CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

Description: Multiple vulnerabilities in TCMAN GIM. Mon, 06/09/2025 - 13:32. Notice. Affected Resources: GIM, 11 version. Description: INCIBE has coordinated the publication of 3 vulnerabilities of medium severity, affecting TCMAN's GIM, a maintenance management software. The vulnerabilities have been discovered by Jorge Riopedre Vega. These vulnerabilities have been assigned the following code, CVSS v4.0 base score, CVSS vector and vulnerability CWE type: CVE-2025-40668 to CVE-2025-40670: CVSS v4.0: 7.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-863. Identifier: INCIBE-2025-0300. 3 - Medium. Solution: The vulnerabilities have been fixed by the TCMAN team. The manufacturer has reported that the vulnerabilities are not found in the latest version of GIM Web version 20250128. Detail: CVE-2025-40668: incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability the PasswordActual parameter must be empty. CVE-2025-40669: incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows a...

EPSS Score: 0.04%

Source: Incibe CERT
June 9th, 2025 (17 days ago)

CVE-2025-5873

Description: A vulnerability was found in eCharge Hardy Barth Salia PLCC 2.2.0. It has been declared as critical. This vulnerability affects unknown code of the file /firmware.php of the component Web UI. The manipulation of the argument media leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
June 9th, 2025 (17 days ago)

CVE-2025-5872

Description: A vulnerability was found in eGauge EG3000 Energy Monitor 3.6.3. It has been classified as problematic. This affects an unknown part of the component Setting Handler. The manipulation leads to missing authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS: MEDIUM (5.3)

EPSS Score: 0.06%

Source: CVE
June 9th, 2025 (17 days ago)

CVE-2025-41437

Description: Zohocorp ManageEngine OpManager, NetFlow Analyzer, Network Configuration Manager, Firewall Analyzer and OpUtils versions 128565 and below are vulnerable to Reflected XSS on the login page.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
June 9th, 2025 (17 days ago)

CVE-2025-3835

Description: Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module.

CVSS: CRITICAL (9.6)

EPSS Score: 0.16%

Source: CVE
June 9th, 2025 (17 days ago)

Description: The European Union has officially launched DNS4EU, a secure, privacy-compliant DNS resolution service aimed at citizens, governments, and telecom providers across the bloc. Developed under the supervision of ENISA and managed by a pan-European consortium led by Czech cybersecurity firm Whalebone, DNS4EU is now operational after nearly three years of planning. Initially announced in October … The post EU Launches Privacy-Focused Public DNS Resolver Named DNS4EU appeared first on CyberInsider.

Source: CyberInsider
June 9th, 2025 (17 days ago)

CVE-2025-5871

Description: A vulnerability was found in Papendorf SOL Connect Center 3.3.0.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to missing authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS: MEDIUM (5.3)

EPSS Score: 0.06%

Source: CVE
June 9th, 2025 (17 days ago)

CVE-2025-5870

Description: A vulnerability has been found in TRENDnet TV-IP121W 1.1.1 Build 36 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/setup.cgi of the component Web Interface. The manipulation leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS: HIGH (7.3)

EPSS Score: 0.07%

Source: CVE
June 9th, 2025 (17 days ago)

CVE-2025-40675

Description: A Reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the parameter 'query' in '/search'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

CVSS: MEDIUM (5.1)

EPSS Score: 0.06%

Source: CVE
June 9th, 2025 (17 days ago)