admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-06-19 17:31:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-Update: 2025-04-16T14:00:21.028393+00:00

Browse Source
This commit is contained in:
cad-safe-bot 2025-04-16 14:03:58 +00:00
parent 8a5c5f0091
commit 9b9858ed5d
295 changed files with 6098 additions and 710 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CVE-2023/CVE-2023-321xx/CVE-2023-32197.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2023-32197",
"sourceIdentifier": "meissner@suse.de",
"published": "2025-04-16T09:15:24.103",
"lastModified": "2025-04-16T09:15:24.103",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

8
CVE-2023/CVE-2023-56xx/CVE-2023-5616.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2023-5616",
"sourceIdentifier": "security@ubuntu.com",
"published": "2025-04-15T19:16:06.647",
"lastModified": "2025-04-15T21:15:46.583",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Ubuntu, gnome-control-center did not properly reflect SSH remote login status when the system was configured to use systemd socket activation for openssh-server. This could unknowingly leave the local machine exposed to remote SSH access contrary to expectation of the user."
},
{
"lang": "es",
"value": "En Ubuntu, gnome-control-center no reflejaba correctamente el estado de inicio de sesi\u00f3n remoto SSH cuando el sistema estaba configurado para usar la activaci\u00f3n del socket systemd para openssh-server. Esto pod\u00eda dejar, sin que el usuario lo supiera, la m\u00e1quina local expuesta al acceso remoto SSH, contrariamente a lo esperado."
}
],
"metrics": {

8
CVE-2024/CVE-2024-106xx/CVE-2024-10680.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-10680",
"sourceIdentifier": "contact@wpscan.com",
"published": "2025-04-16T06:15:42.367",
"lastModified": "2025-04-16T06:15:42.367",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
},
{
"lang": "es",
"value": "El complemento Form Maker de 10Web para WordPress anterior a la versi\u00f3n 1.15.32 no depura ni escapa de algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados como el administrador realizar ataques de Cross-Site Scripting almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n de varios sitios)."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-134xx/CVE-2024-13452.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-13452",
"sourceIdentifier": "security@wordfence.com",
"published": "2025-04-16T03:15:17.067",
"lastModified": "2025-04-16T03:15:17.067",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on a saveAsCopy function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
},
{
"lang": "es",
"value": "El complemento Contact Form de Supsystic para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.7.29 incluida. Esto se debe a la falta o la validaci\u00f3n incorrecta de nonce en la funci\u00f3n saveAsCopy. Esto permite a atacantes no autenticados actualizar la configuraci\u00f3n e inyectar scripts web maliciosos mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."
}
],
"metrics": {

4
CVE-2024/CVE-2024-220xx/CVE-2024-22036.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2024-22036",
"sourceIdentifier": "meissner@suse.de",
"published": "2025-04-16T09:15:27.300",
"lastModified": "2025-04-16T09:15:27.300",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

8
CVE-2024/CVE-2024-421xx/CVE-2024-42193.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-42193",
"sourceIdentifier": "psirt@hcl.com",
"published": "2025-04-15T19:16:06.800",
"lastModified": "2025-04-15T19:16:06.800",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HCL BigFix Web Reports' service communicates over HTTPS but exhibits a weakness in its handling of SSL certificate validation. This scenario presents a possibility of man-in-the-middle (MITM) attacks and data exposure as, if exploited, this vulnerability could potentially lead to unauthorized access."
},
{
"lang": "es",
"value": "El servicio de HCL BigFix Web Reports se comunica mediante HTTPS, pero presenta una vulnerabilidad en la validaci\u00f3n de certificados SSL. Este escenario presenta la posibilidad de ataques de intermediario (MITM) y exposici\u00f3n de datos, ya que, de explotarse, esta vulnerabilidad podr\u00eda provocar acceso no autorizado."
}
],
"metrics": {

8
CVE-2024/CVE-2024-448xx/CVE-2024-44843.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-44843",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-04-15T21:15:46.730",
"lastModified": "2025-04-15T21:15:46.730",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in the web socket handshake process of SteVe v3.7.1 allows attackers to bypass authentication and execute arbitrary coammands via supplying crafted OCPP requests."
},
{
"lang": "es",
"value": "Un problema en el proceso de protocolo de enlace de sockets web de SteVe v3.7.1 permite a los atacantes eludir la autenticaci\u00f3n y ejecutar comandos arbitrarios mediante el suministro de solicitudes OCPP manipuladas."
}
],
"metrics": {},

16
CVE-2024/CVE-2024-469xx/CVE-2024-46915.json Normal file
View File

@ -0,0 +1,16 @@
{
"id": "CVE-2024-46915",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-04-16T13:15:43.983",
"lastModified": "2025-04-16T13:15:43.983",
"vulnStatus": "Rejected",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
],
"metrics": {},
"references": []
}

8
CVE-2024/CVE-2024-492xx/CVE-2024-49200.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-49200",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-04-15T22:15:15.467",
"lastModified": "2025-04-15T22:15:15.467",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in AcpiS3SaveDxe and ChipsetSvcDxe in Insyde InsydeH2O with kernel 5.2 though 5.7. A potential DXE memory corruption vulnerability has been identified. The root cause is use of a pointer originating from the value of an NVRAM variable as the target of a write operation. This can be leveraged by an attacker to perform arbitrary writes, potentially leading to arbitrary code execution. The issue has been fixed in kernel 5.2, Version 05.29.44; kernel 5.3, Version 05.38.44; kernel 5.4, Version 05.46.44; kernel 5.5, Version 05.54.44; kernel 5.6, Version 05.61.44; and kernel 5.7, Version 05.70.44."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en AcpiS3SaveDxe y ChipsetSvcDxe en Insyde InsydeH2O con las versiones del kernel 5.2 a 5.7. Se identific\u00f3 una posible vulnerabilidad de corrupci\u00f3n de memoria DXE. La causa principal es el uso de un puntero originado en el valor de una variable NVRAM como destino de una operaci\u00f3n de escritura. Un atacante puede aprovechar esto para realizar escrituras arbitrarias, lo que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. El problema se ha corregido en las versiones del kernel 5.2, 05.29.44; 5.3, 05.38.44; 5.4, 05.46.44; 5.5, 05.54.44; 5.6, 05.61.44; y 5.7, 05.70.44."
}
],
"metrics": {},

4
CVE-2024/CVE-2024-522xx/CVE-2024-52281.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2024-52281",
"sourceIdentifier": "meissner@suse.de",
"published": "2025-04-16T09:15:27.620",
"lastModified": "2025-04-16T09:15:27.620",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

39
CVE-2024/CVE-2024-572xx/CVE-2024-57222.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2024-57222",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-01-10T18:15:24.807",
"lastModified": "2025-01-14T17:15:19.537",
"vulnStatus": "Awaiting Analysis",
"lastModified": "2025-04-16T13:59:08.477",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -51,10 +51,43 @@
]
}
],
"configurations": [
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linksys:e7350_firmware:1.1.00.032:*:*:*:*:*:*:*",
"matchCriteriaId": "F262DB25-2184-4755-A3B3-DE21D743D0BF"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:linksys:e7350:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EFB82A85-4363-480C-83D9-071E81C842EB"
}
]
}
]
}
],
"references": [
{
"url": "https://github.com/yanggao017/vuln/blob/main/Linksys/E7350/CI_5_apcli_cancel_wps/README.md",
"source": "cve@mitre.org"
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
]
}
]
}

4
CVE-2024/CVE-2024-580xx/CVE-2024-58092.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2024-58092",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-04-16T11:15:42.427",
"lastModified": "2025-04-16T11:15:42.427",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

17
CVE-2024/CVE-2024-91xx/CVE-2024-9102.json
View File

@ -2,13 +2,20 @@
"id": "CVE-2024-9102",
"sourceIdentifier": "vulnerability@ncsc.ch",
"published": "2024-12-19T14:15:06.327",
"lastModified": "2024-12-19T14:15:06.327",
"lastModified": "2025-04-16T12:15:15.727",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"cveTags": [
{
"sourceIdentifier": "vulnerability@ncsc.ch",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection."
"value": "phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed, the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor filter it on export."
},
{
"lang": "es",
@ -78,6 +85,10 @@
"url": "https://github.com/leenooks/phpLDAPadmin/commit/ea17aadef46fd29850160987fe7740ceed1381ad#diff-93b9f3e6d4c5bdacf469ea0ec74c1e9217ca6272da9be5a1bfd711f7da16f9e3R240",
"source": "vulnerability@ncsc.ch"
},
{
"url": "https://github.com/leenooks/phpLDAPadmin/issues/274#issuecomment-2586859072",
"source": "vulnerability@ncsc.ch"
},
{
"url": "https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.0",
"source": "vulnerability@ncsc.ch"

8
CVE-2025/CVE-2025-01xx/CVE-2025-0101.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-0101",
"sourceIdentifier": "info@cert.vde.com",
"published": "2025-04-16T08:15:13.423",
"lastModified": "2025-04-16T08:15:13.423",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A low privileged user can set the date of the devices to the 19th of January 2038 an therefore exceed the 32-Bit time limit. This causes some functions to work unexpected or stop working at all. Both during runtime and after a restart."
},
{
"lang": "es",
"value": "Un usuario con pocos privilegios puede establecer la fecha de los dispositivos al 19 de enero de 2038 y, por lo tanto, superar el l\u00edmite de 32 bits. Esto provoca que algunas funciones se ejecuten inesperadamente o dejen de funcionar, tanto durante la ejecuci\u00f3n como despu\u00e9s de un reinicio."
}
],
"metrics": {

12
CVE-2025/CVE-2025-07xx/CVE-2025-0721.json
View File

@ -2,13 +2,13 @@
"id": "CVE-2025-0721",
"sourceIdentifier": "cna@vuldb.com",
"published": "2025-01-27T00:15:26.317",
"lastModified": "2025-02-25T20:28:55.787",
"vulnStatus": "Analyzed",
"lastModified": "2025-04-16T12:15:16.413",
"vulnStatus": "Modified",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in needyamin image_gallery 1.0. This affects the function image_gallery of the file /view.php. The manipulation of the argument username leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
"value": "A vulnerability classified as problematic has been found in needyamin image_gallery 1.0. This affects the function image_gallery of the file /view.php. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "es",
@ -22,14 +22,14 @@
"type": "Secondary",
"cvssData": {
"version": "4.0",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"baseScore": 6.9,
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"userInteraction": "PASSIVE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnAvailabilityImpact": "NONE",

8
CVE-2025/CVE-2025-11xx/CVE-2025-1122.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-1122",
"sourceIdentifier": "7f6e188d-c52a-4a19-8674-3c3fa7d1fc7f",
"published": "2025-04-15T20:15:38.317",
"lastModified": "2025-04-15T20:15:38.317",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Out-Of-Bounds Write in TPM2 Reference Library in Google ChromeOS 122.0.6261.132 stable on Cr50 Boards allows an attacker with root access to gain persistence and \nbypass operating system verification via exploiting the NV_Read functionality during the Challenge-Response process."
},
{
"lang": "es",
"value": "La escritura fuera de los l\u00edmites en TPM2 Reference Library in Google ChromeOS 122.0.6261.132 estable en placas Cr50 permite que un atacante con acceso de root obtenga persistencia y eluda la verificaci\u00f3n del sistema operativo mediante la explotaci\u00f3n de la funcionalidad NV_Read durante el proceso de desaf\u00edo-respuesta."
}
],
"metrics": {},

8
CVE-2025/CVE-2025-12xx/CVE-2025-1273.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-1273",
"sourceIdentifier": "psirt@autodesk.com",
"published": "2025-04-15T21:15:46.960",
"lastModified": "2025-04-15T21:15:46.960",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A maliciously crafted PDF file, when linked or imported into Autodesk applications, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."
},
{
"lang": "es",
"value": "Un archivo PDF manipulado con fines maliciosos, al vincularse o importarse a aplicaciones de Autodesk, puede generar una vulnerabilidad de desbordamiento basado en mont\u00f3n. Un agente malicioso puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."
}
],
"metrics": {

8
CVE-2025/CVE-2025-12xx/CVE-2025-1274.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-1274",
"sourceIdentifier": "psirt@autodesk.com",
"published": "2025-04-15T21:15:47.083",
"lastModified": "2025-04-15T21:15:47.083",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A maliciously crafted RCS file, when parsed through Autodesk Revit, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process."
},
{
"lang": "es",
"value": "Un archivo RCS manipulado con fines maliciosos, al analizarse mediante Autodesk Revit, puede forzar una vulnerabilidad de escritura fuera de los l\u00edmites. Un agente malicioso podr\u00eda aprovechar esta vulnerabilidad para provocar un bloqueo, da\u00f1ar datos o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."
}
],
"metrics": {

8
CVE-2025/CVE-2025-12xx/CVE-2025-1275.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-1275",
"sourceIdentifier": "psirt@autodesk.com",
"published": "2025-04-15T21:15:47.197",
"lastModified": "2025-04-15T21:15:47.197",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A maliciously crafted JPG file, when linked or imported into certain Autodesk applications, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."
},
{
"lang": "es",
"value": "Un archivo JPG manipulado con fines maliciosos, al vincularse o importarse a ciertas aplicaciones de Autodesk, puede generar una vulnerabilidad de desbordamiento basado en mont\u00f3n. Un agente malicioso puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."
}
],
"metrics": {

8
CVE-2025/CVE-2025-12xx/CVE-2025-1276.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-1276",
"sourceIdentifier": "psirt@autodesk.com",
"published": "2025-04-15T21:15:47.320",
"lastModified": "2025-04-15T21:15:47.320",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A maliciously crafted DWG file, when parsed through certain Autodesk applications, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process."
},
{
"lang": "es",
"value": "Un archivo DWG manipulado con fines maliciosos, al analizarse mediante ciertas aplicaciones de Autodesk, puede forzar una vulnerabilidad de escritura fuera de los l\u00edmites. Un agente malicioso podr\u00eda aprovechar esta vulnerabilidad para provocar un bloqueo, da\u00f1ar datos o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."
}
],
"metrics": {

8
CVE-2025/CVE-2025-12xx/CVE-2025-1277.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-1277",
"sourceIdentifier": "psirt@autodesk.com",
"published": "2025-04-15T21:15:47.443",
"lastModified": "2025-04-15T21:15:47.443",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A maliciously crafted PDF file, when parsed through Autodesk applications, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process."
},
{
"lang": "es",
"value": "Un archivo PDF manipulado con fines maliciosos, al analizarse mediante aplicaciones de Autodesk, puede generar una vulnerabilidad de corrupci\u00f3n de memoria. Un agente malicioso puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."
}
],
"metrics": {

8
CVE-2025/CVE-2025-12xx/CVE-2025-1292.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-1292",
"sourceIdentifier": "7f6e188d-c52a-4a19-8674-3c3fa7d1fc7f",
"published": "2025-04-15T20:15:38.410",
"lastModified": "2025-04-15T20:15:38.410",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Out-Of-Bounds Write in TPM2 Reference Library in Google ChromeOS 122.0.6261.132 stable on Cr50 Boards allows an attacker with root access to gain persistence and \nbypass operating system verification via exploiting the NV_Read functionality during the Challenge-Response process."
},
{
"lang": "es",
"value": "La escritura fuera de los l\u00edmites en TPM2 Reference Library in Google ChromeOS 122.0.6261.132 estable en placas Cr50 permite que un atacante con acceso de root obtenga persistencia y eluda la verificaci\u00f3n del sistema operativo mediante la explotaci\u00f3n de la funcionalidad NV_Read durante el proceso de desaf\u00edo-respuesta."
}
],
"metrics": {},

8
CVE-2025/CVE-2025-16xx/CVE-2025-1656.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-1656",
"sourceIdentifier": "psirt@autodesk.com",
"published": "2025-04-15T21:15:47.560",
"lastModified": "2025-04-15T21:15:47.560",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A maliciously crafted PDF file, when linked or imported into Autodesk applications, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."
},
{
"lang": "es",
"value": "Un archivo PDF manipulado con fines maliciosos, al vincularse o importarse a aplicaciones de Autodesk, puede generar una vulnerabilidad de desbordamiento basado en mont\u00f3n. Un agente malicioso puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."
}
],
"metrics": {

86
CVE-2025/CVE-2025-19xx/CVE-2025-1980.json Normal file
View File

@ -0,0 +1,86 @@
{
"id": "CVE-2025-1980",
"sourceIdentifier": "cvd@cert.pl",
"published": "2025-04-16T13:15:44.083",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Ready_ application's Profile section allows users to upload files of any type and extension without restriction. If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote Code Execution. Refer to the Required Configuration for Exposure section for more information."
}
],
"metrics": {
"cvssMetricV40": [
{
"source": "cvd@cert.pl",
"type": "Secondary",
"cvssData": {
"version": "4.0",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"subAvailabilityImpact": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"confidentialityRequirement": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"availabilityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"valueDensity": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED"
}
}
]
},
"weaknesses": [
{
"source": "cvd@cert.pl",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-434"
}
]
}
],
"references": [
{
"url": "https://cert.pl/en/posts/2025/04/CVE-2025-1980",
"source": "cvd@cert.pl"
},
{
"url": "https://cert.pl/posts/2025/04/CVE-2025-1980",
"source": "cvd@cert.pl"
},
{
"url": "https://ready-os.com/pl/",
"source": "cvd@cert.pl"
}
]
}

86
CVE-2025/CVE-2025-19xx/CVE-2025-1981.json Normal file
View File

@ -0,0 +1,86 @@
{
"id": "CVE-2025-1981",
"sourceIdentifier": "cvd@cert.pl",
"published": "2025-04-16T13:15:44.223",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of input provided by a low-privileged user into a file search functionality in Ready_'s Invoices module allows for SQL Injection attacks."
}
],
"metrics": {
"cvssMetricV40": [
{
"source": "cvd@cert.pl",
"type": "Secondary",
"cvssData": {
"version": "4.0",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"subAvailabilityImpact": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"confidentialityRequirement": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"availabilityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"valueDensity": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED"
}
}
]
},
"weaknesses": [
{
"source": "cvd@cert.pl",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-89"
}
]
}
],
"references": [
{
"url": "https://cert.pl/en/posts/2025/04/CVE-2025-1980",
"source": "cvd@cert.pl"
},
{
"url": "https://cert.pl/posts/2025/04/CVE-2025-1980",
"source": "cvd@cert.pl"
},
{
"url": "https://ready-os.com/pl/",
"source": "cvd@cert.pl"
}
]
}

86
CVE-2025/CVE-2025-19xx/CVE-2025-1982.json Normal file
View File

@ -0,0 +1,86 @@
{
"id": "CVE-2025-1982",
"sourceIdentifier": "cvd@cert.pl",
"published": "2025-04-16T13:15:44.343",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Local File Inclusion vulnerability in Ready's attachment upload panel allows low privileged user to provide link to a local file using the file:// protocol thus allowing the attacker to read content of the file. This vulnerability can be use to read content of system files."
}
],
"metrics": {
"cvssMetricV40": [
{
"source": "cvd@cert.pl",
"type": "Secondary",
"cvssData": {
"version": "4.0",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"subAvailabilityImpact": "NONE",
"exploitMaturity": "NOT_DEFINED",
"confidentialityRequirement": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"availabilityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"valueDensity": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED"
}
}
]
},
"weaknesses": [
{
"source": "cvd@cert.pl",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-552"
}
]
}
],
"references": [
{
"url": "https://cert.pl/en/posts/2025/04/CVE-2025-1980",
"source": "cvd@cert.pl"
},
{
"url": "https://cert.pl/posts/2025/04/CVE-2025-1980",
"source": "cvd@cert.pl"
},
{
"url": "https://ready-os.com/pl/",
"source": "cvd@cert.pl"
}
]
}

86
CVE-2025/CVE-2025-19xx/CVE-2025-1983.json Normal file
View File

@ -0,0 +1,86 @@
{
"id": "CVE-2025-1983",
"sourceIdentifier": "cvd@cert.pl",
"published": "2025-04-16T13:15:44.477",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability in Ready_'s File Explorer upload functionality allows injection of arbitrary JavaScript code in filename. Injected content is stored on server and is executed every time a user interacts with the uploaded file."
}
],
"metrics": {
"cvssMetricV40": [
{
"source": "cvd@cert.pl",
"type": "Secondary",
"cvssData": {
"version": "4.0",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "LOW",
"userInteraction": "PASSIVE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"subAvailabilityImpact": "NONE",
"exploitMaturity": "NOT_DEFINED",
"confidentialityRequirement": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"availabilityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"valueDensity": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED"
}
}
]
},
"weaknesses": [
{
"source": "cvd@cert.pl",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
],
"references": [
{
"url": "https://cert.pl/en/posts/2025/04/CVE-2025-1980",
"source": "cvd@cert.pl"
},
{
"url": "https://cert.pl/posts/2025/04/CVE-2025-1980",
"source": "cvd@cert.pl"
},
{
"url": "https://ready-os.com/pl/",
"source": "cvd@cert.pl"
}
]
}

8
CVE-2025/CVE-2025-215xx/CVE-2025-21573.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21573",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:47.670",
"lastModified": "2025-04-15T21:15:47.670",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: Chatbot). Supported versions that are affected are 5.1.0.0.0, 6.1.0.0.0 and 7.0.0.0.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Financial Services Revenue Management and Billing. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Financial Services Revenue Management and Billing accessible data as well as unauthorized access to critical data or complete access to all Oracle Financial Services Revenue Management and Billing accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Financial Services Revenue Management and Billing. CVSS 3.1 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto Oracle Financial Services Revenue Management and Billing de Oracle Financial Services Applications (componente: Chatbot). Las versiones compatibles afectadas son 5.1.0.0.0, 6.1.0.0.0 y 7.0.0.0.0. Esta vulnerabilidad, dif\u00edcil de explotar, permite a un atacante con privilegios elevados y acceso a la red a trav\u00e9s de HTTP comprometer Oracle Financial Services Revenue Management and Billing. Los ataques exitosos requieren la interacci\u00f3n humana de una persona distinta al atacante. Los ataques exitosos de esta vulnerabilidad pueden resultar en la creaci\u00f3n, eliminaci\u00f3n o modificaci\u00f3n no autorizadas de datos cr\u00edticos o de todos los datos accesibles de Oracle Financial Services Revenue Management and Billing, as\u00ed como en el acceso no autorizado a datos cr\u00edticos o a todos los datos accesibles de Oracle Financial Services Revenue Management and Billing, y en la posibilidad no autorizada de causar una denegaci\u00f3n de servicio parcial (DOS parcial) de Oracle Financial Services Revenue Management and Billing. Puntuaci\u00f3n base CVSS 3.1: 6.0 (impactos en confidencialidad, integridad y disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21574.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21574",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:47.793",
"lastModified": "2025-04-15T21:15:47.793",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Server: Parser). Las versiones compatibles afectadas son 8.0.0-8.0.41, 8.4.0-8.4.4 y 9.0.0-9.2.0. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con pocos privilegios y acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometer MySQL Server. Los ataques exitosos a esta vulnerabilidad pueden provocar un bloqueo o un fallo repetitivo (DOS completo) de MySQL Server. Puntuaci\u00f3n base de CVSS 3.1: 6.5 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21575.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21575",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:47.897",
"lastModified": "2025-04-15T21:15:47.897",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Server: Parser). Las versiones compatibles afectadas son 8.0.0-8.0.41, 8.4.0-8.4.4 y 9.0.0-9.2.0. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con pocos privilegios y acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometer MySQL Server. Los ataques exitosos a esta vulnerabilidad pueden provocar un bloqueo o un fallo repetitivo (DOS completo) de MySQL Server. Puntuaci\u00f3n base de CVSS 3.1: 6.5 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21576.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21576",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:48.007",
"lastModified": "2025-04-15T21:15:48.007",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Oracle Commerce Platform product of Oracle Commerce (component: Dynamo Personalization Server). Supported versions that are affected are 11.3.0, 11.3.1 and 11.3.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Commerce Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Commerce Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Commerce Platform accessible data as well as unauthorized read access to a subset of Oracle Commerce Platform accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)."
},
{
"lang": "es",
"value": "Vulnerabilidad en Oracle Commerce Platform (componente: Dynamo Personalization Server). Las versiones compatibles afectadas son 11.3.0, 11.3.1 y 11.3.2. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con pocos privilegios y acceso a la red a trav\u00e9s de HTTP comprometer Oracle Commerce Platform. Los ataques exitosos requieren la interacci\u00f3n humana de una persona distinta al atacante y, si bien la vulnerabilidad se encuentra en Oracle Commerce Platform, los ataques pueden afectar significativamente a otros productos (cambio de alcance). Los ataques exitosos de esta vulnerabilidad pueden resultar en actualizaciones, inserciones o eliminaciones no autorizadas de algunos datos accesibles de Oracle Commerce Platform, as\u00ed como en accesos de lectura no autorizados a un subconjunto de dichos datos. Puntuaci\u00f3n base CVSS 3.1: 5.4 (Afecta a la confidencialidad y la integridad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21577.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21577",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:48.120",
"lastModified": "2025-04-15T21:15:48.120",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: InnoDB). Las versiones compatibles afectadas son 8.0.0-8.0.41, 8.4.0-8.4.4 y 9.0.0-9.2.0. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con pocos privilegios y acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometer MySQL Server. Los ataques exitosos a esta vulnerabilidad pueden provocar un bloqueo o un fallo repetitivo (DOS completo) de MySQL Server. Puntuaci\u00f3n base de CVSS 3.1: 6.5 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21578.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21578",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:48.240",
"lastModified": "2025-04-15T21:15:48.240",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in Oracle Secure Backup (component: General). Supported versions that are affected are 12.1.0.1, 12.1.0.2, 12.1.0.3, 18.1.0.0, 18.1.0.1 and 18.1.0.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Secure Backup executes to compromise Oracle Secure Backup. Successful attacks of this vulnerability can result in takeover of Oracle Secure Backup. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en Oracle Secure Backup (componente: General). Las versiones compatibles afectadas son 12.1.0.1, 12.1.0.2, 12.1.0.3, 18.1.0.0, 18.1.0.1 y 18.1.0.2. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con privilegios elevados, con acceso a la infraestructura donde se ejecuta Oracle Secure Backup, comprometer Oracle Secure Backup. Los ataques con \u00e9xito pueden resultar en la toma de control de Oracle Secure Backup. Puntuaci\u00f3n base de CVSS 3.1: 6.7 (impactos en confidencialidad, integridad y disponibilidad). Vector CVSS: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21579.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21579",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:53.233",
"lastModified": "2025-04-15T21:15:53.233",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Server: Options). Las versiones compatibles afectadas son 8.0.0-8.0.41, 8.4.0-8.4.4 y 9.0.0-9.2.0. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con privilegios elevados y acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometer MySQL Server. Los ataques exitosos a esta vulnerabilidad pueden provocar un bloqueo o un fallo repetitivo (DOS completo) de MySQL Server. Puntuaci\u00f3n base de CVSS 3.1: 4.9 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21580.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21580",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:53.393",
"lastModified": "2025-04-15T21:15:53.393",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Server: DML). Las versiones compatibles afectadas son 8.0.0-8.0.41, 8.4.0-8.4.4 y 9.0.0-9.2.0. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con privilegios elevados y acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometer MySQL Server. Los ataques exitosos a esta vulnerabilidad pueden provocar un bloqueo o un fallo repetitivo (DOS completo) de MySQL Server. Puntuaci\u00f3n base de CVSS 3.1: 4.9 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21581.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21581",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:53.557",
"lastModified": "2025-04-15T21:15:53.557",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Server: Optimizer). Las versiones compatibles afectadas son 8.0.0-8.0.41, 8.4.0-8.4.4 y 9.0.0-9.2.0. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con privilegios elevados y acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometer MySQL Server. Los ataques exitosos a esta vulnerabilidad pueden provocar un bloqueo o un fallo repetitivo (DOS completo) de MySQL Server. Puntuaci\u00f3n base de CVSS 3.1: 4.9 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21582.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21582",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:53.687",
"lastModified": "2025-04-15T21:15:53.687",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Preferences). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle CRM Technical Foundation, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data as well as unauthorized read access to a subset of Oracle CRM Technical Foundation accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."
},
{
"lang": "es",
"value": "Vulnerabilidad en Oracle CRM Technical Foundation de Oracle E-Business Suite (componente: Preferencias). Las versiones compatibles afectadas son la 12.2.3-12.2.14. Esta vulnerabilidad, f\u00e1cilmente explotable, permite que un atacante no autenticado con acceso a la red a trav\u00e9s de HTTP comprometa Oracle CRM Technical Foundation. Los ataques exitosos requieren la interacci\u00f3n humana de una persona distinta al atacante y, si bien la vulnerabilidad afecta a Oracle CRM Technical Foundation, pueden afectar significativamente a otros productos (cambio de alcance). Los ataques exitosos de esta vulnerabilidad pueden resultar en actualizaciones, inserciones o eliminaciones no autorizadas de algunos datos accesibles de Oracle CRM Technical Foundation, as\u00ed como en accesos de lectura no autorizados a un subconjunto de dichos datos. Puntuaci\u00f3n base de CVSS 3.1: 6.1 (Afecta a la confidencialidad y la integridad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21583.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21583",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:53.797",
"lastModified": "2025-04-15T21:15:53.797",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.4.0 and 9.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Server: DDL). Las versiones compatibles afectadas son 8.4.0 y 9.0.0. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con privilegios elevados y acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometer MySQL Server. Los ataques exitosos a esta vulnerabilidad pueden provocar un bloqueo o un fallo repetitivo (DOS completo) de MySQL Server. Puntuaci\u00f3n base de CVSS 3.1: 4.9 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21584.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21584",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:53.910",
"lastModified": "2025-04-15T21:15:53.910",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Server: DDL). Las versiones compatibles afectadas son 8.0.0-8.0.41, 8.4.0-8.4.4 y 9.0.0-9.2.0. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con privilegios elevados y acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometer MySQL Server. Los ataques exitosos a esta vulnerabilidad pueden provocar un bloqueo o un fallo repetitivo (DOS completo) de MySQL Server. Puntuaci\u00f3n base de CVSS 3.1: 4.9 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21585.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21585",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:54.037",
"lastModified": "2025-04-15T21:15:54.037",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Server: Optimizer). Las versiones compatibles afectadas son 8.0.0-8.0.41, 8.4.0-8.4.4 y 9.0.0-9.2.0. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con privilegios elevados y acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometer MySQL Server. Los ataques exitosos a esta vulnerabilidad pueden provocar un bloqueo o un fallo repetitivo (DOS completo) de MySQL Server. Puntuaci\u00f3n base de CVSS 3.1: 4.9 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21586.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21586",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:54.160",
"lastModified": "2025-04-15T21:15:54.160",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto JD Edwards EnterpriseOne Tools de Oracle JD Edwards (componente: Web Runtime SEC). Las versiones compatibles afectadas son 9.2.0.0-9.2.9.2. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con pocos privilegios y acceso a la red a trav\u00e9s de HTTP comprometer JD Edwards EnterpriseOne Tools. Los ataques exitosos requieren la interacci\u00f3n humana de una persona distinta al atacante y, si bien la vulnerabilidad se encuentra en JD Edwards EnterpriseOne Tools, los ataques pueden afectar significativamente a otros productos (cambio de alcance). Los ataques exitosos de esta vulnerabilidad pueden resultar en actualizaciones, inserciones o eliminaciones no autorizadas de algunos datos accesibles de JD Edwards EnterpriseOne Tools, as\u00ed como en accesos de lectura no autorizados a un subconjunto de dichos datos. Puntuaci\u00f3n base de CVSS 3.1: 5.4 (Afecta a la confidencialidad y la integridad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21587.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21587",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:54.293",
"lastModified": "2025-04-15T21:15:54.293",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition:20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)."
},
{
"lang": "es",
"value": "Vulnerabilidad en Oracle Java SE, Oracle GraalVM para JDK y Oracle GraalVM Enterprise Edition (componente: JSSE). Las versiones compatibles afectadas son Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6 y 24; Oracle GraalVM para JDK: 17.0.14, 21.0.6 y 24; Oracle GraalVM Enterprise Edition: 20.3.17 y 21.3.13. Esta vulnerabilidad, dif\u00edcil de explotar, permite que un atacante no autenticado con acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometa Oracle Java SE, Oracle GraalVM para JDK y Oracle GraalVM Enterprise Edition. Los ataques exitosos de esta vulnerabilidad pueden resultar en acceso no autorizado a la creaci\u00f3n, eliminaci\u00f3n o modificaci\u00f3n de datos cr\u00edticos o a todos los datos accesibles de Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, as\u00ed como acceso no autorizado a datos cr\u00edticos o acceso completo a todos los datos accesibles de Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Nota: Esta vulnerabilidad se puede explotar mediante el uso de API en el componente especificado, p. ej., a trav\u00e9s de un servicio web que suministra datos a las API. Esta vulnerabilidad tambi\u00e9n se aplica a implementaciones de Java, t\u00edpicamente en clientes que ejecutan aplicaciones Java Web Start en espacio aislado o subprogramas Java en espacio aislado, que cargan y ejecutan c\u00f3digo no confiable (p. ej., c\u00f3digo que proviene de Internet) y dependen del espacio aislado de Java para su seguridad. Puntuaci\u00f3n base CVSS 3.1 7.4 (impactos en la confidencialidad e integridad). Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-215xx/CVE-2025-21588.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-21588",
"sourceIdentifier": "secalert_us@oracle.com",
"published": "2025-04-15T21:15:54.427",
"lastModified": "2025-04-15T21:15:54.427",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
},
{
"lang": "es",
"value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Server: DML). Las versiones compatibles afectadas son 8.4.0-8.4.4 y 9.0.0-9.2.0. Esta vulnerabilidad, f\u00e1cilmente explotable, permite a un atacante con privilegios elevados y acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometer MySQL Server. Los ataques exitosos a esta vulnerabilidad pueden provocar un bloqueo o un fallo repetitivo (DOS completo) de MySQL Server. Puntuaci\u00f3n base de CVSS 3.1: 4.9 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-220xx/CVE-2025-22018.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-22018",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-04-16T05:15:31.297",
"lastModified": "2025-04-16T05:15:31.297",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: Fix NULL pointer dereference\n\nWhen MPOA_cache_impos_rcvd() receives the msg, it can trigger\nNull Pointer Dereference Vulnerability if both entry and\nholding_time are NULL. Because there is only for the situation\nwhere entry is NULL and holding_time exists, it can be passed\nwhen both entry and holding_time are NULL. If these are NULL,\nthe entry will be passd to eg_cache_put() as parameter and\nit is referenced by entry->use code in it.\n\nkasan log:\n\n[ 3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I\n[ 3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n[ 3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102\n[ 3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[ 3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470\n[ 3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80\n[ 3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006\n[ 3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e\n[ 3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030\n[ 3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88\n[ 3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15\n[ 3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068\n[ 3.324185] FS: 000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000\n[ 3.325042] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0\n[ 3.326430] Call Trace:\n[ 3.326725] <TASK>\n[ 3.326927] ? die_addr+0x3c/0xa0\n[ 3.327330] ? exc_general_protection+0x161/0x2a0\n[ 3.327662] ? asm_exc_general_protection+0x26/0x30\n[ 3.328214] ? vprintk_emit+0x15e/0x420\n[ 3.328543] ? eg_cache_remove_entry+0xa5/0x470\n[ 3.328910] ? eg_cache_remove_entry+0x9a/0x470\n[ 3.329294] ? __pfx_eg_cache_remove_entry+0x10/0x10\n[ 3.329664] ? console_unlock+0x107/0x1d0\n[ 3.329946] ? __pfx_console_unlock+0x10/0x10\n[ 3.330283] ? do_syscall_64+0xa6/0x1a0\n[ 3.330584] ? entry_SYSCALL_64_after_hwframe+0x47/0x7f\n[ 3.331090] ? __pfx_prb_read_valid+0x10/0x10\n[ 3.331395] ? down_trylock+0x52/0x80\n[ 3.331703] ? vprintk_emit+0x15e/0x420\n[ 3.331986] ? __pfx_vprintk_emit+0x10/0x10\n[ 3.332279] ? down_trylock+0x52/0x80\n[ 3.332527] ? _printk+0xbf/0x100\n[ 3.332762] ? __pfx__printk+0x10/0x10\n[ 3.333007] ? _raw_write_lock_irq+0x81/0xe0\n[ 3.333284] ? __pfx__raw_write_lock_irq+0x10/0x10\n[ 3.333614] msg_from_mpoad+0x1185/0x2750\n[ 3.333893] ? __build_skb_around+0x27b/0x3a0\n[ 3.334183] ? __pfx_msg_from_mpoad+0x10/0x10\n[ 3.334501] ? __alloc_skb+0x1c0/0x310\n[ 3.334809] ? __pfx___alloc_skb+0x10/0x10\n[ 3.335283] ? _raw_spin_lock+0xe0/0xe0\n[ 3.335632] ? finish_wait+0x8d/0x1e0\n[ 3.335975] vcc_sendmsg+0x684/0xba0\n[ 3.336250] ? __pfx_vcc_sendmsg+0x10/0x10\n[ 3.336587] ? __pfx_autoremove_wake_function+0x10/0x10\n[ 3.337056] ? fdget+0x176/0x3e0\n[ 3.337348] __sys_sendto+0x4a2/0x510\n[ 3.337663] ? __pfx___sys_sendto+0x10/0x10\n[ 3.337969] ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400\n[ 3.338364] ? sock_ioctl+0x1bb/0x5a0\n[ 3.338653] ? __rseq_handle_notify_resume+0x825/0xd20\n[ 3.339017] ? __pfx_sock_ioctl+0x10/0x10\n[ 3.339316] ? __pfx___rseq_handle_notify_resume+0x10/0x10\n[ 3.339727] ? selinux_file_ioctl+0xa4/0x260\n[ 3.340166] __x64_sys_sendto+0xe0/0x1c0\n[ 3.340526] ? syscall_exit_to_user_mode+0x123/0x140\n[ 3.340898] do_syscall_64+0xa6/0x1a0\n[ 3.341170] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 3.341533] RIP: 0033:0x44a380\n[ 3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00\n[ \n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: atm: Correcci\u00f3n de la desreferencia de puntero nulo. Cuando MPOA_cache_impos_rcvd() recibe el mensaje, puede activar la vulnerabilidad de desreferencia de puntero nulo si tanto la entrada como el tiempo de retenci\u00f3n son nulos. Dado que solo existe cuando la entrada es nula y el tiempo de retenci\u00f3n existe, se puede pasar cuando tanto la entrada como el tiempo de retenci\u00f3n son nulos. Si son nulos, la entrada se pasa a eg_cache_put() como par\u00e1metro y se referencia mediante el c\u00f3digo de entrada-&gt;uso. registro de kasan: [3.316691] Ups: fallo de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0xdffffc0000000006:I [3.317568] KASAN: null-ptr-deref en el rango [0x0000000000000030-0x0000000000000037] [3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex No contaminado 6.14.0-rc2 #102 [3.318601] Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470 [ 3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80 [ 3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006 [ 3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e [ 3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030 [ 3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88 [ 3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15 [ 3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068 [ 3.324185] FS: 000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000 [ 3.325042] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0 [ 3.326430] Call Trace: [ 3.326725] [ 3.326927] ? die_addr+0x3c/0xa0 [ 3.327330] ? exc_general_protection+0x161/0x2a0 [ 3.327662] ? asm_exc_general_protection+0x26/0x30 [ 3.328214] ? vprintk_emit+0x15e/0x420 [ 3.328543] ? eg_cache_remove_entry+0xa5/0x470 [ 3.328910] ? eg_cache_remove_entry+0x9a/0x470 [ 3.329294] ? __pfx_eg_cache_remove_entry+0x10/0x10 [ 3.329664] ? console_unlock+0x107/0x1d0 [ 3.329946] ? __pfx_console_unlock+0x10/0x10 [ 3.330283] ? do_syscall_64+0xa6/0x1a0 [ 3.330584] ? entry_SYSCALL_64_after_hwframe+0x47/0x7f [ 3.331090] ? __pfx_prb_read_valid+0x10/0x10 [ 3.331395] ? down_trylock+0x52/0x80 [ 3.331703] ? vprintk_emit+0x15e/0x420 [ 3.331986] ? __pfx_vprintk_emit+0x10/0x10 [ 3.332279] ? down_trylock+0x52/0x80 [ 3.332527] ? _printk+0xbf/0x100 [ 3.332762] ? __pfx__printk+0x10/0x10 [ 3.333007] ? _raw_write_lock_irq+0x81/0xe0 [ 3.333284] ? __pfx__raw_write_lock_irq+0x10/0x10 [ 3.333614] msg_from_mpoad+0x1185/0x2750 [ 3.333893] ? __build_skb_around+0x27b/0x3a0 [ 3.334183] ? __pfx_msg_from_mpoad+0x10/0x10 [ 3.334501] ? __alloc_skb+0x1c0/0x310 [ 3.334809] ? __pfx___alloc_skb+0x10/0x10 [ 3.335283] ? _raw_spin_lock+0xe0/0xe0 [ 3.335632] ? finish_wait+0x8d/0x1e0 [ 3.335975] vcc_sendmsg+0x684/0xba0 [ 3.336250] ? __pfx_vcc_sendmsg+0x10/0x10 [ 3.336587] ? __pfx_autoremove_wake_function+0x10/0x10 [ 3.337056] ? fdget+0x176/0x3e0 [ 3.337348] __sys_sendto+0x4a2/0x510 [ 3.337663] ? __pfx___sys_sendto+0x10/0x10 [ 3.337969] ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400 [ 3.338364] ? sock_ioctl+0x1bb/0x5a0 [ 3.338653] ? __rseq_handle_notify_resume+0x825/0xd20 [ 3.339017] ? __pfx_sock_ioctl+0x10/0x10 [ 3.339316] ? __pfx___rseq_handle_notify_resume+0x10/0x10 [ 3.339727] ? selinux_file_ioctl+0xa4/0x260 [ 3.340166] __x64_sys_sendto+0xe0/0x1c0 [ 3.340526] ? syscall_exit_to_user_mode+0x123/0x140 [ 3.340898] do_syscall_64+0xa6/0x1a0 [ 3.341170] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 3.341533] RIP: 0033:0x44a380 [ 3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00 [ ---truncado---"
}
],
"metrics": {},

4
CVE-2025/CVE-2025-220xx/CVE-2025-22019.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2025-22019",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-04-16T11:15:42.537",
"lastModified": "2025-04-16T11:15:42.537",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2025/CVE-2025-220xx/CVE-2025-22020.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2025-22020",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-04-16T11:15:42.640",
"lastModified": "2025-04-16T11:15:42.640",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2025/CVE-2025-220xx/CVE-2025-22021.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2025-22021",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-04-16T11:15:42.773",
"lastModified": "2025-04-16T11:15:42.773",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2025/CVE-2025-220xx/CVE-2025-22022.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2025-22022",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-04-16T11:15:42.883",
"lastModified": "2025-04-16T11:15:42.883",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2025/CVE-2025-220xx/CVE-2025-22023.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2025-22023",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-04-16T11:15:42.987",
"lastModified": "2025-04-16T11:15:42.987",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

8
CVE-2025/CVE-2025-222xx/CVE-2025-22263.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-22263",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:15.590",
"lastModified": "2025-04-15T22:15:15.590",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Global Gallery allows Reflected XSS. This issue affects Global Gallery: from n/a through 8.8.0."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en NotFound Global Gallery permite XSS reflejado. Este problema afecta a Global Gallery desde n/d hasta la versi\u00f3n 8.8.0."
}
],
"metrics": {

8
CVE-2025/CVE-2025-222xx/CVE-2025-22268.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-22268",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:15.730",
"lastModified": "2025-04-15T22:15:15.730",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: from n/a through 3.7.0.1."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en Uncanny Owl Uncanny Toolkit para LearnDash permite XSS almacenado. Este problema afecta a Uncanny Toolkit para LearnDash desde n/d hasta la versi\u00f3n 3.7.0.1."
}
],
"metrics": {

8
CVE-2025/CVE-2025-222xx/CVE-2025-22269.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-22269",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:15.850",
"lastModified": "2025-04-15T22:15:15.850",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShapedPlugin LLC Real Testimonials allows Stored XSS. This issue affects Real Testimonials: from n/a through 3.1.6."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en ShapedPlugin LLC Real Testimonials permite XSS almacenado. Este problema afecta a Real Testimonials desde n/d hasta la versi\u00f3n 3.1.6."
}
],
"metrics": {

8
CVE-2025/CVE-2025-229xx/CVE-2025-22900.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-22900",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-04-15T19:16:06.987",
"lastModified": "2025-04-15T19:16:06.987",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Totolink N600R v4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the macCloneMac parameter in the setWanConfig function."
},
{
"lang": "es",
"value": "Se descubri\u00f3 que Totolink N600R v4.3.0cu.7647_B20210106 conten\u00eda un desbordamiento de pila a trav\u00e9s del par\u00e1metro macCloneMac en la funci\u00f3n setWanConfig."
}
],
"metrics": {},

8
CVE-2025/CVE-2025-229xx/CVE-2025-22903.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-22903",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-04-15T19:16:07.090",
"lastModified": "2025-04-15T19:16:07.090",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the pin parameter in the function setWiFiWpsConfig."
},
{
"lang": "es",
"value": "Se descubri\u00f3 que TOTOLINK N600R V4.3.0cu.7647_B20210106 contiene un desbordamiento de pila a trav\u00e9s del par\u00e1metro pin en la funci\u00f3n setWiFiWpsConfig."
}
],
"metrics": {},

8
CVE-2025/CVE-2025-229xx/CVE-2025-22911.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-22911",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-04-15T23:15:42.550",
"lastModified": "2025-04-15T23:15:42.550",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "RE11S v1.11 was discovered to contain a stack overflow via the rootAPmac parameter in the formiNICbasicREP function."
},
{
"lang": "es",
"value": "Se descubri\u00f3 que RE11S v1.11 contiene un desbordamiento de pila a trav\u00e9s del par\u00e1metro rootAPmac en la funci\u00f3n formiNICbasicREP."
}
],
"metrics": {},

8
CVE-2025/CVE-2025-23xx/CVE-2025-2314.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-2314",
"sourceIdentifier": "security@wordfence.com",
"published": "2025-04-16T03:15:17.240",
"lastModified": "2025-04-16T03:15:17.240",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.\r\nThe issue was partially patched in version 3.13.6 of the plugin, and fully patched in 3.13.7."
},
{
"lang": "es",
"value": "El complemento User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles &amp; User Role Editor para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s de los shortcodes del complemento en todas las versiones hasta la 3.13.5 incluida, debido a una depuraci\u00f3n de entrada y al escape de salida insuficiente en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada. El problema se solucion\u00f3 parcialmente en la versi\u00f3n 3.13.6 del complemento y completamente en la 3.13.7."
}
],
"metrics": {

8
CVE-2025/CVE-2025-242xx/CVE-2025-24297.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-24297",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T22:15:15.990",
"lastModified": "2025-04-15T22:15:15.990",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal."
},
{
"lang": "es",
"value": "Debido a la falta de validaci\u00f3n de entrada del lado del servidor, los atacantes pueden inyectar c\u00f3digo JavaScript malicioso en los espacios personales de los usuarios del portal web."
}
],
"metrics": {

8
CVE-2025/CVE-2025-243xx/CVE-2025-24315.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-24315",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T22:15:16.143",
"lastModified": "2025-04-15T22:15:16.143",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users)."
},
{
"lang": "es",
"value": "Los atacantes no autenticados pueden agregar dispositivos de otros usuarios a sus escenas (o escenas arbitrarias de otros usuarios arbitrarios)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-243xx/CVE-2025-24358.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-24358",
"sourceIdentifier": "security-advisories@github.com",
"published": "2025-04-15T19:16:07.193",
"lastModified": "2025-04-15T19:16:07.193",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for \"server\" requests per the Go spec, and so this check does not run in practice. This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain. This vulnerability is fixed in 1.7.2."
},
{
"lang": "es",
"value": "gorilla/csrf proporciona middleware para la prevenci\u00f3n de Cross-Site Request Forgery (CSRF) en aplicaciones y servicios web de Go. Antes de la versi\u00f3n 1.7.2, gorilla/csrf no validaba el encabezado \"Origin\" con una lista de permitidos. Validaba el encabezado \"Referer\" para solicitudes de origen cruzado solo cuando cre\u00eda que la solicitud se atend\u00eda mediante TLS. Esto se determina inspeccionando el valor de r.URL.Scheme. Sin embargo, este valor nunca se rellena para las solicitudes de \"servidor\" seg\u00fan la especificaci\u00f3n de Go, por lo que esta comprobaci\u00f3n no se ejecuta en la pr\u00e1ctica. Esta vulnerabilidad permite a un atacante que ha obtenido XSS en un subdominio o dominio de nivel superior realizar env\u00edos de formularios autenticados contra objetivos protegidos por gorilla/csrf que comparten el mismo dominio de nivel superior. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 1.7.2."
}
],
"metrics": {

8
CVE-2025/CVE-2025-244xx/CVE-2025-24487.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-24487",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T21:15:54.717",
"lastModified": "2025-04-15T21:15:54.717",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated attacker can infer the existence of usernames in the system by querying an API."
},
{
"lang": "es",
"value": "Un atacante no autenticado puede inferir la existencia de nombres de usuario en el sistema consultando una API."
}
],
"metrics": {

8
CVE-2025/CVE-2025-248xx/CVE-2025-24839.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-24839",
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"published": "2025-04-16T08:15:13.987",
"lastModified": "2025-04-16T08:15:13.987",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled."
},
{
"lang": "es",
"value": "Las versiones de Mattermost 10.5.x &lt;= 10.5.1, 10.4.x &lt;= 10.4.3 y 9.11.x &lt;= 9.11.9 no impiden que las publicaciones de Wrangler activen respuestas de la IA. Esta vulnerabilidad permite a los usuarios sin acceso al bot de IA activarlo adjuntando la propiedad de anulaci\u00f3n activate_ai a una publicaci\u00f3n mediante el complemento de Wrangler, siempre que ambos complementos est\u00e9n habilitados."
}
],
"metrics": {

8
CVE-2025/CVE-2025-248xx/CVE-2025-24850.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-24850",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T22:15:16.283",
"lastModified": "2025-04-15T22:15:16.283",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An attacker can export other users' plant information."
},
{
"lang": "es",
"value": "Un atacante puede exportar informaci\u00f3n de la planta de otros usuarios."
}
],
"metrics": {

8
CVE-2025/CVE-2025-24xx/CVE-2025-2497.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-2497",
"sourceIdentifier": "psirt@autodesk.com",
"published": "2025-04-15T21:15:56.630",
"lastModified": "2025-04-15T21:15:56.630",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A maliciously crafted DWG file, when parsed through Autodesk Revit, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process."
},
{
"lang": "es",
"value": "Un archivo DWG manipulado con fines maliciosos, al analizarse mediante Autodesk Revit, puede causar una vulnerabilidad de desbordamiento de b\u00fafer basado en pila. Un agente malicioso puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."
}
],
"metrics": {

8
CVE-2025/CVE-2025-252xx/CVE-2025-25276.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-25276",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T22:15:16.430",
"lastModified": "2025-04-15T22:15:16.430",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated attacker can hijack other users' devices and potentially control them."
},
{
"lang": "es",
"value": "Un atacante no autenticado puede secuestrar los dispositivos de otros usuarios y potencialmente controlarlos."
}
],
"metrics": {

8
CVE-2025/CVE-2025-254xx/CVE-2025-25453.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-25453",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-04-15T23:15:42.647",
"lastModified": "2025-04-15T23:15:42.647",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via serviceName2."
},
{
"lang": "es",
"value": "Tenda AC10 V4.0si_V16.03.10.20 es vulnerable al desbordamiento del b\u00fafer en AdvSetMacMtuWan a trav\u00e9s de serviceName2."
}
],
"metrics": {},

8
CVE-2025/CVE-2025-254xx/CVE-2025-25456.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-25456",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-04-15T19:16:07.327",
"lastModified": "2025-04-15T21:15:54.877",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via mac2."
},
{
"lang": "es",
"value": "Tenda AC10 V4.0si_V16.03.10.20 es vulnerable al desbordamiento del b\u00fafer en AdvSetMacMtuWan a trav\u00e9s de mac2."
}
],
"metrics": {

8
CVE-2025/CVE-2025-254xx/CVE-2025-25458.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-25458",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-04-15T23:15:42.747",
"lastModified": "2025-04-15T23:15:42.747",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via serverName2."
},
{
"lang": "es",
"value": "Tenda AC10 V4.0si_V16.03.10.20 es vulnerable a un desbordamiento de b\u00fafer en AdvSetMacMtuWan a trav\u00e9s de serverName2."
}
],
"metrics": {},

8
CVE-2025/CVE-2025-25xx/CVE-2025-2567.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-2567",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T20:15:38.990",
"lastModified": "2025-04-15T20:15:38.990",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An attacker could modify or disable settings, disrupt fuel monitoring \nand supply chain operations, leading to disabling of ATG monitoring. \nThis would result in potential safety hazards in fuel storage and \ntransportation."
},
{
"lang": "es",
"value": "Un atacante podr\u00eda modificar o deshabilitar la configuraci\u00f3n, interrumpir el monitoreo de combustible y las operaciones de la cadena de suministro, lo que provocar\u00eda la desactivaci\u00f3n del monitoreo de ATG. Esto podr\u00eda generar riesgos de seguridad en el almacenamiento y transporte de combustible."
}
],
"metrics": {

8
CVE-2025/CVE-2025-267xx/CVE-2025-26730.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26730",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:16.577",
"lastModified": "2025-04-15T22:15:16.577",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NotFound Macro Calculator with Admin Email Optin & Data. This issue affects Macro Calculator with Admin Email Optin & Data: from n/a through 1.0."
},
{
"lang": "es",
"value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial del sistema a una esfera de control no autorizada en NotFound Macro Calculator with Admin Email Optin &amp; Data. Este problema afecta a la Macro Calculadora con suscripci\u00f3n y datos de correo electr\u00f3nico de administrador desde la versi\u00f3n n/d hasta la 1.0."
}
],
"metrics": {

8
CVE-2025/CVE-2025-267xx/CVE-2025-26740.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26740",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:16.717",
"lastModified": "2025-04-15T22:15:16.717",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in burgersoftware SpaBiz allows DOM-Based XSS. This issue affects SpaBiz: from n/a through 1.0.18."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en burgersoftware SpaBiz que permite XSS basado en DOM. Este problema afecta a SpaBiz desde n/d hasta la versi\u00f3n 1.0.18."
}
],
"metrics": {

8
CVE-2025/CVE-2025-267xx/CVE-2025-26746.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26746",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:16.893",
"lastModified": "2025-04-15T22:15:16.893",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Advanced Custom Fields: Link Picker Field allows Reflected XSS. This issue affects Advanced Custom Fields: Link Picker Field: from n/a through 1.2.8."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en NotFound Advanced Custom Fields: Link Picker Field permite XSS reflejado. Este problema afecta a los campos personalizados avanzados: el campo Selector de enlaces, desde n/d hasta la versi\u00f3n 1.2.8."
}
],
"metrics": {

8
CVE-2025/CVE-2025-267xx/CVE-2025-26748.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26748",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:17.053",
"lastModified": "2025-04-15T22:15:17.053",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in LOOS,Inc. Arkhe allows PHP Local File Inclusion. This issue affects Arkhe: from n/a through 3.11.0."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en LOOS, Inc. Arkhe permite la inclusi\u00f3n de archivos locales en PHP. Este problema afecta a Arkhe desde la versi\u00f3n n/d hasta la 3.11.0."
}
],
"metrics": {

8
CVE-2025/CVE-2025-267xx/CVE-2025-26749.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26749",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:17.210",
"lastModified": "2025-04-15T22:15:17.210",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce allows Stored XSS. This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through 1.7.0."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en WPFactory Additional Custom Product Tabs for WooCommerce permite XSS almacenado. Este problema afecta a las Pesta\u00f1as de Producto Personalizadas Adicionales de WooCommerce desde n/d hasta la versi\u00f3n 1.7.0."
}
],
"metrics": {

8
CVE-2025/CVE-2025-268xx/CVE-2025-26857.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26857",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T22:15:17.360",
"lastModified": "2025-04-15T22:15:17.360",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers)."
},
{
"lang": "es",
"value": "Los atacantes no autenticados pueden cambiar el nombre de dispositivos arbitrarios de usuarios arbitrarios (es decir, cargadores de veh\u00edculos el\u00e9ctricos)."
}
],
"metrics": {

8
CVE-2025/CVE-2025-268xx/CVE-2025-26870.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26870",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:17.503",
"lastModified": "2025-04-15T22:15:17.503",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound JetEngine allows DOM-Based XSS. This issue affects JetEngine: from n/a through 3.6.4.1."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en NotFound JetEngine permite XSS basado en DOM. Este problema afecta a JetEngine desde n/d hasta la versi\u00f3n 3.6.4.1."
}
],
"metrics": {

8
CVE-2025/CVE-2025-268xx/CVE-2025-26880.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26880",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:17.643",
"lastModified": "2025-04-15T22:15:17.643",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar allows Stored XSS. This issue affects SKT Skill Bar: from n/a through 2.3."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en sonalsinha21 SKT Skill Bar que permite XSS almacenado. Este problema afecta a la barra de habilidades de SKT desde n/d hasta la versi\u00f3n 2.3."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26903.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26903",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:17.787",
"lastModified": "2025-04-15T22:15:17.787",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in RealMag777 InPost Gallery allows Cross Site Request Forgery. This issue affects InPost Gallery: from n/a through 2.1.4.3."
},
{
"lang": "es",
"value": "La vulnerabilidad de Cross-Site Request Forgery (CSRF) en RealMag777 InPost Gallery permite Cross-Site Request Forgery. Este problema afecta a la galer\u00eda InPost desde la versi\u00f3n n/d hasta la 2.1.4.3."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26906.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26906",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:17.920",
"lastModified": "2025-04-15T22:15:17.920",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ren Ventura WP Delete User Accounts allows DOM-Based XSS. This issue affects WP Delete User Accounts: from n/a through 1.2.3."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en Ren Ventura WP Delete User Accounts permite XSS basado en DOM. Este problema afecta a WP Delete User Accounts desde n/d hasta la versi\u00f3n 1.2.3."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26908.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26908",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:18.057",
"lastModified": "2025-04-15T22:15:18.057",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Gurmehub Kargo Entegrat\u00f6r allows SQL Injection. This issue affects Kargo Entegrat\u00f6r: from n/a through 1.1.14."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando SQL ('Inyecci\u00f3n SQL') en Gurmehub Kargo Entegrat\u00f6r permite la inyecci\u00f3n SQL. Este problema afecta a Kargo Entegrat\u00f6r desde n/d hasta la versi\u00f3n 1.1.14."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26919.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26919",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:18.190",
"lastModified": "2025-04-15T22:15:18.190",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tainacan Tain\u00e1 allows Stored XSS. This issue affects Tain\u00e1: from n/a through 0.2.2."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en Tainacan Tain\u00e1 permite XSS almacenado. Este problema afecta a Tain\u00e1 desde n/d hasta la versi\u00f3n 0.2.2."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26927.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26927",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:18.330",
"lastModified": "2025-04-15T22:15:18.330",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in EPC AI Hub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through 1.3.3."
},
{
"lang": "es",
"value": "La vulnerabilidad de carga sin restricciones de archivos con tipo peligroso en EPC AI Hub permite cargar un shell web a un servidor web. Este problema afecta a AI Hub desde la versi\u00f3n n/d hasta la 1.3.3."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26930.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26930",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:18.463",
"lastModified": "2025-04-15T22:15:18.463",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alleythemes Home Services allows DOM-Based XSS. This issue affects Home Services: from n/a through 1.2.6."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en alleythemes Home Services permite XSS basado en DOM. Este problema afecta a los Servicios de Inicio desde n/d hasta la versi\u00f3n 1.2.6."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26934.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26934",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:18.607",
"lastModified": "2025-04-15T22:15:18.607",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in graphthemes Glossy Blog allows Stored XSS. This issue affects Glossy Blog: from n/a through 1.0.3."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en graphthemes Glossy Blog permite XSS almacenado. Este problema afecta a Glossy Blog desde n/d hasta la versi\u00f3n 1.0.3."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26950.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26950",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:18.750",
"lastModified": "2025-04-15T22:15:18.750",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AddonsPress Nepali Date Converter allows Stored XSS. This issue affects Nepali Date Converter: from n/a through 2.0.8."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en AddonsPress Nepali Date Converter permite XSS almacenado. Este problema afecta a Nepali Date Converter desde n/d hasta la versi\u00f3n 2.0.8."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26951.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26951",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:18.890",
"lastModified": "2025-04-15T22:15:18.890",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in covertnine C9 Blocks allows DOM-Based XSS. This issue affects C9 Blocks: from n/a through 1.7.7."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en covertnine C9 Blocks permite XSS basado en DOM. Este problema afecta a los bloques C9 desde n/d hasta la versi\u00f3n 1.7.7."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26953.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26953",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:19.027",
"lastModified": "2025-04-15T22:15:19.027",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in NotFound JetMenu allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetMenu: from n/a through 2.4.9."
},
{
"lang": "es",
"value": "La vulnerabilidad de falta de autorizaci\u00f3n en NotFound JetMenu permite acceder a funcionalidades no restringidas correctamente por las ACL. Este problema afecta a JetMenu desde la versi\u00f3n n/d hasta la 2.4.9."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26996.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26996",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:19.163",
"lastModified": "2025-04-15T22:15:19.163",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Fetch Designs Sign-up Sheets allows Code Injection. This issue affects Sign-up Sheets: from n/a through 2.3.0.1."
},
{
"lang": "es",
"value": "La vulnerabilidad de control inadecuado de la generaci\u00f3n de c\u00f3digo ('Inyecci\u00f3n de c\u00f3digo') en Fetch Designs Sign-up Sheets permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a las hojas de registro desde n/d hasta la versi\u00f3n 2.3.0.1."
}
],
"metrics": {

8
CVE-2025/CVE-2025-269xx/CVE-2025-26998.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-26998",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:19.307",
"lastModified": "2025-04-15T22:15:19.307",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks \u2013 Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks \u2013 Gutenberg based Page Builder: from n/a through 1.8."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en sonalsinha21 SKT Blocks \u2013 Gutenberg based Page Builder permite XSS almacenado. Este problema afecta a Bloques SKT, Constructor de p\u00e1ginas basado en Gutenberg, desde n/d hasta la versi\u00f3n 1.8."
}
],
"metrics": {

8
CVE-2025/CVE-2025-270xx/CVE-2025-27008.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27008",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:19.443",
"lastModified": "2025-04-15T22:15:19.443",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in NotFound Unlimited Timeline allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Unlimited Timeline: from n/a through n/a."
},
{
"lang": "es",
"value": "La vulnerabilidad de falta de autorizaci\u00f3n en NotFound Unlimited Timeline permite acceder a funcionalidades no restringidas correctamente por las ACL. Este problema afecta a Unlimited Timeline: de n/d a n/d."
}
],
"metrics": {

8
CVE-2025/CVE-2025-270xx/CVE-2025-27011.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27011",
"sourceIdentifier": "audit@patchstack.com",
"published": "2025-04-15T22:15:19.580",
"lastModified": "2025-04-15T22:15:19.580",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam Booking and Rental Manager allows PHP Local File Inclusion. This issue affects Booking and Rental Manager: from n/a through 2.2.8."
},
{
"lang": "es",
"value": "Vulnerabilidad de control inadecuado del nombre de archivo para declaraciones Include/Require en programas PHP ('Inclusi\u00f3n remota de archivos PHP') en magepeopleteam Booking and Rental Manager permite la inclusi\u00f3n local de archivos en PHP. Este problema afecta a Booking and Rental Manager desde n/d hasta la versi\u00f3n 2.2.8."
}
],
"metrics": {

14
CVE-2025/CVE-2025-274xx/CVE-2025-27410.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2025-27410",
"sourceIdentifier": "security-advisories@github.com",
"published": "2025-02-28T21:15:27.677",
"lastModified": "2025-04-15T20:19:49.100",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2025-04-16T13:04:55.890",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -42,20 +42,20 @@
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9
"impactScore": 5.2
}
]
},

8
CVE-2025/CVE-2025-275xx/CVE-2025-27538.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27538",
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"published": "2025-04-16T08:15:14.217",
"lastModified": "2025-04-16T08:15:14.217",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA."
},
{
"lang": "es",
"value": "Las versiones de Mattermost 10.5.x &lt;= 10.5.1, 9.11.x &lt;= 9.11.9 no implementan las comprobaciones de MFA en PUT /api/v4/users/user-id/mfa cuando el usuario solicitante difiere del ID del usuario de destino, lo que permite a los usuarios con permiso edit_other_users activar o desactivar MFA para otros usuarios, incluso si esos usuarios no han configurado MFA."
}
],
"metrics": {

8
CVE-2025/CVE-2025-275xx/CVE-2025-27561.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27561",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T22:15:19.720",
"lastModified": "2025-04-15T22:15:19.720",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated attackers can rename \"rooms\" of arbitrary users."
},
{
"lang": "es",
"value": "Los atacantes no autenticados pueden cambiar el nombre de las \"salas\" de usuarios arbitrarios."
}
],
"metrics": {

8
CVE-2025/CVE-2025-275xx/CVE-2025-27565.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27565",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T22:15:19.867",
"lastModified": "2025-04-15T22:15:19.867",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated attacker can delete any user's \"rooms\" by knowing the user's and room IDs."
},
{
"lang": "es",
"value": "Un atacante no autenticado puede eliminar las \"salas\" de cualquier usuario al conocer los identificadores del usuario y de la sala."
}
],
"metrics": {

8
CVE-2025/CVE-2025-275xx/CVE-2025-27568.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27568",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T21:15:55.060",
"lastModified": "2025-04-15T21:15:55.060",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request."
},
{
"lang": "es",
"value": "Un atacante no autenticado puede obtener los correos electr\u00f3nicos de los usuarios conociendo sus nombres de usuario. Se enviar\u00e1 un correo electr\u00f3nico de restablecimiento de contrase\u00f1a en respuesta a esta solicitud no solicitada."
}
],
"metrics": {

8
CVE-2025/CVE-2025-275xx/CVE-2025-27571.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27571",
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"published": "2025-04-16T08:15:14.353",
"lastModified": "2025-04-16T08:15:14.353",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the \"Allow Users to View Archived Channels\" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived."
},
{
"lang": "es",
"value": "Las versiones de Mattermost 10.5.x &lt;= 10.5.1, 10.4.x &lt;= 10.4.3, 9.11.x &lt;= 9.11.9 no marcan la configuraci\u00f3n \"Permitir a los usuarios ver canales archivados\" al obtener los metadatos del canal de una publicaci\u00f3n de canales archivados, lo que permite que los usuarios autenticados accedan a dicha informaci\u00f3n cuando un canal est\u00e1 archivado."
}
],
"metrics": {

8
CVE-2025/CVE-2025-275xx/CVE-2025-27575.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27575",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T22:15:20.013",
"lastModified": "2025-04-15T22:15:20.013",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID."
},
{
"lang": "es",
"value": "Un atacante no autenticado puede obtener la versi\u00f3n del cargador EV y el historial de actualizaci\u00f3n del firmware conociendo el ID del cargador."
}
],
"metrics": {

8
CVE-2025/CVE-2025-277xx/CVE-2025-27719.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27719",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"published": "2025-04-15T22:15:25.427",
"lastModified": "2025-04-15T22:15:25.427",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated attackers can query an API endpoint and get device details."
},
{
"lang": "es",
"value": "Los atacantes no autenticados pueden consultar un endpoint de API y obtener detalles del dispositivo."
}
],
"metrics": {

8
CVE-2025/CVE-2025-277xx/CVE-2025-27791.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27791",
"sourceIdentifier": "security-advisories@github.com",
"published": "2025-04-15T19:16:07.433",
"lastModified": "2025-04-15T19:16:07.433",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:59.640",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25."
},
{
"lang": "es",
"value": "Collabora Online es una suite ofim\u00e1tica colaborativa en l\u00ednea basada en la tecnolog\u00eda LibreOffice. En versiones anteriores a la 24.04.12.4, la 23.05.19 y la 22.05.25, exist\u00eda una falla de recorrido de ruta al gestionar el campo CheckFileInfo BaseFileName devuelto por los servidores WOPI. Esto permit\u00eda escribir un archivo en cualquier lugar donde el uid que ejecuta Collabora Online pudiera escribir, si dicha respuesta proven\u00eda de un servidor WOPI malicioso. Al combinar esta falla con un problema de b\u00fasqueda DNS en el tiempo de verificaci\u00f3n y el tiempo de uso con una direcci\u00f3n de servidor WOPI controlada por un atacante, es posible presentar dicha respuesta para que sea procesada por una instancia de Collabora Online. Este problema se ha corregido en las versiones 24.04.13.1, la 23.05.19 y la 22.05.25."
}
],
"metrics": {

8
CVE-2025/CVE-2025-278xx/CVE-2025-27892.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2025-27892",
"sourceIdentifier": "cve@mitre.org",
"published": "2025-04-15T22:15:25.577",
"lastModified": "2025-04-15T22:15:25.577",
"vulnStatus": "Received",
"lastModified": "2025-04-16T13:25:37.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression."
},
{
"lang": "es",
"value": "Las versiones anteriores a la 6.5.8.13 de Shopware se ven afectadas por una vulnerabilidad de inyecci\u00f3n SQL en el endpoint /api/search/order. NOTA: Este problema existe debido a una regresi\u00f3n de CVE-2024-22406 y CVE-2024-42357."
}
],
"metrics": {},

Some files were not shown because too many files have changed in this diff Show More