CVE tracker
351 subscribers
4.78K links
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
Download Telegram
CVE-2025-3949 - SeedProd Theme Builder Landing Page Builder Unauthorized Data Access Vulnerability

CVE ID : CVE-2025-3949
Published : May 9, 2025, 9:15 a.m. | 1 hour, 36 minutes ago
Description : The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4403 - WooCommerce Drag and Drop Multiple File Upload Arbitrary File Upload Vulnerability

CVE ID : CVE-2025-4403
Published : May 9, 2025, 9:15 a.m. | 1 hour, 36 minutes ago
Description : The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user‐supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46392 - Apache Commons Configuration Uncontrolled Resource Consumption Vulnerability

CVE ID : CVE-2025-46392
Published : May 9, 2025, 10:15 a.m. | 36 minutes ago
Description : Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenario's where you only load trusted configurations. Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1087 - Kong Insomnia Desktop Application Template Injection Vulnerability

CVE ID : CVE-2025-1087
Published : May 9, 2025, 12:15 p.m. | 2 hours, 38 minutes ago
Description : Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript execution in the context of the application.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3528 - OpenShift Mirror Registry Privilege Escalation Vulnerability

CVE ID : CVE-2025-3528
Published : May 9, 2025, 12:15 p.m. | 2 hours, 38 minutes ago
Description : A flaw was found in the Mirror Registry. The quay-app container shipped as part of the Mirror Registry for OpenShift has write access to the `/etc/passwd`. This flaw allows a malicious actor with access to the container to modify the passwd file and elevate their privileges to the root user within that pod.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3897 - "WordPress EUCookieLaw Plugin Arbitrary File Read Vulnerability"

CVE ID : CVE-2025-3897
Published : May 9, 2025, 12:15 p.m. | 2 hours, 38 minutes ago
Description : The EUCookieLaw plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.7.2 via the 'file_get_contents' function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability can only be exploited if a caching plugin such as W3 Total Cache is installed and activated.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4206 - Groundhogg WordPress File Deletion Vulnerability (Arbitrary File Deletion)

CVE ID : CVE-2025-4206
Published : May 9, 2025, 12:15 p.m. | 2 hours, 38 minutes ago
Description : The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4382 - GRUB TPM Auto- decryption Data Exposure

CVE ID : CVE-2025-4382
Published : May 9, 2025, 12:15 p.m. | 2 hours, 38 minutes ago
Description : A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This scenario may allow an attacker with physical access to access the unencrypted data without any further authentication, thereby compromising data confidentiality. Furthermore, the ability to force this state through filesystem corruption also presents a data integrity concern.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-11861 - EnerSys AMPA Remote Command Injection Vulnerability

CVE ID : CVE-2024-11861
Published : May 9, 2025, 2:15 p.m. | 38 minutes ago
Description : EnerSys AMPA 22.09 and prior versions are vulnerable to command injection leading to privileged remote shell access.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-12442 - EnerSys AMPA Command Injection Vulnerability

CVE ID : CVE-2024-12442
Published : May 9, 2025, 2:15 p.m. | 38 minutes ago
Description : EnerSys AMPA versions 24.04 through 24.16, inclusive, are vulnerable to command injection leading to privileged remote shell access.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-45885 - PHPGURUKUL Vehicle Parking Management System SQL Injection

CVE ID : CVE-2025-45885
Published : May 9, 2025, 2:15 p.m. | 38 minutes ago
Description : PHPGURUKUL Vehicle Parking Management System v1.13 is vulnerable to SQL injection in the /vpms/users/login.php file. Attackers can inject malicious code from the parameter 'emailcont' and use it directly in SQL queries.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-13960 - AVG TuneUp Link Following Local Privilege Escalation

CVE ID : CVE-2024-13960
Published : May 9, 2025, 4:15 p.m. | 2 hours, 38 minutes ago
Description : Link Following Local Privilege Escalation Vulnerability in TuneUp Service in AVG TuneUp Version 23.4 (build 15592) on Windows 10 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-13961 - Avast Cleanup Premium TuneupSvc Link Following Local Privilege Escalation

CVE ID : CVE-2024-13961
Published : May 9, 2025, 4:15 p.m. | 2 hours, 38 minutes ago
Description : Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-13962 - Avast Cleanup Premium Link Following Local Privilege Escalation Vulnerability

CVE ID : CVE-2024-13962
Published : May 9, 2025, 4:15 p.m. | 2 hours, 38 minutes ago
Description : Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Gen Digital Inc. Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-9524 - Avira Prime Link Following Local Privilege Escalation Vulnerability

CVE ID : CVE-2024-9524
Published : May 9, 2025, 4:15 p.m. | 2 hours, 38 minutes ago
Description : Link Following Local Privilege Escalation Vulnerability in System Speedup Service in Avira Operations GmbH Avira Prime Version 1.1.96.2 on Windows 10 x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-28200 - Victure RX1800 Default Password Weakness

CVE ID : CVE-2025-28200
Published : May 9, 2025, 4:15 p.m. | 2 hours, 38 minutes ago
Description : Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits of the Mac address.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-28201 - Victure RX1800 Root RCE

CVE ID : CVE-2025-28201
Published : May 9, 2025, 4:15 p.m. | 2 hours, 38 minutes ago
Description : An issue in Victure RX1800 EN_V1.0.0_r12_110933 allows physically proximate attackers to execute arbitrary code or gain root access.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-28202 - Victure RX1800 SSH/Telnet Authentication Bypass Vulnerability

CVE ID : CVE-2025-28202
Published : May 9, 2025, 4:15 p.m. | 2 hours, 38 minutes ago
Description : Incorrect access control in Victure RX1800 EN_V1.0.0_r12_110933 allows attackers to enable SSH and Telnet services without authentication.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-28203 - Victure RX1800 Command Injection Vulnerability

CVE ID : CVE-2025-28203
Published : May 9, 2025, 4:15 p.m. | 2 hours, 38 minutes ago
Description : Victure RX1800 EN_V1.0.0_r12_110933 was discovered to contain a command injection vulnerability.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-45513 - Tenda FH451 Stack Overflow Vulnerability

CVE ID : CVE-2025-45513
Published : May 9, 2025, 4:15 p.m. | 2 hours, 38 minutes ago
Description : Tenda FH451 V1.0.0.9 has a stack overflow vulnerability in the function.P2pListFilter.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46188 - SourceCodester Client Database Management System SQL Injection

CVE ID : CVE-2025-46188
Published : May 9, 2025, 4:15 p.m. | 2 hours, 38 minutes ago
Description : SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in superadmin_phpmyadmin.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...