CVE-2025-30841
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in adamskaat Countdown & Clock allows Remote Code Inclusion. This issue affects Countdown & Clock: from n/a through 2.8.8.
CVSS: CRITICAL (9.9) EPSS Score: 0.05%
April 1st, 2025
CVE-2025-30807
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martin Nguyen Next-Cart Store to WooCommerce Migration allows SQL Injection. This issue affects Next-Cart Store to WooCommerce Migration: from n/a through 3.9.4.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
April 1st, 2025
CVE-2025-30580
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound DigiWidgets Image Editor allows Remote Code Inclusion. This issue affects DigiWidgets Image Editor: from n/a through 1.10.
CVSS: CRITICAL (10.0) EPSS Score: 0.06%
April 1st, 2025
CVE-2025-3096
Description: Clinic's Patient Management System version 2.0 suffers from a SQL injection vulnerability in the login page.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
April 1st, 2025
CVE-2024-20439
Description:
Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
For more information about these vulnerabilities, see the Details section of this advisory.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
Security Impact Rating: Critical
CVE: CVE-2024-20439, CVE-2024-20440
CVSS: CRITICAL (9.8) EPSS Score: 89.45%
April 1st, 2025
CVE-2025-23120
Description:
1. EXECUTIVE SUMMARY
CVSS v4 9.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: Lifecycle Services with Veeam Backup and Replication
Vulnerability: Deserialization of Untrusted Data
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker with administrative privileges to execute code on the target system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Rockwell Automation reports the following Lifecycle Services with Veeam Backup and Replication are affected:
Industrial Data Center (IDC) with Veeam: Generations 1 – 5
VersaVirtual Appliance (VVA) with Veeam: Series A - C
3.2 VULNERABILITY OVERVIEW
3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
A remote code execution vulnerability exists in Veeam Backup and Replication, which the affected products use. Exploitation of the vulnerability can allow a threat actor to execute code on the target system.
CVE-2025-23120 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23120. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Rock...
CVSS: CRITICAL (9.9) EPSS Score: 0.53%
April 1st, 2025
CVE-2025-2237
Description: The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to authentication bypass in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.
CVSS: CRITICAL (9.8) EPSS Score: 0.29%
April 1st, 2025
CVE-2024-13553
Description: The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
April 1st, 2025
CVE-2025-30065
Description: Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.
Users are recommended to upgrade to version 1.15.1, which fixes the issue.
CVSS: CRITICAL (10.0) EPSS Score: 0.16%
April 1st, 2025
CVE-2025-31095
Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in ho3einie Material Dashboard allows Authentication Bypass. This issue affects Material Dashboard: from n/a through 1.4.5.
CVSS: CRITICAL (9.8) EPSS Score: 0.07%
April 1st, 2025