CVE-2025-2208

CVE-2025-2208

Título es
CVE-2025-2208

Mar, 11/03/2025 – 21:15

Tipo
CWE-79

Gravedad v2.0
3.30

Gravedad 2.0 Txt
LOW

Título en

CVE-2025-2208

Descripción en
A vulnerability, which was classified as problematic, has been found in aitangbao springboot-manager 3.0. This issue affects some unknown processing of the file /sysFiles/upload of the component Filename Handler. The manipulation of the argument name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

11/03/2025

11/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Vector CVSS:2.0
AV:N/AC:L/Au:M/C:N/I:P/A:N

Gravedad 4.0
4.80

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 (CVSS 3.1 Base Score)
2.40

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
LOW

Referencias


  • https://github.com/uglory-gll/javasec/blob/main/spring-manage.md

  • https://vuldb.com/?ctiid_299279=

  • https://vuldb.com/?id_299279=

  • https://vuldb.com/?submit_511738=

  • https://github.com/uglory-gll/javasec/blob/main/spring-manage.md

    • Enviar en el boletín
    Off

    CVE-2025-1707

    CVE-2025-1707

    Título es
    CVE-2025-1707

    Mar, 11/03/2025 – 22:15

    Tipo
    CWE-98

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-1707

    Descripción en
    The Review Schema plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.4 via post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

    11/03/2025

    11/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://plugins.trac.wordpress.org/browser/review-schema/tags/2.2.4/app/Shortcodes/ReviewSchema.php#L108

  • https://plugins.trac.wordpress.org/changeset/3253799/review-schema

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/9b4de243-d337-4f29-a766-bcafb3848d1c?source=cve

    • Enviar en el boletín
    Off

    CVE-2025-2210

    CVE-2025-2210

    Título es
    CVE-2025-2210

    Mar, 11/03/2025 – 22:15

    Tipo
    CWE-79

    Gravedad v2.0
    3.30

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-2210

    Descripción en
    A vulnerability has been found in aitangbao springboot-manager 3.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /sysJob/add. The manipulation of the argument name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

    11/03/2025

    11/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

    Vector CVSS:2.0
    AV:N/AC:L/Au:M/C:N/I:P/A:N

    Gravedad 4.0
    4.80

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    2.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias


  • https://github.com/uglory-gll/javasec/blob/main/spring-manage.md

  • https://vuldb.com/?ctiid_299281=

  • https://vuldb.com/?id_299281=

  • https://vuldb.com/?submit_511740=

    • Enviar en el boletín
    Off

    CVE-2025-2209

    CVE-2025-2209

    Título es
    CVE-2025-2209

    Mar, 11/03/2025 – 22:15

    Tipo
    CWE-79

    Gravedad v2.0
    3.30

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-2209

    Descripción en
    A vulnerability, which was classified as problematic, was found in aitangbao springboot-manager 3.0. Affected is an unknown function of the file /sysDict/add. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

    11/03/2025

    11/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

    Vector CVSS:2.0
    AV:N/AC:L/Au:M/C:N/I:P/A:N

    Gravedad 4.0
    4.80

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    2.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias


  • https://github.com/uglory-gll/javasec/blob/main/spring-manage.md

  • https://vuldb.com/?ctiid_299280=

  • https://vuldb.com/?id_299280=

  • https://vuldb.com/?submit_511739=

    • Enviar en el boletín
    Off

    CVE-2025-27792

    CVE-2025-27792

    Título es
    CVE-2025-27792

    Mar, 11/03/2025 – 22:15

    Tipo
    CWE-352

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-27792

    Descripción en
    Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using «, effectively bypassing this protection. Version 5.1.1 contains a patch for the issue.

    11/03/2025

    11/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    7.70

    Gravedad 4.0 txt
    HIGH

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://github.com/obiba/opal/security/advisories/GHSA-27vw-29rq-c358

    • Enviar en el boletín
    Off

    CVE-2025-27101

    CVE-2025-27101

    Título es
    CVE-2025-27101

    Mar, 11/03/2025 – 22:15

    Tipo
    CWE-22

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-27101

    Descripción en
    Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, when copying any parent directory to a folder in the /temp/ directory, all files in that parent directory are copied, including files which the user should not have access to. All users of the application are impacted, as this is exploitable by any user to reveal all files in the opal filesystem. This also means that low-privilege users such as DataShield users can retrieve the files of other users. Version 5.1.1 contains a patch for the issue.

    11/03/2025

    11/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    7.30

    Gravedad 4.0 txt
    HIGH

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias


  • https://github.com/obiba/opal/commit/fca7dc9c8348064741b2e8b2c31b66660a935743

  • https://github.com/obiba/opal/security/advisories/GHSA-rxmx-gqjj-vhv8

    • Enviar en el boletín
    Off

    CVE-2025-2211

    CVE-2025-2211

    Título es
    CVE-2025-2211

    Mar, 11/03/2025 – 22:15

    Tipo
    CWE-79

    Gravedad v2.0
    3.30

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-2211

    Descripción en
    A vulnerability was found in aitangbao springboot-manager 3.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /sysDictDetail/add. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

    11/03/2025

    11/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

    Vector CVSS:2.0
    AV:N/AC:L/Au:M/C:N/I:P/A:N

    Gravedad 4.0
    4.80

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    2.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias


  • https://github.com/uglory-gll/javasec/blob/main/spring-manage.md

  • https://vuldb.com/?ctiid_299282=

  • https://vuldb.com/?id_299282=

  • https://vuldb.com/?submit_511741=

    • Enviar en el boletín
    Off

    CVE-2025-2233

    CVE-2025-2233

    Título es
    CVE-2025-2233

    Mar, 11/03/2025 – 23:15

    Tipo
    CWE-347

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-2233

    Descripción en
    Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Samsung SmartThings. Authentication is not required to exploit this vulnerability.

    The specific flaw exists within the Hub Local API service, which listens on TCP port 8766 by default. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25615.

    12/03/2025

    12/03/2025

    Vector CVSS:3.1
    CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://www.zerodayinitiative.com/advisories/ZDI-25-127/

    • Enviar en el boletín
    Off

    CVE-2025-2213

    CVE-2025-2213

    Título es
    CVE-2025-2213

    Mar, 11/03/2025 – 23:15

    Tipo
    CWE-79

    Gravedad v2.0
    3.30

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-2213

    Descripción en
    A vulnerability was found in Castlenet CBW383G2N up to 20250301. It has been declared as problematic. This vulnerability affects unknown code of the file /wlanPrimaryNetwork.asp of the component Wireless Menu. The manipulation of the argument SSID with the input leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

    12/03/2025

    12/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

    Vector CVSS:2.0
    AV:N/AC:L/Au:M/C:N/I:P/A:N

    Gravedad 4.0
    4.80

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    2.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias


  • https://vuldb.com/?ctiid_299284=

  • https://vuldb.com/?id_299284=

  • https://vuldb.com/?submit_511882=

    • Enviar en el boletín
    Off

    CVE-2025-2212

    CVE-2025-2212

    Título es
    CVE-2025-2212

    Mar, 11/03/2025 – 23:15

    Tipo
    CWE-79

    Gravedad v2.0
    3.30

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-2212

    Descripción en
    A vulnerability was found in Castlenet CBW383G2N up to 20250301. It has been classified as problematic. This affects an unknown part of the file /RgSwInfo.asp. The manipulation of the argument Description with the input leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

    12/03/2025

    12/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

    Vector CVSS:2.0
    AV:N/AC:L/Au:M/C:N/I:P/A:N

    Gravedad 4.0
    4.80

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    2.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias


  • https://vuldb.com/?ctiid_299283=

  • https://vuldb.com/?id_299283=

  • https://vuldb.com/?submit_511873=

    • Enviar en el boletín
    Off