CVE-2025-27506

Thu, 06/03/2025 – 19:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Description (en)
NocoDB is software for building databases as spreadsheets. The API endpoint used by the password reset function, /api/v1/db/auth/password/reset/:tokenId, is vulnerable to Reflected Cross-Site Scripting. The flaw stems from the implementation of the client-side template engine ejs, specifically in the file resetPassword.ts, where the template is using the insecure function “

06/03/2025

06/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
5.40

Severity 3.1 (text)
MEDIUM

References

  • https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251
  • https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71
  • https://github.com/nocodb/nocodb/commit/ea821edb133e621e26183ae65c8ff9ee5d6f2723
  • https://github.com/nocodb/nocodb/security/advisories/GHSA-wf6c-hrhf-86cw

CVE-2025-26699

Thu, 06/03/2025 – 19:15

Type
CWE-770

Severity 2.0 (text)
Pending analysis

Description (en)
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and the wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.

06/03/2025

06/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

Severity 3.1 (CVSS 3.1 Base Score)
5.00

Severity 3.1 (text)
MEDIUM

References

  • https://docs.djangoproject.com/en/dev/releases/security/
  • https://groups.google.com/g/django-announce
  • https://www.djangoproject.com/weblog/2025/mar/06/security-releases/
  • http://www.openwall.com/lists/oss-security/2025/03/06/12

CVE-2025-2037

Thu, 06/03/2025 – 19:15

Type
CWE-74

Severity v2.0
6.50

Severity 2.0 (text)
MEDIUM

Description (en)
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /user_dashboard/delete_requester.php. Manipulation of the argument requester_id leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

06/03/2025

06/03/2025

CVSS:4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS:2.0 vector
AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity 4.0
5.30

Severity 4.0 (text)
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
6.30

Severity 3.1 (text)
MEDIUM

References

  • https://code-projects.org/
  • https://github.com/intercpt/XSS1/blob/main/SQL1.md
  • https://vuldb.com/?ctiid_298780=
  • https://vuldb.com/?id_298780=
  • https://vuldb.com/?submit_512550=

CVE-2025-2036

Thu, 06/03/2025 – 19:15

Type
CWE-74

Severity v2.0
6.50

Severity 2.0 (text)
MEDIUM

Description (en)
A vulnerability was found in s-a-zhd Ecommerce-Website-using-PHP 1.0. It has been classified as critical. This affects an unknown part of the file details.php. Manipulation of the argument pro_id leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

06/03/2025

06/03/2025

CVSS:4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS:2.0 vector
AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity 4.0
5.30

Severity 4.0 (text)
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
6.30

Severity 3.1 (text)
MEDIUM

References

  • https://vuldb.com/?ctiid_298779=
  • https://vuldb.com/?id_298779=
  • https://vuldb.com/?submit_512405=
  • https://www.websecurityinsights.my.id/2025/03/e-commerce-10-detailsphpproid-sql.html?m=1

CVE-2025-27600

Thu, 06/03/2025 – 19:15

Type
CWE-918

Severity 2.0 (text)
Pending analysis

Description (en)
FastGPT is a knowledge-based platform built on LLMs. Because the web crawling plug-in does not verify whether the requested IP belongs to the intranet, an attacker can submit an intranet IP address, causing the system to issue a request from inside the intranet and potentially expose private intranet data. This issue is fixed in 4.9.0.

06/03/2025

06/03/2025

CVSS:4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
6.90

Severity 4.0 (text)
MEDIUM

Severity 3.1 (text)
Pending analysis

References

  • https://github.com/labring/FastGPT/security/advisories/GHSA-vc67-62v5-8cwx

CVE-2025-2040

Thu, 06/03/2025 – 20:15

Type
CWE-791

Severity v2.0
6.50

Severity 2.0 (text)
MEDIUM

Description (en)
A vulnerability classified as critical was found in zhijiantianya ruoyi-vue-pro 2.4.1. Affected by this vulnerability is an unknown functionality of the file /admin-api/bpm/model/deploy. The manipulation leads to improper neutralization of special elements used in a template engine. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

06/03/2025

06/03/2025

CVSS:4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS:2.0 vector
AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity 4.0
5.30

Severity 4.0 (text)
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
6.30

Severity 3.1 (text)
MEDIUM

References

  • https://github.com/uglory-gll/javasec/blob/main/ruoyi-vue-pro.md
  • https://vuldb.com/?ctiid_298783=
  • https://vuldb.com/?id_298783=
  • https://vuldb.com/?submit_512574=

CVE-2025-2039

Thu, 06/03/2025 – 20:15

Type
CWE-74

Severity v2.0
5.80

Severity 2.0 (text)
MEDIUM

Description (en)
A vulnerability classified as critical has been found in code-projects Blood Bank Management System 1.0. Affected is an unknown function of the file /admin/delete_members.php. Manipulation of the argument member_id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

06/03/2025

06/03/2025

CVSS:4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CVSS:2.0 vector
AV:N/AC:L/Au:M/C:P/I:P/A:P

Severity 4.0
5.10

Severity 4.0 (text)
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
4.70

Severity 3.1 (text)
MEDIUM

References

  • https://code-projects.org/
  • https://github.com/intercpt/XSS1/blob/main/SQL4.md
  • https://vuldb.com/?ctiid_298782=
  • https://vuldb.com/?id_298782=
  • https://vuldb.com/?submit_512564=

CVE-2025-2038

Thu, 06/03/2025 – 20:15

Type
CWE-548

Severity v2.0
7.50

Severity 2.0 (text)
HIGH

Description (en)
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /upload/. The manipulation leads to exposure of information through directory listing. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

06/03/2025

06/03/2025

CVSS:4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS:2.0 vector
AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity 4.0
6.90

Severity 4.0 (text)
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
7.30

Severity 3.1 (text)
HIGH

References

  • https://code-projects.org/
  • https://github.com/intercpt/XSS1/blob/main/Directorylisting.md
  • https://vuldb.com/?ctiid_298781=
  • https://vuldb.com/?id_298781=
  • https://vuldb.com/?submit_512558=

CVE-2025-25497

Thu, 06/03/2025 – 20:15

Severity 2.0 (text)
Pending analysis

Description (en)
An issue in the account management interface of Netsweeper Server v.8.2.6 and earlier (fixed in v.8.2.7) allows unauthorized changes to the "Account Owner" field due to client-side-only restrictions and a lack of server-side validation. This vulnerability enables account ownership to be reassigned to or away from any user.

06/03/2025

06/03/2025

Severity 3.1 (text)
Pending analysis

References

  • https://helpdesk.netsweeper.com/docs/8_2_Docs/8_2_Netsweeper_Docs/Content/Release_Notes/Netsweeper_Release_Notes/8_2_Release_Notes/8_2_7_Release_and_Downloads.htm
  • https://packetstorm.news/files/id/188626/

CVE-2025-21830

Thu, 06/03/2025 – 17:15

Severity 2.0 (text)
Pending analysis

Description (en)
In the Linux kernel, the following vulnerability has been resolved:

landlock: Handle weird files

A corrupted filesystem (e.g. bcachefs) might return weird files.
Instead of throwing a warning and allowing access to such files, treat
them as regular files.

06/03/2025

06/03/2025

Severity 3.1 (text)
Pending analysis

References

  • https://git.kernel.org/stable/c/0fde195a373ab1267e60baa9e1a703a97e7464cd
  • https://git.kernel.org/stable/c/2569e65d2eb6ac1afe6cb6dfae476afee8b6771a
  • https://git.kernel.org/stable/c/39bb3d56f1c351e76bb18895d0e73796e653d5c1
  • https://git.kernel.org/stable/c/49440290a0935f428a1e43a5ac8dc275a647ff80
  • https://git.kernel.org/stable/c/7d6121228959ddf44a4b9b6a177384ac7854e2f9