Jose Alexis Correa Valencia, Author at AlterPlex

25 Feb 2025

CVE-2025-1643

Título es
CVE-2025-1643

Mar, 25/02/2025 – 01:15

Tipo
CWE-352

Gravedad v2.0
5.00

Gravedad 2.0 Txt
MEDIUM

Título en

CVE-2025-1643

Descripción en
A vulnerability was found in Benner ModernaNet up to 1.1.0. It has been rated as problematic. This issue affects some unknown processing of the file /DadosPessoais/SG_AlterarSenha. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component.

25/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Vector CVSS:2.0
AV:N/AC:L/Au:N/C:N/I:P/A:N

Gravedad 4.0
5.30

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 (CVSS 3.1 Base Score)
4.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://github.com/yago3008/cves

https://vuldb.com/?ctiid_296693=

https://vuldb.com/?id_296693=

https://vuldb.com/?submit_500574=

Enviar en el boletín
Off

25 Feb 2025

CVE-2025-1642

Título es
CVE-2025-1642

Mar, 25/02/2025 – 01:15

Tipo
CWE-99

Gravedad v2.0
4.00

Gravedad 2.0 Txt
MEDIUM

Título en

CVE-2025-1642

Descripción en
A vulnerability was found in Benner ModernaNet up to 1.1.0. It has been declared as critical. This vulnerability affects unknown code of the file /AGE0000700/GetImageMedico?fooId=1. The manipulation of the argument fooId leads to improper control of resource identifiers. The attack can be initiated remotely. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component.

25/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Vector CVSS:2.0
AV:N/AC:L/Au:S/C:P/I:N/A:N

Gravedad 4.0
5.30

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 (CVSS 3.1 Base Score)
4.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://github.com/yago3008/cves

https://vuldb.com/?ctiid_296692=

https://vuldb.com/?id_296692=

https://vuldb.com/?submit_499877=

Enviar en el boletín
Off

24 Feb 2025

CVE-2025-27140

Título es
CVE-2025-27140

Lun, 24/02/2025 – 22:15

Tipo
CWE-78

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-27140

Descripción en
WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely. The command is basically a command to move a temporary file, so a webshell upload is also possible. Version 3.2.15 contains a patch for the issue.

24/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Gravedad 4.0
10.00

Gravedad 4.0 txt
CRITICAL

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://github.com/LabRedesCefetRJ/WeGIA/commit/7d0df8c9a0b8b7d6862bbc23dc729d73e39672a1

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xw6w-x28r-2p5c

Enviar en el boletín
Off

24 Feb 2025

CVE-2025-27141

Título es
CVE-2025-27141

Lun, 24/02/2025 – 22:15

Tipo
CWE-732

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-27141

Descripción en
Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don’t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.

24/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Gravedad 4.0
4.80

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p

https://www.metabase.com/docs/latest/configuring-metabase/caching

https://www.metabase.com/docs/latest/permissions/impersonation

Enviar en el boletín
Off

24 Feb 2025

CVE-2024-53542

Título es
CVE-2024-53542

Lun, 24/02/2025 – 23:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-53542

Descripción en
Incorrect access control in the component /iclock/Settings?restartNCS=1 of NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 allows attackers to arbitrarily restart the NCServiceManger via a crafted GET request.

25/02/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://secure77.de/smart-time-plus-rce-cve-2024-53543/

Enviar en el boletín
Off

24 Feb 2025

CVE-2024-57685

Título es
CVE-2024-57685

Lun, 24/02/2025 – 23:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-57685

Descripción en
An issue in sparkshop v.1.1.7 and before allows a remote attacker to execute arbitrary code via a crafted phar file.

25/02/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://github.com/lhRaMk7/notebook/blob/main/phar_rce

Enviar en el boletín
Off

24 Feb 2025

CVE-2024-56525

Título es
CVE-2024-56525

Lun, 24/02/2025 – 23:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-56525

Descripción en
In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and insert a backdoor plugin, by uploading a crafted XML document as a User XML Plugin.

25/02/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

User-XML Fatal Vulnerabilities For OJS/OMP/OPS < 3.3.0.21 (CVE 2024-56525)

Enviar en el boletín
Off

24 Feb 2025

CVE-2024-53544

Título es
CVE-2024-53544

Lun, 24/02/2025 – 23:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-53544

Descripción en
NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 was discovered to contain a SQL injection vulnerability via the getCookieNames method in the smarttimeplus/MySQLConnection endpoint.

25/02/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://secure77.de/smart-time-plus-rce-cve-2024-53543/

Enviar en el boletín
Off

24 Feb 2025

CVE-2024-53543

Título es
CVE-2024-53543

Lun, 24/02/2025 – 23:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-53543

Descripción en
NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 was discovered to contain a SQL injection vulnerability via the addProject method in the smarttimeplus/MySQLConnection endpoint.

25/02/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://secure77.de/smart-time-plus-rce-cve-2024-53543/

Enviar en el boletín
Off

24 Feb 2025

CVE-2025-27144

Título es
CVE-2025-27144

Lun, 24/02/2025 – 23:15

Tipo
CWE-770

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-27144

Descripción en
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.

25/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Gravedad 4.0
6.60

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22

https://github.com/go-jose/go-jose/releases/tag/v4.0.5

https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78

Enviar en el boletín
Off

Autor: Jose Alexis Correa Valencia