CVE-2025-25513 |
Description: Seacms <=13.3 is vulnerable to SQL Injection in admin_members.php.
EPSS Score: 0.03%
February 24th, 2025 (5 months ago)
|
CVE-2025-22974 |
Description: SQL Injection vulnerability in SeaCMS v.13.2 and before allows a remote attacker to execute arbitrary code via the DoTranExecSql parameter in the phome.php component.
EPSS Score: 0.17%
February 24th, 2025 (5 months ago)
|
CVE-2024-56525 |
Description: In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and insert a backdoor plugin, by uploading a crafted XML document as a User XML Plugin.
EPSS Score: 0.06%
February 24th, 2025 (5 months ago)
|
CVE-2024-53544 |
Description: NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 was discovered to contain a SQL injection vulnerability via the getCookieNames method in the smarttimeplus/MySQLConnection endpoint.
EPSS Score: 0.03%
February 24th, 2025 (5 months ago)
|
CVE-2024-53543 |
Description: NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 was discovered to contain a SQL injection vulnerability via the addProject method in the smarttimeplus/MySQLConnection endpoint.
EPSS Score: 0.02%
February 24th, 2025 (5 months ago)
|
CVE-2024-53542 |
Description: Incorrect access control in the component /iclock/Settings?restartNCS=1 of NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 allows attackers to arbitrarily restart the NCServiceManger via a crafted GET request.
EPSS Score: 0.04%
February 24th, 2025 (5 months ago)
|
CVE-2025-22868 |
Description: Impact
When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.
Patches
Version 4.0.5 fixes this issue
Workarounds
Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.
References
This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.
References
https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78
https://github.com/golang/go/issues/71490
https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22
https://go.dev/issue/71490
https://github.com/advisories/GHSA-c6gw-w398-hv78
EPSS Score: 0.17%
February 24th, 2025 (5 months ago)
|
![]() |
Description: The new Linux malware named Auto-color uses advanced evasion tactics. Discovered by Unit 42, this article cover its installation, evasion features and more.
The post Auto-Color: An Emerging and Evasive Linux Backdoor appeared first on Unit 42.
February 24th, 2025 (5 months ago)
|
![]() |
Description: Ransomware Attack Update for 24th of February 2025
February 24th, 2025 (5 months ago)
|
![]() |
Description: A patch bypass for a bug in the popular desktop emulator enables root-level privilege escalation and has no fix in sight.
February 24th, 2025 (5 months ago)
|