Jose Alexis Correa Valencia, Author at AlterPlex

12 Mar 2025

CVE-2025-2002

Título es
CVE-2025-2002

Mié, 12/03/2025 – 16:15

Tipo
CWE-532

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-2002

Descripción en
CWE-532: Insertion of Sensitive Information into Log Files vulnerability exists that could cause the disclosure
of FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an
administrative user and the debug files are exported from the device.

12/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Gravedad 4.0
4.00

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 (CVSS 3.1 Base Score)
6.00

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-070-01&p_enDocType=Security%20and%20Safety%20Notice&p_File_Name=SEVD-2025-070-01.pdf

Enviar en el boletín
Off

12 Mar 2025

CVE-2025-27867

Título es
CVE-2025-27867

Mié, 12/03/2025 – 16:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-27867

Descripción en
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin.

This issue affects Apache Felix HTTP Webconsole Plugin: from Version 1.X through 1.2.0.

Users are recommended to upgrade to version 1.2.2, which fixes the issue.

12/03/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://lists.apache.org/thread/y83f2rvm8bccr5ctgv7mzxd69p6f77dp

Enviar en el boletín
Off

12 Mar 2025

CVE-2024-34398

Título es
CVE-2024-34398

Mié, 12/03/2025 – 17:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-34398

Descripción en
An issue was discovered in BMC Remedy Mid Tier 7.6.04. The web application allows stored HTML Injection by authenticated remote attackers.

12/03/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://www.gruppotim.it/it/footer/red-team.html

Enviar en el boletín
Off

12 Mar 2025

CVE-2025-25774

Título es
CVE-2025-25774

Mié, 12/03/2025 – 17:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-25774

Descripción en
An issue was discovered in Open5GS v2.7.2. When a UE switches between two gNBs and sends a handover request at a specific time, it may cause an exception in the AMF's internal state machine, leading to an AMF crash and resulting in a Denial of Service (DoS).

12/03/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://github.com/guoweifk/BugReport/blob/main/Open5GS%20AMF%20Denial%20of%20Service%20via%20GMM%20State%20Handling%20in%20Handover

https://github.com/open5gs/open5gs/commit/2e68706f1eea029d5172ccad946e78b352c031d0

https://github.com/open5gs/open5gs/issues/3671

Enviar en el boletín
Off

12 Mar 2025

CVE-2025-25683

Título es
CVE-2025-25683

Mié, 12/03/2025 – 17:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-25683

Descripción en
AlekSIS-Core is vulnerable to Incorrect Access Control. Unauthenticated users can access all PDF files. This affects AlekSIS-Core 3.0, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.0 and 3.2.1.

12/03/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://aleksis.org/news/2025/01/security-advisory-cve-2025-25683-pdf-files-accessible-without-authentication/

https://edugit.org/AlekSIS/official/AlekSIS-Core/-/issues/1180

Enviar en el boletín
Off

12 Mar 2025

CVE-2025-27017

Título es
CVE-2025-27017

Mié, 12/03/2025 – 17:15

Tipo
CWE-538

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-27017

Descripción en
Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records.

12/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Green

Gravedad 4.0
6.90

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q

http://www.openwall.com/lists/oss-security/2025/03/11/1

Enviar en el boletín
Off

12 Mar 2025

CVE-2025-21590

Título es
CVE-2025-21590

Mié, 12/03/2025 – 14:15

Tipo
CWE-653

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-21590

Descripción en
An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.

A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.
This issue is not exploitable from the Junos CLI.
This issue affects Junos OS:

* All versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S10,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R1-S2, 24.2R2.

12/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Gravedad 4.0
6.70

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 (CVSS 3.1 Base Score)
4.40

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers

https://supportportal.juniper.net/JSA93446

Enviar en el boletín
Off

12 Mar 2025

CVE-2024-52362

Título es
CVE-2024-52362

Mié, 12/03/2025 – 14:15

Tipo
CWE-1286

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-52362

Descripción en
IBM App Connect Enterprise Certified Container 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, and 12.8 could allow an authenticated user to cause a denial of service in the App Connect flow due to improper validation of server-side input.

12/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Gravedad 3.1 (CVSS 3.1 Base Score)
4.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://www.ibm.com/support/pages/node/7185527

Enviar en el boletín
Off

12 Mar 2025

CVE-2025-27788

Título es
CVE-2025-27788

Mié, 12/03/2025 – 14:15

Tipo
CWE-125

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-27788

Descripción en
JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted document could cause an out of bound read, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable. Version 2.10.2 fixes the problem. No known workarounds are available.

12/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)
7.50

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
HIGH

Referencias

https://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf

https://github.com/ruby/json/releases/tag/v2.10.2

https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44

Enviar en el boletín
Off