CVE-2025-2864

CVE-2025-2864

Título es
CVE-2025-2864

Vie, 28/03/2025 – 14:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-2864

Descripción en
SaTECH BCU in its firmware version 2.1.3 allows an attacker to inject malicious code into the legitimate website owning the affected device, once the cookie is set. This attack only impacts the victim's browser (reflected XSS).

28/03/2025
28/03/2025
Vector CVSS:4.0
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Gravedad 4.0
2.00

Gravedad 4.0 txt
LOW

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

  • https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu

    • Enviar en el boletín
    Off

    CVE-2025-2863

    CVE-2025-2863

    Título es
    CVE-2025-2863

    Vie, 28/03/2025 – 14:15

    Tipo
    CWE-352

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-2863

    Descripción en
    Cross-site request forgery (CSRF) vulnerability in the web application of saTECH BCU firmware version 2.1.3, which could allow an unauthenticated local attacker to exploit active administrator sessions and perform malicious actions. The malicious actions that can be executed by the attacker depend on the logged-in user, and may include rebooting the device or modifying roles and permissions.

    28/03/2025
    28/03/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    5.70

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu

    • Enviar en el boletín
    Off

    CVE-2025-2862

    CVE-2025-2862

    Título es
    CVE-2025-2862

    Vie, 28/03/2025 – 14:15

    Tipo
    CWE-261

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-2862

    Descripción en
    SaTECH BCU, in its firmware version 2.1.3, performs weak password encryption. This allows an attacker with access to the device's system or website to obtain the credentials, as the storage methods used are not strong enough in terms of encryption.

    28/03/2025
    28/03/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    6.90

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu

    • Enviar en el boletín
    Off

    CVE-2025-2861

    CVE-2025-2861

    Título es
    CVE-2025-2861

    Vie, 28/03/2025 – 14:15

    Tipo
    CWE-319

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-2861

    Descripción en
    SaTECH BCU in its firmware version 2.1.3 uses the HTTP protocol. The use of the HTTP protocol for web browsing has the problem that information is exchanged in unencrypted text. Since sensitive data such as credentials are exchanged, an attacker could obtain them and log in legitimately.

    28/03/2025
    28/03/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Gravedad 4.0
    6.90

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu

    • Enviar en el boletín
    Off

    CVE-2025-2901

    CVE-2025-2901

    Título es
    CVE-2025-2901

    Vie, 28/03/2025 – 14:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-2901

    Descripción en
    A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities.

    28/03/2025
    28/03/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.60

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://access.redhat.com/security/cve/CVE-2025-2901

  • https://bugzilla.redhat.com/show_bug.cgi?id=2355685

    • Enviar en el boletín
    Off

    CVE-2025-31094

    CVE-2025-31094

    Título es
    CVE-2025-31094

    Vie, 28/03/2025 – 10:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-31094

    Descripción en
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in teastudio.pl WP Posts Carousel allows Stored XSS. This issue affects WP Posts Carousel: from n/a through 1.3.8.

    28/03/2025
    28/03/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://patchstack.com/database/wordpress/plugin/wp-posts-carousel/vulnerability/wordpress-wp-posts-carousel-1-3-8-cross-site-scripting-xss-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-31093

    CVE-2025-31093

    Título es
    CVE-2025-31093

    Vie, 28/03/2025 – 10:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-31093

    Descripción en
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redpixelstudios RPS Include Content allows DOM-Based XSS. This issue affects RPS Include Content: from n/a through 1.2.1.

    28/03/2025
    28/03/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://patchstack.com/database/wordpress/plugin/rps-include-content/vulnerability/wordpress-rps-include-content-1-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-31090

    CVE-2025-31090

    Título es
    CVE-2025-31090

    Vie, 28/03/2025 – 10:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-31090

    Descripción en
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alordiel Dropdown Multisite selector allows Stored XSS. This issue affects Dropdown Multisite selector: from n/a through n/a.

    28/03/2025
    28/03/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://patchstack.com/database/wordpress/plugin/dropdown-multisite-selector/vulnerability/wordpress-dropdown-multisite-selector-0-9-4-cross-site-scripting-xss-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-31102

    CVE-2025-31102

    Título es
    CVE-2025-31102

    Vie, 28/03/2025 – 10:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-31102

    Descripción en
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel allows Reflected XSS. This issue affects Hostel: from n/a through 1.1.5.5.

    28/03/2025
    28/03/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://patchstack.com/database/wordpress/plugin/hostel/vulnerability/wordpress-hostel-plugin-1-1-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2025-31099

    CVE-2025-31099

    Título es
    CVE-2025-31099

    Vie, 28/03/2025 – 10:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-31099

    Descripción en
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bestwebsoft Slider by BestWebSoft allows SQL Injection. This issue affects Slider by BestWebSoft: from n/a through 1.1.0.

    28/03/2025
    28/03/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.60

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://patchstack.com/database/wordpress/plugin/slider-bws/vulnerability/wordpress-slider-by-bestwebsoft-1-1-0-sql-injection-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off