CVE-2025-27408

Title (es)
CVE-2025-27408

Fri, 28/02/2025 – 18:15

Type
CWE-759

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-27408

Description (en)
Manifest offers users a one-file micro back end. Prior to version 4.9.1, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without a salt, identical passwords across multiple users produce the same hash, making it easier for attackers to identify and exploit patterns and thereby accelerating the cracking process. Version 4.9.1 fixes the issue.

28/02/2025

28/02/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.80

Severity 3.1 Txt
MEDIUM

References

  • https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69
  • https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c

CVE-2025-25431

Title (es)
CVE-2025-25431

Fri, 28/02/2025 – 18:15

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-25431

Description (en)
Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the ssid key of the wifi_data parameter on the /captive_portal.htm page.

28/02/2025

28/02/2025

Severity 3.1 Txt
Pending analysis

References

  • https://instinctive-acapella-fc7.notion.site/Trendnet-TEW-929DRU-XSS-17b15d9d4d26806a90f3d830a6143ebe

CVE-2025-25430

Title (es)
CVE-2025-25430

Fri, 28/02/2025 – 18:15

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-25430

Description (en)
Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the configname parameter on the /cbi_addcert.htm page.

28/02/2025

28/02/2025

Severity 3.1 Txt
Pending analysis

References

  • https://instinctive-acapella-fc7.notion.site/Trendnet-TEW-929DRU-XSS-17a15d9d4d2680fbb72ced0a02a64875

CVE-2025-27400

Title (es)
CVE-2025-27400

Fri, 28/02/2025 – 16:15

Type
CWE-79

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-27400

Description (en)
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Versions prior to 20.12.3 and 20.13.1 contain a vulnerability that allows script execution in the admin panel, which could lead to cross-site scripting against authenticated admin users. The attack requires an admin user with configuration access, so in practice it is not very likely to be useful, given that a user with this level of access is probably already a full admin. Versions 20.12.3 and 20.13.1 contain a patch for the issue.

28/02/2025

28/02/2025

Vector CVSS:3.1
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

Severity 3.1 (CVSS 3.1 Base Score)
2.90

Severity 3.1 Txt
LOW

References

  • https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea
  • https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3
  • https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0
  • https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668

CVE-2025-0985

Title (es)
CVE-2025-0985

Fri, 28/02/2025 – 17:15

Type
CWE-526

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-0985

Description (en)
IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD stores potentially sensitive information in environment variables that could be obtained by a local user.

28/02/2025

28/02/2025

Vector CVSS:3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity 3.1 (CVSS 3.1 Base Score)
5.50

Severity 3.1 Txt
MEDIUM

References

  • https://www.ibm.com/support/pages/node/7184453

CVE-2024-54175

Title (es)
CVE-2024-54175

Fri, 28/02/2025 – 17:15

Type
CWE-754

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2024-54175

Description (en)
IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD could allow a local user to cause a denial of service due to an improper check for unusual or exceptional conditions.

28/02/2025

28/02/2025

Vector CVSS:3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity 3.1 (CVSS 3.1 Base Score)
5.50

Severity 3.1 Txt
MEDIUM

References

  • https://www.ibm.com/support/pages/node/7184453

CVE-2025-24318

Title (es)
CVE-2025-24318

Fri, 28/02/2025 – 17:15

Type
CWE-1004

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-24318

Description (en)
The cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise.

28/02/2025

28/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Severity 4.0
5.90

Severity 4.0 Txt
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
6.80

Severity 3.1 Txt
MEDIUM

References

  • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
  • https://www.dariohealth.com/contact/

CVE-2025-24316

Title (es)
CVE-2025-24316

Fri, 28/02/2025 – 17:15

Type
CWE-213

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-24316

Description (en)
The Dario Health Internet-based server infrastructure is vulnerable due to exposure of development environment details, which could lead to unsafe functionality.

28/02/2025

28/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity 4.0
6.90

Severity 4.0 Txt
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
5.30

Severity 3.1 Txt
MEDIUM

References

  • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
  • https://www.dariohealth.com/contact/

CVE-2025-23405

Title (es)
CVE-2025-23405

Fri, 28/02/2025 – 17:15

Type
CWE-117

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-23405

Description (en)
Unauthenticated logging affects metrics gathering and incident response efforts and potentially exposes a risk of injection attacks (e.g. log injection).

28/02/2025

28/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Severity 4.0
6.90

Severity 4.0 Txt
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
5.30

Severity 3.1 Txt
MEDIUM

References

  • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
  • https://www.dariohealth.com/contact/

CVE-2025-20060

Title (es)
CVE-2025-20060

Fri, 28/02/2025 – 17:15

Type
CWE-359

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-20060

Description (en)
An attacker could expose cross-user personally identifiable information (PII) and personal health information transmitted to the Android device via the Dario Health application database.

28/02/2025

28/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity 4.0
8.70

Severity 4.0 Txt
HIGH

Severity 3.1 (CVSS 3.1 Base Score)
7.50

Severity 3.1 Txt
HIGH

References

  • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
  • https://www.dariohealth.com/contact/