CVE-2025-25460

Title (es)
CVE-2025-25460

Mon, 24/02/2025 – 16:15

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-25460

Description (en)
A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. This vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts, which are executed when other users view the posts. The issue arises due to improper input sanitization of the "TextArea" field in the blog entry submission form.

24/02/2025

24/02/2025

Severity 3.1 Txt (CVSS 3.1 Base Score)
Pending analysis

References

  • https://github.com/RoNiXxCybSeC0101/CVE-2025-25460
  • https://github.com/flatpressblog/flatpress

CVE-2025-26803

Title (es)
CVE-2025-26803

Mon, 24/02/2025 – 16:15

Type
CWE-908

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-26803

Description (en)
The HTTP parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.

24/02/2025

24/02/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Severity 3.1 (CVSS 3.1 Base Score)
5.30

Severity 3.1 Txt (CVSS 3.1 Base Score)
MEDIUM

References

  • https://blog.phusion.nl/2025/02/19/passenger-6-0-26/
  • https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017
  • https://github.com/phusion/passenger/compare/release-6.0.25…release-6.0.26
  • https://github.com/phusion/passenger/releases/tag/release-6.0.26
  • https://www.phusionpassenger.com/support

CVE-2025-0545

Title (es)
CVE-2025-0545

Mon, 24/02/2025 – 14:15

Type
CWE-79

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-0545

Description (en)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tekrom Technology T-Soft E-Commerce allows Cross-Site Scripting (XSS). This issue affects T-Soft E-Commerce: before v5.

24/02/2025

24/02/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Severity 3.1 (CVSS 3.1 Base Score)
4.70

Severity 3.1 Txt (CVSS 3.1 Base Score)
MEDIUM

References

  • https://www.usom.gov.tr/bildirim/tr-25-0041

CVE-2024-5174

Title (es)
CVE-2024-5174

Mon, 24/02/2025 – 14:15

Type
CWE-287

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2024-5174

Description (en)
A flaw in Gliffy results in broken authentication through the password reset functionality of the application.

24/02/2025

24/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
5.30

Severity 4.0 Txt
MEDIUM

Severity 3.1 Txt (CVSS 3.1 Base Score)
Pending analysis

References

  • https://portal.perforce.com/s/detail/a91PA000001ScD3YAK

CVE-2023-52926

Title (es)
CVE-2023-52926

Mon, 24/02/2025 – 09:15

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2023-52926

Description (es)
A vulnerability in the Linux kernel has been resolved in which the IORING_OP_READ operation did not correctly consume the provided buffer list when the read I/O returned a value < 0 (except for the cases where it returned -EAGAIN or -EIOCBQUEUED). This can lead to a potential use-after-free when the completion via io_rw_done runs in a separate context.

Description (en)
In the Linux kernel, the following vulnerability has been resolved:

IORING_OP_READ did not correctly consume the provided buffer list when read i/o returned

24/02/2025

24/02/2025

Severity 3.1 Txt (CVSS 3.1 Base Score)
Pending analysis

References

  • https://git.kernel.org/stable/c/6c27fc6a783c8a77c756dd5461b15e465020d075
  • https://git.kernel.org/stable/c/72060434a14caea20925e492310d6e680e3f9007
  • https://git.kernel.org/stable/c/a08d195b586a217d76b42062f88f375a3eedda4d

CVE-2025-1488

Title (es)
CVE-2025-1488

Mon, 24/02/2025 – 11:15

Type
CWE-601

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2025-1488

Description (en)
The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. This is due to insufficient validation of the redirect URL supplied via the 'redirect_to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if 1. they can successfully trick them into performing an action and 2. the plugin is activated but not configured.

24/02/2025

24/02/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.70

Severity 3.1 Txt (CVSS 3.1 Base Score)
MEDIUM

References

  • https://plugins.trac.wordpress.org/changeset/3244747/ (WPO365 | MICROSOFT 365 GRAPH MAILER)
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/3a1782c3-ae0b-42f1-aa5e-dabfa2a5bbcd?source=cve (Change Log)

CVE-2025-1629

Title (es)
CVE-2025-1629

Mon, 24/02/2025 – 05:15

Type
CWE-307

Severity v2.0
2.70

Severity 2.0 Txt
LOW

Title (en)
CVE-2025-1629

Description (en)
A vulnerability was found in Excitel Broadband Private my Excitel App 3.13.0 on Android. It has been classified as problematic. Affected is an unknown function of the component One-Time Password Handler. The manipulation leads to improper restriction of excessive authentication attempts. The vendor was contacted early about this disclosure but did not respond in any way.

24/02/2025

24/02/2025

Vector CVSS:4.0
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Vector CVSS:2.0
AV:A/AC:L/Au:S/C:P/I:N/A:N

Severity 4.0
5.10

Severity 4.0 Txt
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
3.50

Severity 3.1 Txt (CVSS 3.1 Base Score)
LOW

References

  • https://vuldb.com/?ctiid_296610=
  • https://vuldb.com/?id_296610=
  • https://vuldb.com/?submit_501868=

CVE-2024-12308

Title (es)
CVE-2024-12308

Mon, 24/02/2025 – 06:15

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2024-12308

Description (en)
The Logo Slider WordPress plugin before 4.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

24/02/2025

24/02/2025

Severity 3.1 Txt (CVSS 3.1 Base Score)
Pending analysis

References

  • https://wpscan.com/vulnerability/fa82ada7-357b-4f01-a0d6-ff633b188a80/

CVE-2024-13822

Title (es)
CVE-2024-13822

Mon, 24/02/2025 – 06:15

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2024-13822

Description (en)
The Photo Contest | Competition | Video Contest WordPress plugin through 2.8.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

24/02/2025

24/02/2025

Severity 3.1 Txt (CVSS 3.1 Base Score)
Pending analysis

References

  • https://wpscan.com/vulnerability/1f0f1553-1987-428c-9fe3-ffb3f6b0aecc/

CVE-2024-13605

Title (es)
CVE-2024-13605

Mon, 24/02/2025 – 06:15

Severity 2.0 Txt
Pending analysis

Title (en)
CVE-2024-13605

Description (en)
The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

24/02/2025

24/02/2025

Severity 3.1 Txt (CVSS 3.1 Base Score)
Pending analysis

References

  • https://wpscan.com/vulnerability/d5543b3b-1c28-481b-aba4-9a07d160e1f2/