewdog actions that use `reviewdog/action-setup@v1`, and were therefore also compromised regardless of their own version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

19/03/2025

19/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Severity 3.1 (CVSS 3.1 base score)
8.60

Severity 3.1 text (CVSS 3.1 base score)
HIGH

References

  • https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887

  • https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec

  • https://github.com/reviewdog/reviewdog/issues/2079

  • https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc

  • https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
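The point in the description that matters operationally is the transitive one: pinning reviewdog/action-shellcheck or the other wrappers to a commit did not help, because each of them resolves `reviewdog/action-setup@v1` by tag at run time. The scanner below is an added example, not reviewdog's code or tooling. It walks a workflow file and reports every `uses:` reference that is not pinned to a full commit SHA, every use of the wrapper actions named in the advisory regardless of pin, and any SHA-pinned use of action-setup itself, which should be compared against the commits listed in the references. The action names come from the advisory; the SHAs in the sample workflow are constructed placeholders, not real commits.

```javascript
// Added example, not reviewdog code: a GitHub Actions workflow scanner for the
// supply-chain shape in CVE-2025-30154. Action names are from the advisory;
// SHAs in the sample are constructed placeholders.
const AFFECTED_WRAPPERS = new Set([
  'reviewdog/action-shellcheck',
  'reviewdog/action-composite-template',
  'reviewdog/action-staticcheck',
  'reviewdog/action-ast-grep',
  'reviewdog/action-typos',
]);
const SETUP = 'reviewdog/action-setup';

// Matches "- uses: owner/repo[/subdir]@ref" (quoted or not); local "./path"
// actions carry no @ref and are ignored.
const USES_RE = /^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"'#]+)/;
const SHA_RE = /^[0-9a-f]{40}$/;

function scanWorkflow(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    const [, action, ref] = m;
    if (action.startsWith('docker://')) return; // image refs are out of scope here
    const repo = action.split('/').slice(0, 2).join('/'); // drop any subdir
    const add = (issue) => findings.push({ line: idx + 1, action, ref, issue });

    // Tags and branches are mutable: a tag can be repointed at malicious code.
    if (!SHA_RE.test(ref)) add('mutable-ref');
    // The wrappers call action-setup@v1 internally, so their own pin is moot.
    if (AFFECTED_WRAPPERS.has(repo)) add('calls-action-setup@v1-internally');
    // A SHA pin on action-setup is only safe if it is not one of the
    // compromised commits; check it against the advisory references.
    if (repo === SETUP && SHA_RE.test(ref)) add('verify-sha-against-advisory');
  });
  return findings;
}

// Constructed sample workflow (placeholder SHAs, not real commits).
const SAMPLE_WORKFLOW = `name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - uses: reviewdog/action-shellcheck@fedcba9876543210fedcba9876543210fedcba98
      - uses: reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
`;

function demo() {
  return scanWorkflow(SAMPLE_WORKFLOW);
}
```

Run it over every `.github/workflows/*.yml` in a repository; in the sample, the `actions/checkout` line is clean, `action-setup@v1` is flagged as a mutable ref, the SHA-pinned `action-shellcheck` is still flagged because of its internal `@v1` dependency, and the SHA-pinned `action-setup` is flagged for manual comparison with the advisory's commits.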

CVE-2025-30153

Title (es)
CVE-2025-30153

Wed, 19/03/2025 – 16:15

Type
CWE-409

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-30153

Description (en)
kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0.

19/03/2025

19/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity 3.1 (CVSS 3.1 base score)
7.50

Severity 3.1 text (CVSS 3.1 base score)
HIGH

References

  • https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275

  • https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523

  • https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1

  • https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9

  • https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse

CVE-2025-30152

Title (es)
CVE-2025-30152

Wed, 19/03/2025 – 16:15

Type
CWE-472

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-30152

Description (en)
The Sylius PayPal Plugin is the Sylius Core Team's plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions 1.6.2, 1.7.2, 2.0.2 and above.

19/03/2025

19/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Severity 3.1 (CVSS 3.1 base score)
6.50

Severity 3.1 text (CVSS 3.1 base score)
MEDIUM

References

  • https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa

  • https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37

CVE-2025-30144

Title (es)
CVE-2025-30144

Wed, 19/03/2025 – 16:15

Type
CWE-290

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-30144

Description (en)
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 5.0.6, the fast-jwt library does not properly validate the iss claim based on the RFC 7519. The iss (issuer) claim validation within the fast-jwt library permits an array of strings as a valid iss value. This design flaw enables a potential attack where a malicious actor crafts a JWT with an iss claim structured as ['https://attacker-domain/', 'https://valid-iss']. Due to the permissive validation, the JWT will be deemed valid. Furthermore, if the application relies on external libraries like get-jwks that do not independently validate the iss claim, the attacker can leverage this vulnerability to forge a JWT that will be accepted by the victim application. Essentially, the attacker can insert their own domain into the iss array, alongside the legitimate issuer, and bypass the intended security checks. This issue is fixed in 5.0.6.

19/03/2025

19/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Severity 3.1 (CVSS 3.1 base score)
6.50

Severity 3.1 text (CVSS 3.1 base score)
MEDIUM

References

  • https://datatracker.ietf.org/doc/html/rfc7519#page-9

  • https://github.com/nearform/fast-jwt/commit/cc26b1d473f900446ad846f8f0b10eb1c0adcbdd

  • https://github.com/nearform/fast-jwt/security/advisories/GHSA-gm45-q3v2-6cf8

CVE-2025-30197

Title (es)
CVE-2025-30197

Wed, 19/03/2025 – 16:15

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-30197

Description (en)
Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.

19/03/2025

19/03/2025

Severity 3.1 text (CVSS 3.1 base score)
Pending analysis

References

  • https://www.jenkins.io/security/advisory/2025-03-19/#SECURITY-3511

CVE-2024-53970

Title (es)
CVE-2024-53970

Wed, 19/03/2025 – 17:15

Type
CWE-79

Severity 2.0 text
Pending analysis

Title (en)
CVE-2024-53970

Description (en)
Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.

19/03/2025

19/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 base score)
5.40

Severity 3.1 text (CVSS 3.1 base score)
MEDIUM

References

  • https://helpx.adobe.com/security/products/experience-manager/apsb24-69.html

CVE-2024-53969

Title (es)
CVE-2024-53969

Wed, 19/03/2025 – 17:15

Type
CWE-79

Severity 2.0 text
Pending analysis

Title (en)
CVE-2024-53969

Description (en)
Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code in the context of the victim's browser session. By manipulating the DOM environment in the victim's browser, a low privileged attacker can inject malicious scripts that are executed by the victim's browser. Exploitation of this issue requires user interaction, typically in the form of following a malicious link.

19/03/2025

19/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 base score)
5.40

Severity 3.1 text (CVSS 3.1 base score)
MEDIUM

References

  • https://helpx.adobe.com/security/products/experience-manager/apsb24-69.html