CVE tracker
341 subscribers
4.65K links
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
Download Telegram
CVE-2025-3297 - SourceCodester Online Eyewear Shop Cross Site Scripting Vulnerability

CVE ID : CVE-2025-3297
Published : April 5, 2025, 9:15 a.m. | 3 hours, 48 minutes ago
Description : A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /classes/Master.php?f=save_product. The manipulation of the argument brand leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3298 - SourceCodester Online Eyewear Shop Remote File Inclusion Vulnerability

CVE ID : CVE-2025-3298
Published : April 5, 2025, 11:15 a.m. | 1 hour, 48 minutes ago
Description : A vulnerability has been found in SourceCodester Online Eyewear Shop 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /oews/classes/Master.php?f=save_product of the component Registration Handler. The manipulation of the argument email leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3299 - PHPGurukul Men Salon Management System SQL Injection Vulnerability

CVE ID : CVE-2025-3299
Published : April 5, 2025, 11:15 a.m. | 1 hour, 48 minutes ago
Description : A vulnerability was found in PHPGurukul Men Salon Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /appointment.php. The manipulation of the argument Name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-30401 - WhatsApp for Windows MIME Type Spoofing Vulnerability

CVE ID : CVE-2025-30401
Published : April 5, 2025, 12:15 p.m. | 48 minutes ago
Description : A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-57835 - Amon2::Auth::Site::LINE Cryptographically Insecure Random Number Generation

CVE ID : CVE-2024-57835
Published : April 5, 2025, 4:15 p.m. | 49 minutes ago
Description : Amon2::Auth::Site::LINE uses the String::Random module to generate nonce values.  String::Random defaults to Perl's built-in predictable random number generator, the rand() function, which is not cryptographically secure
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-57868 - Web::API Cryptographically Insecure Randomness Vulnerability

CVE ID : CVE-2024-57868
Published : April 5, 2025, 4:15 p.m. | 49 minutes ago
Description : Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Web::API uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-58036 - Dropbox::API Cryptographically Insecure Random Number Generation

CVE ID : CVE-2024-58036
Published : April 5, 2025, 4:15 p.m. | 49 minutes ago
Description : Net::Dropbox::API 1.9 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Net::Dropbox::API uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-52322 - Xero WebService Perl Cryptographic Entropy Weakness

CVE ID : CVE-2024-52322
Published : April 5, 2025, 5:15 p.m. | 3 hours, 49 minutes ago
Description : WebService::Xero 0.11 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically WebService::Xero uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-56370 - Xero Perl Cryptographic Entropy Weakness

CVE ID : CVE-2024-56370
Published : April 5, 2025, 7:15 p.m. | 1 hour, 49 minutes ago
Description : Net::Xero 0.044 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Net::Xero uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-32357 - Zammad Privilege Escalation Information Disclosure

CVE ID : CVE-2025-32357
Published : April 5, 2025, 9:15 p.m. | 3 hours, 49 minutes ago
Description : In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-32358 - Zammad SSRF

CVE ID : CVE-2025-32358
Published : April 5, 2025, 9:15 p.m. | 3 hours, 49 minutes ago
Description : In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would follow it automatically with another GET request. This could be abused by an attacker to cause GET requests for example in the local network.
Severity: 4.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-32359 - Zammad Two-Factor Authentication Authentication Bypass

CVE ID : CVE-2025-32359
Published : April 5, 2025, 9:15 p.m. | 3 hours, 49 minutes ago
Description : In Zammad 6.4.x before 6.4.2, there is client-side enforcement of server-side security. When changing their two factor authentication configuration, users need to re-authenticate with their current password first. However, this change was enforced in Zammad only on the front end level, and not when using the API directly.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-32360 - Zammad Information Exposure Vulnerability

CVE ID : CVE-2025-32360
Published : April 5, 2025, 9:15 p.m. | 3 hours, 49 minutes ago
Description : In Zammad 6.4.x before 6.4.2, there is information exposure. Only agents should be able to see and work on shared article drafts. However, a logged in customer was able to see details about shared drafts for their customer tickets in the browser console, which may contain confidential information, and also to manipulate them via API.
Severity: 4.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3303 - Apache Code-projects Patient Record Management System SQL Injection Vulnerability

CVE ID : CVE-2025-3303
Published : April 5, 2025, 9:15 p.m. | 3 hours, 49 minutes ago
Description : A vulnerability, which was classified as critical, has been found in code-projects Patient Record Management System 1.0. Affected by this issue is some unknown functionality of the file /birthing_record.php. The manipulation of the argument itr_no leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-32364 - Poppler Floating-Point Exception

CVE ID : CVE-2025-32364
Published : April 5, 2025, 10:15 p.m. | 2 hours, 49 minutes ago
Description : A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN.
Severity: 4.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-32365 - Poppler JBIG2Stream Out-of-Bounds Read Vulnerability

CVE ID : CVE-2025-32365
Published : April 5, 2025, 10:15 p.m. | 2 hours, 49 minutes ago
Description : Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.
Severity: 4.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3304 - "Code-projects Patient Record Management System SQL Injection Vulnerability"

CVE ID : CVE-2025-3304
Published : April 5, 2025, 10:15 p.m. | 2 hours, 49 minutes ago
Description : A vulnerability, which was classified as critical, was found in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /dental_not.php. The manipulation of the argument itr_no leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-32366 - ConnMan DNS Proxy Heap-Based Buffer Overflow

CVE ID : CVE-2025-32366
Published : April 5, 2025, 11:15 p.m. | 1 hour, 49 minutes ago
Description : In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen).
Severity: 3.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3305 - "IKUN_Library Remote Improper Access Control Vulnerability"

CVE ID : CVE-2025-3305
Published : April 5, 2025, 11:15 p.m. | 1 hour, 49 minutes ago
Description : A vulnerability has been found in 1902756969/code-projects IKUN_Library 1.0 and classified as problematic. This vulnerability affects the function addInterceptors of the file MvcConfig.java of the component Borrow Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3306 - Blood Bank Management System SQL Injection Vulnerability

CVE ID : CVE-2025-3306
Published : April 6, 2025, 1:15 a.m. | 3 hours, 51 minutes ago
Description : A vulnerability was found in code-projects Blood Bank Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /don.php. The manipulation of the argument fullname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-58131 - FISCO BCOS Denial of Service (DoS)

CVE ID : CVE-2024-58131
Published : April 6, 2025, 3:15 a.m. | 1 hour, 52 minutes ago
Description : FISCO BCOS 3.11.0 has an issue with synchronization of the transaction pool that can, for example, be observed when a malicious node (that has modified the codebase to allow a large min_seal_time value) joins a blockchain network.
Severity: 4.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...