Jose Alexis Correa Valencia, Author at AlterPlex

13 Mar 2025

CVE-2025-0652

Título es
CVE-2025-0652

Jue, 13/03/2025 – 06:15

Tipo
CWE-863

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-0652

Descripción en
An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only.

13/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
4.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://gitlab.com/gitlab-org/gitlab/-/issues/514532

https://hackerone.com/reports/2947863

Enviar en el boletín
Off

13 Mar 2025

CVE-2025-1487

Título es
CVE-2025-1487

Jue, 13/03/2025 – 06:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-1487

Descripción en
The WoWPth WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

13/03/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://wpscan.com/vulnerability/9c683c2e-4f7f-4862-b844-6bdc3d1885dd/

Enviar en el boletín
Off

13 Mar 2025

CVE-2025-1486

Título es
CVE-2025-1486

Jue, 13/03/2025 – 06:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-1486

13/03/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://wpscan.com/vulnerability/182ecda8-3385-4f9f-a917-efdeb237247c/

Enviar en el boletín
Off

13 Mar 2025

CVE-2025-1436

Título es
CVE-2025-1436

Jue, 13/03/2025 – 06:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-1436

Descripción en
The Limit Bio WordPress plugin through 1.0 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

13/03/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://wpscan.com/vulnerability/849ed0a0-be17-43cf-a3a1-ad54dfb33d57/

Enviar en el boletín
Off

13 Mar 2025

CVE-2025-1119

Título es
CVE-2025-1119

Jue, 13/03/2025 – 07:15

Tipo
CWE-94

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-1119

Descripción en
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

13/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Gravedad 3.1 (CVSS 3.1 Base Score)
7.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
HIGH

Referencias

https://plugins.trac.wordpress.org/changeset/3250719/simply-schedule-appointments/trunk/booking-app-new/page-appointment-edit.php

https://www.wordfence.com/threat-intel/vulnerabilities/id/1be557db-daa8-4d86-819a-462f29da884b?source=cve

Enviar en el boletín
Off

13 Mar 2025

CVE-2025-2271

Título es
CVE-2025-2271

Jue, 13/03/2025 – 07:15

Tipo
CWE-639

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-2271

Descripción en
A vulnerability exists in Issuetrak v17.2.2 and prior that allows a low-privileged user to access audit results of other users by exploiting an Insecure Direct Object Reference (IDOR) vulnerability in the Issuetrak audit component. The vulnerability enables unauthorized access to sensitive information, including user details, network and hardware information, installed programs, running processes, drives, and printers. Due to improper access controls, an attacker can retrieve audit data belonging to other users, potentially leading to unauthorized data exposure, privacy violations, and security risks.

13/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
7.70

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
HIGH

Referencias

https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes

Enviar en el boletín
Off

13 Mar 2025

CVE-2025-1785

Título es
CVE-2025-1785

Jue, 13/03/2025 – 08:15

Tipo
CWE-22

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-1785

Descripción en
The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally intended directory, which may cause a denial of service.

13/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Gravedad 3.1 (CVSS 3.1 Base Score)
5.40

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3252990%40download-manager&new=3252990%40download-manager#file4

https://www.wordfence.com/threat-intel/vulnerabilities/id/bc5c7974-4c10-4880-8823-2accee3c0da4?source=cve

Enviar en el boletín
Off

13 Mar 2025

CVE-2020-36843

Título es
CVE-2020-36843

Jue, 13/03/2025 – 06:15

Tipo
CWE-347

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2020-36843

Descripción en
The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to create new valid signatures different from previous signatures for a known message.

13/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
4.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://eprint.iacr.org/2020/1244

https://github.com/str4d/ed25519-java/issues/82#issue-727629226

Enviar en el boletín
Off

13 Mar 2025

CVE-2024-7296

Título es
CVE-2024-7296

Jue, 13/03/2025 – 06:15

Tipo
CWE-863

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-7296

Descripción en
An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.

13/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
2.70

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
LOW

Referencias

https://gitlab.com/gitlab-org/gitlab/-/issues/475056

https://hackerone.com/reports/2602274

Enviar en el boletín
Off

13 Mar 2025

CVE-2024-13891

Título es
CVE-2024-13891

Jue, 13/03/2025 – 06:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-13891

Descripción en
The Schedule WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

13/03/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://wpscan.com/vulnerability/58c8b73c-3a29-4a66-9b2e-f24b5c2769ac/

Enviar en el boletín
Off

Autor: Jose Alexis Correa Valencia