CVE-2025-23221 |
Description: Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and to force the victim’s server into an infinite loop, causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4.
CVSS: MEDIUM (5.4) EPSS Score: 0.06%
January 21st, 2025 (6 months ago)
|
CVE-2025-23220 |
Description: WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_raca.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw. This vulnerability is fixed in 3.2.10.
CVSS: CRITICAL (10.0) EPSS Score: 0.04%
January 21st, 2025 (6 months ago)
|
CVE-2025-23219 |
Description: WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_cor.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw. This vulnerability is fixed in 3.2.10.
CVSS: CRITICAL (10.0) EPSS Score: 0.04%
January 21st, 2025 (6 months ago)
|
CVE-2025-23218 |
Description: WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_especie.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw. This vulnerability is fixed in 3.2.10.
CVSS: CRITICAL (10.0) EPSS Score: 0.04%
January 21st, 2025 (6 months ago)
|
CVE-2025-23214 |
Description: Cosmos provides users the ability to self-host a home server by acting as a secure gateway to your application, as well as a server manager. By monitoring the error code returned in the login, it is possible to figure out whether a user exists or not in the database. Patched in 0.17.7.
CVSS: MEDIUM (6.9) EPSS Score: 0.04%
January 21st, 2025 (6 months ago)
|
CVE-2025-23044 |
Description: PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.
CVSS: MEDIUM (6.8) EPSS Score: 0.04%
January 21st, 2025 (6 months ago)
|
CVE-2025-22620 |
Description: gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. This vulnerability is fixed in 0.17.0.
CVSS: MEDIUM (5.0) EPSS Score: 0.04%
January 21st, 2025 (6 months ago)
|
CVE-2025-22131 |
Description: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into an HTML representation and displays it in the response.
CVSS: MEDIUM (5.1) EPSS Score: 0.04%
January 21st, 2025 (6 months ago)
|
CVE-2025-21655 |
Description: In the Linux kernel, the following vulnerability has been resolved:
io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period
io_eventfd_do_signal() is invoked from an RCU callback, but when
dropping the reference to the io_ev_fd, it calls io_eventfd_free()
directly if the refcount drops to zero. This isn't correct, as any
potential freeing of the io_ev_fd should be deferred another RCU grace
period.
Just call io_eventfd_put() rather than open-code the dec-and-test and
free, which will correctly defer it another RCU grace period.
EPSS Score: 0.05%
January 21st, 2025 (6 months ago)
|
CVE-2025-0590 |
Description: Improper permission settings for mobile applications (com.transsion.carlcare) may lead to information leakage risk.
EPSS Score: 0.04%
January 21st, 2025 (6 months ago)
|