CVE-2025-2200

Mon, 17/03/2025 – 10:15

Type
CWE-89

Severity 2.0 (text)
Pending analysis

Description
SQL injection vulnerability in the IcProgreso Innovación y Cualificación plugin. This vulnerability allows an attacker to obtain, update and delete data from the database by injecting an SQL query on the parameters user, id, idGroup, start_date and end_date in the endpoint /report/icprogreso/generar_blocks.php.

17/03/2025

17/03/2025

CVSS 4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
9.30

Severity 4.0 (text)
CRITICAL

Severity 3.1 (text)
Pending analysis

References

  • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins

CVE-2025-2372

Mon, 17/03/2025 – 10:15

Type
CWE-74

Severity v2.0
7.50

Severity 2.0 (text)
HIGH

Description
A vulnerability classified as critical has been found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. This affects an unknown part of the file /password-recovery.php of the component Password Recovery Page. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

17/03/2025

17/03/2025

CVSS 4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0 vector
AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity 4.0
6.90

Severity 4.0 (text)
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
7.30

Severity 3.1 (text)
HIGH

References

  • https://github.com/SECWG/cve/issues/5

  • https://phpgurukul.com/

  • https://vuldb.com/?ctiid_299871=

  • https://vuldb.com/?id_299871=

  • https://vuldb.com/?submit_515389=

CVE-2025-2371

Mon, 17/03/2025 – 10:15

Type
CWE-79

Severity v2.0
4.00

Severity 2.0 (text)
MEDIUM

Description
A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /registered-user-testing.php of the component Registered Mobile Number Search. The manipulation of the argument regmobilenumber leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

17/03/2025

17/03/2025

CVSS 4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CVSS 2.0 vector
AV:N/AC:L/Au:S/C:N/I:P/A:N

Severity 4.0
5.10

Severity 4.0 (text)
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
3.50

Severity 3.1 (text)
LOW

References

  • https://github.com/sorcha-l/cve/blob/main/Human%20Metapneumovirus%20(HMPV)%20%E2%80%93%20Testing%20Management%20System%20%20XSS%20in%20registered-user-testing.php.md

  • https://phpgurukul.com/

  • https://vuldb.com/?ctiid_299870=

  • https://vuldb.com/?id_299870=

  • https://vuldb.com/?submit_515347=

CVE-2025-2201

Mon, 17/03/2025 – 10:15

Type
CWE-863

Severity 2.0 (text)
Pending analysis

Description
Broken access control vulnerability in the IcProgress Innovación y Cualificación plugin. This vulnerability allows an attacker to obtain sensitive information about other users such as public IP addresses, messages with other users and more.

17/03/2025

17/03/2025

CVSS 4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
6.90

Severity 4.0 (text)
MEDIUM

Severity 3.1 (text)
Pending analysis

References

  • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins

CVE-2025-2199

Mon, 17/03/2025 – 10:15

Type
CWE-89

Severity 2.0 (text)
Pending analysis

Description
SQL injection vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain, update and delete data from the database by injecting an SQL query in ‘searchActionsToUpdate’, ‘searchSpecialitiesPending’, ‘searchSpecialitiesLinked’, ‘searchUsersToUpdateProfile’, ‘training_action_data’, ‘showContinuingTrainingCourses’ and ‘showUsersToEdit’ in /local/administration/ajax.php.

17/03/2025

17/03/2025

CVSS 4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
9.30

Severity 4.0 (text)
CRITICAL

Severity 3.1 (text)
Pending analysis

References

  • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins

CVE-2024-12992

Mon, 17/03/2025 – 10:15

Type
CWE-77

Severity 2.0 (text)
Pending analysis

Description
Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE.

This issue affects Pandora FMS from 700 to 777.6.

17/03/2025

17/03/2025

CVSS 4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber

Severity 4.0
8.60

Severity 4.0 (text)
HIGH

Severity 3.1 (text)
Pending analysis

References

  • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/

CVE-2025-2202

Mon, 17/03/2025 – 11:15

Type
CWE-863

Severity 2.0 (text)
Pending analysis

Description
Broken access control vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email.

17/03/2025

17/03/2025

CVSS 4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
6.90

Severity 4.0 (text)
MEDIUM

Severity 3.1 (text)
Pending analysis

References

  • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins

CVE-2025-2374

Mon, 17/03/2025 – 11:15

Type
CWE-74

Severity v2.0
6.50

Severity 2.0 (text)
MEDIUM

Description
A vulnerability, which was classified as critical, has been found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. This issue affects some unknown processing of the file /profile.php. The manipulation of the argument aid/adminname/mobilenumber/email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

17/03/2025

17/03/2025

CVSS 4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0 vector
AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity 4.0
5.30

Severity 4.0 (text)
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
6.30

Severity 3.1 (text)
MEDIUM

References

  • https://github.com/SECWG/cve/issues/7

  • https://phpgurukul.com/

  • https://vuldb.com/?ctiid_299873=

  • https://vuldb.com/?id_299873=

  • https://vuldb.com/?submit_515429=

CVE-2025-2373

Mon, 17/03/2025 – 11:15

Type
CWE-74

Severity v2.0
6.50

Severity 2.0 (text)
MEDIUM

Description
A vulnerability classified as critical was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. This vulnerability affects unknown code of the file /check_availability.php. The manipulation of the argument mobnumber/employeeid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

17/03/2025

17/03/2025

CVSS 4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0 vector
AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity 4.0
5.30

Severity 4.0 (text)
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
6.30

Severity 3.1 (text)
MEDIUM

References

  • https://github.com/SECWG/cve/issues/6

  • https://phpgurukul.com/

  • https://vuldb.com/?ctiid_299872=

  • https://vuldb.com/?id_299872=

  • https://vuldb.com/?submit_515408=

CVE-2025-2395

Mon, 17/03/2025 – 06:15

Type
CWE-565

Severity 2.0 (text)
Pending analysis

Description
The U-Office Force from e-Excellence has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to use a particular API and alter cookies to log in as an administrator.

17/03/2025

17/03/2025

CVSS 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
9.80

Severity 3.1 (text)
CRITICAL

References

  • https://www.twcert.org.tw/en/cp-139-10012-d5bbc-2.html

  • https://www.twcert.org.tw/tw/cp-132-10011-3de72-1.html